CGI Script permissions

Paul Howarth paul at city-fan.org
Fri May 26 19:30:17 UTC 2006


On Fri, 2006-05-26 at 14:18 -0400, Daniel J Walsh wrote: 
> Paul Howarth wrote:
> > I made something similar for my moin wiki running under mod_fcgid:
> >
> > te file:
> >
> > policy_module(apache, 0.2.1)
> >
> > require {
> >         type devpts_t;
> >         type httpd_t;
> >         type httpd_log_t;
> >         type httpd_sys_script_exec_t;
> >         type var_run_t;
> > };
> >
> > # ==========================================================
> > # Create and use httpd_fastcgi_script_t for mod_fcgid apps
> > # ==========================================================
> >
> > apache_content_template(fastcgi)
> > kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
> >
> > # Allow FastCGI applications to live alongside regular CGI apps
> > allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { 
> > search_dir_perms };
> >
> > # Allow FastCGI applications to listen for FastCGI requests on their
> > # sockets and respond to them
> > allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { 
> > rw_stream_socket_perms };
> >
> > # FastCGI application doing something to the httpd error log
> > dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
> >
> > # Not sure what this is doing (happens when fastcgi scripts start)
> > dontaudit httpd_t devpts_t:chr_file ioctl;
> >
> > # mod_fcgid setting attr of its socket dir
> > allow httpd_t var_run_t:dir setattr;
> Why not create a context for its socket dir so you don't need this for 
> var_run?

The obvious type to use would really be httpd_var_run_t rather than
creating a new type (comparing with other users of /var/run). In fact I
think I tried that but it seemed worse than leaving it the default
var_run_t and adding the one allow rule. What would you suggest?

> > fc file:
> >
> > /srv/www/tips/cgi-bin/moin.fcgi -- 
> > gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
> > /var/www/tips/cgi-bin/moin.fcgi -- 
> > gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
> >
> > Paul.
> 
> I think it might be a good idea to add this (fastcgi that is) policy to 
> base.  Have you tried to submit it upstream?

Not yet; it probably needs more work to add further capabilities, as
I've only used one application with FastCGI myself, and I can see that
httpd_sys_script_t has far more capabilities than I've so far allowed to
httpd_fastcgi_script_t. Perhaps there should be an interface that goes
further than apache_content_template and adds capabilities needed by
most server-side scripts (e.g. the kernel_read_kernel_sysctls from
above), for use in developing custom types like httpd_fastcgi_script_t?

Paul.
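The review comment in the thread objects to `allow httpd_t var_run_t:dir setattr;` because it grants the access to the generic var_run_t type rather than a type specific to the socket directory. As an added example (not from the thread, nor from the refpolicy project), the Python below parses the access-vector rules of a .te file and flags that pattern, plus dontaudit rules that silence denials; the set of "generic" types and the embedded sample rules are constructed assumptions based on the module quoted above.

```python
import re
# Catch-all types (chosen for this example): a rule targeting one of these grants
# the access to every object carrying that label, not just one directory.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "etc_t", "usr_t"}

# One TE access-vector rule: kind source target:class perms ;  where perms is a
# name or a { ... } set, possibly wrapped across lines.  Simplification: brace
# sets or negation in the source/target position are not handled.
RULE_RE = re.compile(
    r"\b(allow|dontaudit|auditallow|neverallow)\s+(\S+)\s+(\S+?):(\S+)\s+"
    r"(\{[^}]*\}|\S+?)\s*;"
)

def parse_rules(te_text):
    """Return (kind, source, target, class, [perms]) for each AV rule."""
    text = re.sub(r"#.*", "", te_text)  # drop comments before matching
    return [(k, s, t, c, p.strip("{} \n").split())
            for k, s, t, c, p in RULE_RE.findall(text)]

def review(te_text):
    """Flag rules a reviewer would question: a generic target type (prefer a
    dedicated type via file context / type transition) and dontaudit rules,
    which silence a denial instead of resolving it."""
    findings = []
    for rule in parse_rules(te_text):
        if rule[2] in GENERIC_TYPES:
            findings.append(("generic-target", rule))
        if rule[0] == "dontaudit":
            findings.append(("dontaudit", rule))
    return findings

# Constructed sample: the rules of the module quoted in the thread.
SAMPLE_TE = """\
require { type devpts_t; type httpd_t; type httpd_log_t;
          type httpd_sys_script_exec_t; type var_run_t; };
apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir {
search_dir_perms };
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket {
rw_stream_socket_perms };
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;  # error log
dontaudit httpd_t devpts_t:chr_file ioctl;
allow httpd_t var_run_t:dir setattr;  # mod_fcgid socket dir
"""

if __name__ == "__main__":
    for reason, (k, s, t, c, p) in review(SAMPLE_TE):
        print(f"{reason:15} {k} {s} {t}:{c} {' '.join(p)}")
```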