[CentOS] Apache not liking directories outside of /var/www
Kenneth Porter
shiva at sewingwitch.com
Fri Jul 31 17:50:47 UTC 2009
--On Friday, July 31, 2009 2:07 PM -0400 Boris Epstein <borepstein at gmail.com> wrote:
> I am running mod_security and also if the intruder gets to the shell
> level they will be able to bypass the SELinux entirely.
How? The selinux commands require root access. First you'd have to get a
root escalation exploit to promote from user apache to root, and then
disable selinux. The exploit in the linked article is stopped because it
can't run the escalation program which was downloaded to /tmp.
> I believe in security too but security should not be crippling.
Do you also disable iptables, because a firewall is too complicated to
configure just to run an IP service?
SELinux is just another kind of firewall, but one between
user/process/resource triplets. As with a good network firewall, it denies
all by default and one selectively allows the triplets that make sense for
one's application.
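The "deny by default, then allow the triplets that make sense" model in the reply above has a practical consequence for the original question: content served from outside /var/www carries the wrong file type (typically default_t), so httpd_t is denied, and the fix is to label the directory as web content rather than to switch SELinux off. The following is an added example, not code from the mailing list post or from CentOS, that parses AVC denial records from audit.log, separates the "mislabelled document root" case (relabel it) from the "policy doing its job" case (such as httpd_t being refused execute on a file in /tmp, the exact denial that stopped the escalation program the reply mentions), and prints the semanage/restorecon commands for the former. The log lines are constructed, the set of content types is a hand-picked subset of the real targeted policy, and /srv/site is an assumed document root.

```python
"""Triage SELinux AVC denials raised by Apache (httpd_t).

Added example, not from the mailing list post or the CentOS project.
Sample audit records below are constructed; the type sets are an
assumed subset of the targeted policy, not the full policy.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# File types the targeted policy lets httpd_t read (assumed subset).
HTTPD_CONTENT_TYPES = {
    "httpd_sys_content_t", "httpd_sys_rw_content_t", "httpd_sys_ra_content_t",
}
# Types a document root created outside /var/www usually ends up with.
RELABEL_CANDIDATES = {"default_t", "user_home_t", "var_t", "usr_t"}
# Permissions a web server needs to serve static content.
READ_ONLY_PERMS = {"read", "open", "getattr", "search"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)="?([^"\s]+)"?')


@dataclass
class Denial:
    perms: List[str]
    comm: str
    name: str
    source_type: str   # domain of the process, e.g. httpd_t
    target_type: str   # type of the file/dir touched, e.g. default_t
    tclass: str


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    # A context is user:role:type:level; the type is the third field.
    return Denial(
        perms=m.group("perms").split(),
        comm=fields.get("comm", "?"),
        name=fields.get("name", "?"),
        source_type=m.group("scontext").split(":")[2],
        target_type=m.group("tcontext").split(":")[2],
        tclass=m.group("tclass"),
    )


def classify(d: Denial) -> str:
    """One of: not-httpd, already-content, intended, relabel, investigate."""
    if d.source_type != "httpd_t":
        return "not-httpd"
    if d.target_type in HTTPD_CONTENT_TYPES:
        return "already-content"      # label is fine; look at the permission instead
    # httpd_t executing something under /tmp is precisely what the policy is
    # meant to block (the downloaded escalation program); never relabel that.
    if d.target_type == "tmp_t" or "execute" in d.perms or "execute_no_trans" in d.perms:
        return "intended"
    if (d.target_type in RELABEL_CANDIDATES
            and d.tclass in {"file", "dir", "lnk_file"}
            and set(d.perms) <= READ_ONLY_PERMS):
        return "relabel"
    return "investigate"


def relabel_commands(web_root: str) -> List[str]:
    """Persistent fcontext rule plus relabel so the label survives restorecon."""
    pattern = f"{web_root.rstrip('/')}(/.*)?"
    return [
        f'semanage fcontext -a -t httpd_sys_content_t "{pattern}"',
        f"restorecon -Rv {web_root}",
    ]


def triage(lines: List[str], web_root: str) -> List[str]:
    """Return one report line per AVC record (non-AVC lines are skipped)."""
    report = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        verdict = classify(d)
        msg = f"{verdict}: {d.comm} denied {{ {' '.join(d.perms)} }} on {d.name} ({d.target_type})"
        if verdict == "relabel":
            msg += " -> " + "; ".join(relabel_commands(web_root))
        report.append(msg)
    return report


# Constructed sample records in audit.log format (not real captures).
SAMPLE_LOG = [
    'type=AVC msg=audit(1249062000.123:42): avc:  denied  { read } for  pid=2231 '
    'comm="httpd" name="index.html" dev=dm-0 ino=262145 '
    'scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file',
    'type=AVC msg=audit(1249062001.456:43): avc:  denied  { execute } for  pid=2231 '
    'comm="httpd" name="a.out" dev=dm-0 ino=131073 '
    'scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1249062001.456:43): arch=c000003e syscall=59 success=no exit=-13',
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG, "/srv/site"):
        print(entry)
```

Run against a real system with `grep avc /var/log/audit/audit.log | python3 triage.py` after swapping `SAMPLE_LOG` for `sys.stdin`; anything reported as `intended` is SELinux stopping the thing the firewall analogy is about, and only `relabel` lines should lead to a `semanage fcontext` change.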