I've noticed that SELinux blocks httpd (standard CentOS httpd, simply installed from RPM) from writing to krb5.conf file. Question. Why on earth would httpd need write access to krb5.conf file?! Sure, it might need read access if it is configured to use Kerberos for authentication, but write!? I mean, web server that modifies one of the critical files (which is used for authentication/authorization)?
Aleksandar Milivojevic said:
I've noticed that SELinux blocks httpd (standard CentOS httpd, simply installed from RPM) from writing to krb5.conf file. Question. Why on earth would httpd need write access to krb5.conf file?! Sure, it might need read access if it is configured to use Kerberos for authentication, but write!? I mean, web server that modifies one of the critical files (which is used for authentication/authorization)? _______________________________________________
Allow me to display my ignorance of all thing SELinux:
SELinux is suppossed to restrict services and programs from performing actions that they don't have a need to be doing. Since httpd has no reason to to write to the krb5.conf file, SELinux restricts it. Kind of like a "Need to Know" policy. If you're not familar with Mandatory Access Control, read up on it; I think that is what SELinux is about.
Doug
On Thu, 2005-05-19 at 08:02 -0400, Doug Koobs wrote:
If you're not familar with Mandatory Access Control, read up on it; I think that is what SELinux is about.
MAC is exactly what SELinux is about.
Legacy UNIX permissions and security is DAC, but lacks MAC. It's one of the few details of UNIX design that is a thorn.
Otherwise, legacy UNIX design -- over 35 years old -- has been pretty damn good in the age of the Internet.
Multiuser by default, execute bit, reliance on file magic, not extensions, write access only to user home directory, etc...
Yeah, NT might have MAC. But the majority of Windows applications would be classified as a "root exploit" because they require escalated privileges over what UNIX programs do just to run!
Including many of Microsoft's own.
Quoting Doug Koobs dkoobs@dkoobs.com:
Aleksandar Milivojevic said:
I've noticed that SELinux blocks httpd (standard CentOS httpd, simply installed from RPM) from writing to krb5.conf file. Question. Why on earth would httpd need write access to krb5.conf file?! Sure, it might need read access if it is configured to use Kerberos for authentication, but write!? I mean, web server that modifies one of the critical files (which is used for authentication/authorization)? _______________________________________________
Allow me to display my ignorance of all thing SELinux:
SELinux is suppossed to restrict services and programs from performing actions that they don't have a need to be doing. Since httpd has no reason to to write to the krb5.conf file, SELinux restricts it. Kind of like a "Need to Know" policy. If you're not familar with Mandatory Access Control, read up on it; I think that is what SELinux is about.
Exactly. But that doesn't answer my original question.
SELinux blocked access to the file httpd doesn't need to have access to. However, the question was why on startup httpd attempts to write to that file (or at least open it for writing)?
---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.
-
Aleksandar Milivojevic -
alex@milivojevic.org
-
Bryan J. Smith -
Doug Koobs