On Tue, 2005-05-24 at 08:08, Micha Silver wrote:
The best thing to do is add this to /etc/selinux/config
SELINUX=disabled
And then get on with the real jobs....
Listening to all the pros and cons of SELinux. I'd like to improve the security of our regional web server using SELinux.
We have a main regional web site and several virtual domains, kept up by private users, all on the same server. Some of the private users want to run php and database apps on their websites. Up till now I steered away from allowing users to run anything on their sites, since a break-in to any private virtual domain would endanger the whole http process, including the main regional site. I'm preparing to switch over to a new (CentOS 4) machine, and I thought to set up a different SELinux context for each virtual domain, so that a vulnerability in someone's private web site would be isolated and not be able to crash the other domains. Is this achievable *without* SELinux??
The simple-minded way has always been to run a separate http instance bound to a different port or IP address, running as a different user. If you only have one IP address and need to appear to be on port 80, you can arrange this with a virtualhost on the main server that uses proxypass or a rewriterule that results in a proxy connection to the server running under the other uid.
Thanks Les,
With several virtual domains, setting each up on a separate port with rewrite rules, and running several httpd processes under different UIDs would quickly become not so "simple-minded".
Regards, Micha
Les Mikesell lesmikesell@gmail.com
On Tue, 2005-05-24 at 10:23, Micha Silver wrote:
I'm preparing to switch over to a new (CentOS 4) machine, and I thought to set up a different SELinux context for each virtual domain, so that a vulnerability in someone's private web site would be isolated and not be able to crash the other domains. Is this achievable *without* SELinux??
The simple-minded way has always been to run a separate http instance bound to a different port or IP address, running as a different user. If you only have one IP address and need to appear to be on port 80, you can arrange this with a virtualhost on the main server that uses proxypass or a rewriterule that results in a proxy connection to the server running under the other uid.
Thanks Les,
With several virtual domains, setting each up on a separate port with rewrite rules, and running several httpd processes under different UIDs would quickly become not so "simple-minded".
It is simple-minded in the sense that all of your existing tools (filesystems, backups, etc.) continue to work in the way you understand and if something breaks you already understand how to track it down and fix it. Processes that run as a user with specific permissions controlled by standard unix attributes have been understood for years. You have to live with some complexity in config files, of course. Hiding these permissions in new attributes that need magic support from the filesystem and have different failure modes doesn't seem simpler to me, though.
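
The per-user httpd instance behind a proxying virtualhost that the thread discusses, sketched as an added example (not configuration posted by anyone in the thread). The host name site1.example.org, the account site1, port 8081 and all file paths are assumptions chosen for illustration.

```apache
# ---- Front end: the main httpd on port 80 -------------------------------
# Goes inside the main server's existing name-based virtual host setup.
# Requires mod_proxy and mod_proxy_http to be loaded.
<VirtualHost *:80>
    ServerName site1.example.org

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Pass the original Host header through to the back end.
    ProxyPreserveHost On

    # Hand every request for this domain to the instance running as site1.
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>

# ---- Back end: a second httpd instance for this one site ----------------
# Kept in its own file (assumed: /etc/httpd/conf/site1.conf) and started
# with: httpd -f /etc/httpd/conf/site1.conf
# Only the directives that differ from the main instance are shown.

# Bind to loopback so the instance is reachable only through the front end.
Listen 127.0.0.1:8081

# Run the worker processes as the site owner. User/Group take effect only
# when the instance is started as root; because the port is above 1024 it
# can also be started directly by the site1 account.
User  site1
Group site1

# Each instance needs its own pid file and logs.
PidFile  /var/run/httpd-site1.pid
ErrorLog /var/log/httpd/site1-error_log

# The isolation comes from ordinary Unix ownership: this tree belongs to
# site1, and the other sites' trees are not readable by the site1 uid.
DocumentRoot /home/site1/public_html
```

Each further virtual domain repeats the pair with its own account, loopback port and pid/log paths, which is the config-file complexity the thread refers to.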