[CentOS] Apache not liking directories outside of /var/www

Fri Jul 31 17:07:56 UTC 2009
Boris Epstein <borepstein at gmail.com>

On Fri, Jul 31, 2009 at 12:50 PM, Jim Perrin<jperrin at gmail.com> wrote:
> On Fri, Jul 31, 2009 at 12:35 PM, Boris Epstein<borepstein at gmail.com> wrote:
>
>> I found an even simplier solution - disabled SELinux. I've got a
>> firewall and that is plenty.
>
> No. It's really not. If someone exploits apache, or php, they'll be
> coming in via port 80 or 443 which your firewall has helpfully allowed
> so that you can run your server. The vast majority of successful
> penetrations I've seen are of two types. Brute ssh attacks, and
> apache/php exloits.   If you were running mod_security, that might be
> slightly more analogous to selinux. I really don't recommend that
> people disable selinux simply because they can't be bothered to learn
> it.
>
> Real world reasons for selinux on web servers ->
> http://www.linuxjournal.com/article/9176
>
>
> --
> During times of universal deceit, telling the truth becomes a revolutionary act.
> George Orwell
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

I am running mod_security and also if the intruder gets to the shell
level they will be able to bypass the SELinux entirely. I believe in
security too but security should not be crippling.

Boris.