[CentOS] File access in Apache 2.4 (clarification)

Jonathan Billings billings at negate.org
Tue Nov 21 19:03:25 UTC 2017


On Tue, Nov 21, 2017 at 09:40:27AM -0800, david wrote:
> Jonathan
> Thanks for the advice.  If you recommend NOT to use /tmp for cgi
> temporaries, where would you put them and how to name them?  And about
> SELINUX, I'll consider that, but I'd like to get this working without
> SELINUX first.
> 
> And where should I put "globally readable" files?  These files need to be
> readable by all users (including Apache), but writeable only by one user.
> In the past, I've placed them in a Ram disk since I don't want them to
> survive a power-off, and mounted that "device" directory in /tmp/ramdisk.
> It was working perfectly in Centos 5, 6 and 7, with Centos 7 failing within
> the past week or so.  I do "yum update" every night.

Does it need to be writable by CGI scripts run by httpd?  Then put it
in one of the directories that is automatically labeled
httpd_sys_rw_content_t by selinux.  (man httpd_selinux shows those;
you can also run 'semanage fcontext -l | grep httpd_sys_rw_content_t'.)

Hopefully, it isn't both writable *and* executable by httpd, because
that's just a bad idea, and selinux tries its hardest to prevent it.

Otherwise, if httpd just needs to read the file, choose one of the
directories with one of the read-only labels.

The reason this started happening in the latest C7 release is that
the unit file (as well as many others) was updated to set PrivateTmp,
which is an additional security measure, since one of the most common
ways of attacking a system is to try to hit shared files in locations
like /tmp.

-- 
Jonathan Billings
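As an added example (not from the original thread, and not CentOS's or Red Hat's own code): a small bash script that wraps the two checks the reply points at, namely which file specs SELinux labels httpd_sys_rw_content_t (where a CGI run by httpd may write) and whether httpd.service runs with PrivateTmp, and then applies a rule of thumb for whether a given path is reachable from httpd at all. The embedded `semanage fcontext -l` and `systemctl show` output is a constructed stand-in so the script runs offline; the helper names and the path_reachable_by_httpd rule are my own assumptions, based on PrivateTmp giving the service a private, initially empty /tmp and /var/tmp.

```shell
#!/bin/bash
# Added example, not part of the original thread. Helpers that answer the
# two questions in the reply above:
#   1. which file specs SELinux labels httpd_sys_rw_content_t, from
#      `semanage fcontext -l` output, and
#   2. whether httpd.service runs with PrivateTmp, from
#      `systemctl show httpd.service -p PrivateTmp` output,
# plus a rule of thumb for whether a given path is reachable from httpd.
# The SAMPLE_* strings are constructed stand-ins so the script runs offline;
# on a real CentOS 7 host pipe the live command output in instead.
set -eu

# Constructed sample of `semanage fcontext -l` output (header + a few rows).
SAMPLE_FCONTEXT='SELinux fcontext                                   type               Context

/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/html(/.*)?/uploads(/.*)?                  all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/svn(/.*)?                                 all files          system_u:object_r:httpd_sys_rw_content_t:s0
/tmp(/.*)?                                         all files          system_u:object_r:tmp_t:s0'

# Constructed sample of `systemctl show httpd.service -p PrivateTmp` output.
SAMPLE_PRIVATE_TMP='PrivateTmp=yes'

# Print the file-spec column of every entry whose type is
# httpd_sys_rw_content_t. Input: `semanage fcontext -l` on stdin.
# The context is always the last field, so the header row never matches.
rw_content_specs() {
    awk '$NF ~ /:httpd_sys_rw_content_t:/ { print $1 }'
}

# Exit 0 when the unit has PrivateTmp enabled. Input: `systemctl show
# <unit> -p PrivateTmp` on stdin.
private_tmp_enabled() {
    grep -qx 'PrivateTmp=yes'
}

# $1 = absolute path a CGI wants to use, $2 = "yes" or "no" for PrivateTmp.
# Exit 0 when httpd can see that path. Under PrivateTmp=yes the service gets
# its own empty /tmp and /var/tmp, so anything the admin put there on the
# host (including a ramdisk mounted at /tmp/ramdisk) is hidden from it.
# This rule is an assumption of the example, not a system query.
path_reachable_by_httpd() {
    case "$1" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*) [ "$2" != yes ] ;;
        *) true ;;
    esac
}

# Demo run against the constructed samples.
echo "Specs httpd may write to (httpd_sys_rw_content_t):"
printf '%s\n' "$SAMPLE_FCONTEXT" | rw_content_specs

if printf '%s\n' "$SAMPLE_PRIVATE_TMP" | private_tmp_enabled; then
    ptmp=yes
else
    ptmp=no
fi
echo "httpd.service PrivateTmp: $ptmp"

for p in /tmp/ramdisk/shared.dat /var/www/html/uploads/shared.dat; do
    if path_reachable_by_httpd "$p" "$ptmp"; then
        echo "$p: reachable from httpd"
    else
        echo "$p: NOT reachable from httpd (hidden by PrivateTmp)"
    fi
done
```

On a live host the same functions take the real output: `semanage fcontext -l | rw_content_specs` (semanage is in the policycoreutils-python package on CentOS 7) and `systemctl show httpd.service -p PrivateTmp | private_tmp_enabled`. A drop-in created with `systemctl edit httpd.service` containing `[Service]` and `PrivateTmp=false` would bring the old behaviour back, but it also undoes the hardening the reply describes; moving the shared files to a directory that already carries the right httpd label, as the reply recommends, keeps it.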


