[olug] Running commands from web pages.

Daniel Linder dan at linder.org
Wed Feb 9 07:36:30 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

WARNING: If you are not interested in the slightest about one possible
future of system security, just delete this message now.  It's long and is
probably not of much interest to 95% of the OLUG readership...

Here's to that last 5%! :)

<quote who="Dave Hull">
> Quoting Phil Brutsche <phil at brutsche.us>:
>> SELinux is probably set up to prevent whatever user Apache runs as from
>> doing certain privileged operations.
>>
>> I bet it'll work if you turn off SELinux ;)
>
> That probably would fix it, I'm guessing you can configure SELinux to
> allow a specific user to run arbitrary commands of your choosing, but
> that's a guess.

From what little I know of SELinux, it goes beyond restricting the basic
running of programs based solely on User/Group/Other file permissions.
SELinux is able to transition just specific rights to a user for the
duration of the program execution and not have to make the program
effectively a root-user process running on the system.

Think of this analogy.  If you're going to a fancy dinner and they have
Valet parking, what keys would you prefer to give to the attendant?
A: Your whole keyring, including your other car keys, your house keys,
your office keys, etc?
B: Just this car's key?
C: A "magic" key that has limits on its use.

Most of us would choose "C" if we had the choice.  Some car manufacturers
do have a "Valet Key" which has imposed limits such as a maximum speed,
maximum acceleration, etc.

With SELinux we have a similar choice with our programs.

In MS-DOS, when you ran any program you were running it like option A.
This program could do anything to the system it was programmed to do.  It
could be a well-behaved wordprocessor, or it *could* be the "format"
command.  It was 100% dependent on the user and the programmer to not make
mistakes.

In classical Unix security, you can set up a normal user account and bless
the program with "effective user" rights by way of the "chmod" command.
If a program was owned by the user "root" and the "chmod u+s" was executed
on that program, then *anyone* running this program was running with
"root" permissions.  Since most programs which knowingly needed that level
of access to the system also took great care to keep the user confined
within it, things worked pretty well.

Now, with the advent of viruses and trojans, a higher level of security is
needed.  With the "Option B" model on computers, it meant that a program
such as a (MS-)WORDprocessor might be installed with these all-encompassing
user powers for fairly pedantic reasons because that was the only way.
When an infected DOCument is opened, that worm has all the rights that the
user has.  The SELinux setup asks "Since when has a wordprocessor needed
the ability to open a socket connection on the network?"  SELinux allows
us to configure our systems so that a program can do the root-level work
it needs to *ONLY* the services that it uses.

I believe the problem Wes was running up against is a rule limiting normal
users from running traceroute which creates arbitrary TCP/IP socket
connections to the local network.

I haven't read it all the way through yet, but this article on SourceForge
goes over allowing a user the use of "traceroute":

https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266

Or a PDF version:

http://www.lurking-grue.org/WritingSELinuxPolicyHOWTO.pdf

Dan

- - - - -
"I do not fear computers,
I fear the lack of them."
 -- Isaac Asimov
GPG fingerprint:9EE8 ABAE 10D3 0B55 C536  E17A 3620 4DCA A533 19BF

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCCb1+NiBNyqUzGb8RAslWAJ4uSd4Vt9nm6WogK2rLtl5RJRInEgCfToW0
Sv8fKI98M5SrUmNXbrrhwqM=
=Tkmx
-----END PGP SIGNATURE-----
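As an added example, not code from the original post or from the OLUG thread: the mail contrasts "chmod u+s" programs, which run with the whole keyring, against SELinux confinement, which hands out only the rights a program needs. The POSIX shell script below is a defender's audit of that first category: it lists every set-user-ID executable under a directory and, for each one, reports what (if anything) confines it: the SELinux file context when SELinux is active, and file capabilities, which many modern distributions use so that a tool like traceroute is granted only the raw-socket capability instead of the setuid-root bit. Function names, the probe of `/sys/fs/selinux`, and the reliance on GNU `ls -Z` output order and on `getcap` being installed are my assumptions; the script degrades to a plain setuid listing where those are absent.

```shell
#!/bin/sh
# Added example (not from the original post): audit a directory tree for
# set-user-ID executables and show what confines each one.
# Assumptions (mine): SELinux is "active" when /sys/fs/selinux exists,
# GNU `ls -Z` prints the context before the file name, and `getcap`
# (libcap) is optional.

# is_setuid FILE -> exit status 0 if FILE has the set-user-ID bit, else 1
is_setuid() {
    [ -u "$1" ]
}

# list_setuid DIR -> every regular file under DIR with the setuid bit,
# one path per line, sorted so the output is stable
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# count_setuid DIR -> number of setuid files under DIR (prints 0, not an error,
# when there are none)
count_setuid() {
    list_setuid "$1" | awk 'END { print NR }'
}

# owner_of FILE -> owning user name, parsed from ls -ld for portability
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# describe FILE -> one report line: path, owner, SELinux context, capabilities.
# A setuid file owned by root with no confining context and no capabilities
# is the "whole keyring" case the mail warns about.
describe() {
    f=$1
    ctx="(selinux not active)"
    if [ -d /sys/fs/selinux ] && ls -Zd "$f" >/dev/null 2>&1; then
        ctx=$(ls -Zd "$f" | awk '{ print $1 }')
    fi
    caps="(getcap not available)"
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$f" 2>/dev/null)
        [ -n "$caps" ] || caps="(no file capabilities)"
    fi
    printf '%s owner=%s context=%s caps=%s\n' \
        "$f" "$(owner_of "$f")" "$ctx" "$caps"
}

# audit_setuid DIR -> describe every setuid file under DIR, then a summary
audit_setuid() {
    list_setuid "$1" | while IFS= read -r f; do
        describe "$f"
    done
    echo "$(count_setuid "$1") setuid executables under $1" >&2
}

# Usage: audit_setuid /usr/bin
```

Run it against /usr/bin or /usr/sbin and compare the result with the package manager's expectations: a setuid-root binary that carries neither a confining SELinux type nor a narrow file capability is the one to look at first, because a bug in it hands the caller the full root keyring rather than the valet key.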