On Friday 25 January 2008 16:01:37 Scott Bambrough wrote:
> We are working on a management tool that attempts to set up
> mod-auth-shadow to work on RedHat 5.1 with SELinux in enforcing mode.
>
> Based on the following excerpt from the httpd_selinux man page:
>
> "If you want to share files with multiple domains (Apache, FTP, rsync,
> Samba), you can set a file context of public_content_t and
> public_content_rw_t.

This type is for web content - not trusted databases.

> we have set the file context of /etc/shadow to public_content_t. The
> file permissions remain unchanged, only root can read the file.
>
> [EMAIL PROTECTED] ~]# ls -alZ /etc/shadow
> -r-------- root root root:object_r:public_content_t /etc/shadow

This makes shadow readable by apache (assuming it had root privs) and as
such can now serve shadow to anyone able to request it. That would be a
severe security policy violation.

> This almost works correctly:
> 1) mod-auth-shadow works correctly
> 2) can manage users via command line tools (useradd/usermod/userdel etc.)
> 3) system-config-users can manage users
> 4) my management tool can manage users
>
> I have some problems with this setup however:
>
> 1) I'm not sure of all the implications of changing the file context of
> /etc/shadow to public_content_t. Basically I'm getting confused as to
> how someone or some process gets write permissions to the file.

Do not work with shadow directly from a web server. The most trusted of
all databases cannot be made readable/writable to an external facing,
potentially compromised daemon. Apache trying to write to shadow would be
indicative of an intrusion attempt.

> 2) An rpm that attempts to add a user in a pre/post install script fails
> to add the user. useradd is denied write access to /etc/shadow.

Is the rpm command being run from apache?

> 3) I get a lot of the following SELinux alerts:
>
> SELinux is preventing /sbin/unix_update (updpwd_t) "read" to shadow
> (public_content_t).

Yep. restorecon /etc/shadow will fix that.

> Do I have to set the file context of /etc/shadow to public_content_rw_t,
> and set a boolean to allow anonymous writes? There doesn't seem to be
> any such boolean for rpm.

What exactly were you trying to do?

-Steve

_______________________________________________
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list
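The label check and the restorecon fix discussed in the thread, as an added example that is not part of the original e-mail exchange. It assumes the expected SELinux type for /etc/shadow is shadow_t (the RHEL reference policy type); the `ls -Z` lines used for testing are constructed, one in the RHEL 5 column layout shown in the thread and one in the newer layout with an MLS level. The live `audit_shadow` function only reports and prints the `restorecon` command rather than running it, so it can be dropped into a periodic configuration check.

```shell
#!/bin/sh
# Added example (not from the thread): audit the SELinux label on /etc/shadow
# and point at the restorecon fix. EXPECTED_TYPE is an assumption based on the
# RHEL reference policy, which labels /etc/shadow as shadow_t.

EXPECTED_TYPE=shadow_t

# Extract the SELinux type (third field of user:role:type[:level]) from a
# full context string such as root:object_r:public_content_t or
# system_u:object_r:shadow_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Given one line of `ls -Z` output, return 0 if the file carries the expected
# type and 1 if it has been relabelled to something else (e.g. the
# public_content_t label from the thread) or carries no context at all.
# The context is the field containing at least two colons; RHEL 5 coreutils
# prints it in a different column than newer releases, so search for it.
shadow_label_ok() {
    line=$1
    ctx=
    for field in $line; do
        case $field in
            *:*:*) ctx=$field; break ;;
        esac
    done
    [ -n "$ctx" ] || return 1
    [ "$(context_type "$ctx")" = "$EXPECTED_TYPE" ]
}

# Live audit: only meaningful on a host with SELinux tools installed.
# Prints the restorecon command that resets the label from the
# file_contexts database instead of running it, so the check is read-only.
audit_shadow() {
    if ! command -v getenforce >/dev/null 2>&1; then
        echo "no SELinux tools on this host"
        return 2
    fi
    if shadow_label_ok "$(ls -Z /etc/shadow 2>/dev/null)"; then
        echo "/etc/shadow label OK ($EXPECTED_TYPE)"
    else
        echo "/etc/shadow mislabelled; fix with: restorecon -v /etc/shadow"
        return 1
    fi
}
```

Run `audit_shadow` as root on the affected host; a non-zero exit means the label drifted from the policy default. Resetting it with restorecon also clears the `updpwd_t` denials in the thread, since `unix_update` is allowed to touch shadow_t but not public_content_t.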