I'm trying to use the T flag for subjects in role apache, but I don't understand why this is not accepted:
'T' specified in mode for role apache, subject /var/www/localhost/cgi-bin.
/var/www/localhost/cgi-bin's executable object /var/www/localhost/cgi-bin is writable by role apache, subject /usr/sbin/apache2, due to its writable object /var/www.
This would allow /var/www/localhost/cgi-bin to execute trojaned code.
This is part of the ACL for the apache2 subject:
subject /usr/sbin/apache2 o {
...
/var/www rwcdal
/var/www/localhost/cgi-bin rx ### this one has no precedence over /var/www?
...
I tried to switch the order of those 2 lines, but I'm still getting that message.
I have no idea why I'm getting a warning that apache has write access to cgi-bin, as according to the ACL it has only read and execute permissions for that one directory under /var/www.
EDIT: solved by slightly modifying the ACL this way:
/var/www
/var/www/* rwcdal
/var/www/localhost/cgi-bin rx