Page 1 of 1

T subject flag not accepted?

PostPosted: Fri May 18, 2007 9:19 am
by salam
hello,

i'm trying to use T flag for subjects in role apache, but i don't understand why this is not accepted:

Code: Select all
'T' specified in mode for role apache, subject /var/www/localhost/cgi-bin.
/var/www/localhost/cgi-bin's executable object /var/www/localhost/cgi-bin is writable by role apache, subject /usr/sbin/apache2, due to its writable object /var/www.
This would allow /var/www/localhost/cgi-bin to execute trojaned code.


this is a part of ACL for apache2 subject:

Code: Select all
subject /usr/sbin/apache2 o {
...
/var/www rwcdal
/var/www/localhost/cgi-bin rx ### this one has no precedence over /var/www?
...


tried to swith order of that 2 lines, but still getting that message.
i have no idea why i'm getting a warning that apache has write access to cgi-bin, as according to ACL, it has only read and execute permissions for that one directory out of /var/www

EDIT: solved by slightly modifying the ACL this way:
Code: Select all
/var/www
/var/www/* rwcdal
/var/www/localhost/cgi-bin rx