RBAC for apache +multiuser +directory browsing problem

Submit your RBAC policies or suggest policy improvements

RBAC for apache +multiuser +directory browsing problem

Postby klajosh » Wed Jan 05, 2005 8:25 am

Hi All,

I'm putting together a webserver. The config:
Debian woody
php -through suphp so the scripts run as cgi
perl-cgi -through suexec (those acls will be anounced later)
mysql

First I would like to create a per user acls, that every web site owner can
reach only their files/directories through web. My problem is if I run this
php, one of the users home directory I can see the directory/file list:


<?php
/*
* Assume document root is /var/www
*/

$location = '../'; // Move up one directory
$parent = dir($location);

// List the contents of the current directory
// i.e.: /usr/local/websites
while($entry = $parent->read()) {
echo $entry . '<br>';
}
$parent->close();

?>

So in one word i don't want to allow to run this type of scripts.
Can I somehow handle this situation with grsec?
Thanks in advance

Andras

ACLS:

--------------------------------------------------------
1. acl:
--------------------------------------------------------
role apache u
subject / {
/ h
/etc h
/etc/group r
/etc/passwd r
/usr h
/usr/lib/apache/suexec x
/usr/sbin/suphp x
/var r
/var/www r
/var/www/* r
/var/log h
-CAP_ALL
bind disabled
connect disabled
}

subject /usr/lib/apache/suexec o {
/ h
/etc h
/etc/group r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/etc/passwd r
/lib rx
/usr h
/usr/lib/apache/suexec x
/usr/lib/libexpat.so.1.0.0 rx
/usr/share/zoneinfo/Europe/Warsav r
/var h
/var/log/apache
/var/log/apache/suexec.log a
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}

subject /usr/sbin/suphp o {
/ h
/etc h
/etc/group r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/etc/passwd r
/lib h
/lib/ld-2.2.5.so x
/lib/libc-2.2.5.so rx
/lib/libnsl-2.2.5.so rx
/lib/libnss_compat-2.2.5.so rx
/usr h
/usr/sbin/suphp x
/usr/share/zoneinfo/Europe/Warsav r
/var h
/var/log h
/var/log/apache
/var/log/apache/suphp_log a
/var/www r
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}

--------------------------------------------------------
2. acl:
--------------------------------------------------------

role webuser u
subject / {
/ h
/usr/lib/cgi-bin/php4 x
/var/www r
/var/www/webuser_home r
/var/www/webuser_home/* r
-CAP_ALL
bind disabled
connect disabled
}

subject /usr/lib/cgi-bin/php4 o {
/ h
/var r
/var/log h
/etc r
/lib/ld-2.2.5.so x
/etc/ld.so.cache rx
/lib r
/lib/libcrypt-2.2.5.so rx
/lib/libnsl-2.2.5.so rx
/lib/libdb2.so.2.7.7 rx
/lib/libresolv-2.2.5.so rx
/lib/libm-2.2.5.so rx
/lib/libdl-2.2.5.so rx
/lib/libc-2.2.5.so rx
/lib/libnss_files-2.2.5.so rx
/usr/lib r
/usr/lib/libexpat.so.1.0.0 rx
/usr/lib/libbz2.so.1.0.2 rx
/usr/lib/libz.so.1.1.4 rx
/usr/lib/libssl.so.0.9.6 rx
/usr/lib/libcrypto.so.0.9.6 rx
/usr/lib/libt1.so.1.3.1 rx
/usr/lib/libfreetype.so.6.3.0 rx
/usr/lib/libpng.so.2.1.0.12 rx
/usr/lib/libjpeg.so.62.0.0 rx
/usr/X11R6/lib r
/usr/X11R6/lib/libX11.so.6.2 rx
/usr/X11R6/lib/libXpm.so.4.11 rx
/usr/share/zoneinfo/Europe/Warsav r
/etc/php4/cgi/php.ini r
/etc/nsswitch.conf r
/usr/share/misc/magic.mime r
/usr/lib/php4/20020429/mysql.so rx
/usr/lib/php4/20020429/gd.so rx
/var/www/webuser_home r
/var/www/webuser_home/*.php r
/var/run/mysqld/mysqld.sock rw
bind disabled
connect disabled
}
klajosh
 
Posts: 7
Joined: Tue Aug 31, 2004 8:55 am

Postby klajosh » Thu Jan 06, 2005 5:09 am

ok. this entry solved my problem:
subject /usr/lib/cgi-bin/php4 o {
....
/var/www h
....
}
klajosh
 
Posts: 7
Joined: Tue Aug 31, 2004 8:55 am


Return to RBAC policy development

cron