How do I prevent executable files from running in the DOCUMENT_ROOT of the Apache server?
I just want them to run in /var/www/cgi-bin but not in /var/www/html.
As far as I know, there is a module called SELinux in Fedora Core to protect the DOCUMENT_ROOT.
That is not the main purpose of SELinux.
lol
As for preventing execs from running in the doc root, just set the -Executable option on that directory in the Apache conf (or something like that).
Then you just add executable to the cgi-bin dir; it should be set up like that by default.
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
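Concretely, as an added example (not written by anyone in this thread): an Apache 2.4 configuration fragment for the layout named in the question, with execution switched off under /var/www/html and allowed only under /var/www/cgi-bin. The directive that does this is Options -ExecCGI. The Require lines are 2.4 syntax (2.0/2.2 used Order/Allow instead), the /var/www/html/uploads directory is a hypothetical upload location added to show how an uploaded .php file is kept from being interpreted, and the php_admin_flag line assumes mod_php is loaded; drop it if PHP runs as CGI/FastCGI.

```apache
# Added example, not part of the original thread.
DocumentRoot "/var/www/html"

<Directory "/var/www/html">
    # No CGI execution, no server-side includes, no following of symlinks
    # out of the document root, and no .htaccess file may re-enable any of it.
    Options -ExecCGI -Includes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Hypothetical upload directory: never interpret anything placed here.
<Directory "/var/www/html/uploads">
    php_admin_flag engine off          # mod_php only
    RemoveHandler .php .phtml
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>

# Executables are allowed only here.
ScriptAlias "/cgi-bin/" "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    Options +ExecCGI -Includes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```

Check it with `apachectl configtest` (or `httpd -t`) before reloading. Afterwards a .cgi dropped under /var/www/html should come back as a 403 ("Options ExecCGI is off in this directory" in the error log) or, if no cgi-script handler is mapped at all, as plain text; the same file under /var/www/cgi-bin runs. Note this only controls what Apache itself executes: it says nothing about what a PHP page that is allowed to run may in turn launch with exec().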
Yes, I know, its purpose is to protect the whole file system.
But my web script can exec a command which can output files to any path.
For example, I can exec("gcc foo.c -o /home/fluke/foo");
And I must have the exec function working, since my project will run commands frequently.
I just want it to be able to generate files only in some specified paths.
I guess I just don't get it. Chalk it up to a language barrier, or me not understanding...
If your script is not executable (noexecute setting in Apache, not in the filesystem) then it shouldn't matter.
If you do want it to execute, but just want to control "where" it executes, you might consider running a chroot or something early in the script.
And for God's sake, don't allow user input to ever determine a path or filename directly...
/me shivers
I must do that, since I need to run some programs via PHP.
I just want to prevent scripts from running in web_root, except in some special paths. And I want to implement this function at the system layer, like SELinux does.
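For the second half of the question (letting PHP run gcc, but only allowing output under chosen paths), one workable layer below PHP is a small wrapper that the page calls instead of exec("gcc ...") directly, so the output path is canonicalised and checked against an allow-list before any command runs. The script below is an added example, not code from the thread; the wrapper name, the ALLOWED_ROOT default of /var/lib/webbuild/out and the two-argument interface (source file, output file) are assumptions. Symlinks are resolved with `cd -P`, so a link inside the allowed tree pointing elsewhere does not get the build out of it, and the parent directory must already exist, so the build cannot create directories on its own.

```sh
#!/bin/sh
# Added example, not part of the original thread.
# Usage (from PHP): exec('/usr/local/bin/webbuild ' . escapeshellarg($src) . ' ' . escapeshellarg($out));
# ALLOWED_ROOT is an assumed location; the only place output files may land.
ALLOWED_ROOT="${ALLOWED_ROOT:-/var/lib/webbuild/out}"

# canonical_dir PATH: print the symlink-resolved directory that PATH's parent
# refers to. Fails if that directory does not exist. Runs in a subshell so the
# caller's working directory is untouched.
canonical_dir() {
    dir=$(dirname -- "$1") || return 1
    (cd -P -- "$dir" 2>/dev/null && pwd -P)
}

# check_output_path PATH: return 0 only if PATH names a file directly inside
# ALLOWED_ROOT or one of its existing subdirectories, 1 otherwise.
check_output_path() {
    out="$1"
    # Conservative character set: letters, digits, slash, dot, underscore, dash.
    case "$out" in
        ""|*[!A-Za-z0-9/._-]*) return 1 ;;
    esac
    # A leading dash would be parsed by gcc as an option, never as a path.
    case "$out" in
        -*) return 1 ;;
    esac
    # No dot-files and no trailing "." or ".." component.
    case "$(basename -- "$out")" in
        .*) return 1 ;;
    esac
    # Canonicalise both sides so symlinks and ".." cannot fake the prefix.
    root=$(cd -P -- "$ALLOWED_ROOT" 2>/dev/null && pwd -P) || return 1
    real=$(canonical_dir "$out") || return 1
    case "$real" in
        "$root"|"$root"/*) return 0 ;;
    esac
    return 1
}

# run_build SRC OUT: compile SRC to OUT after the path check. The source must
# be an existing regular file whose name does not start with a dash.
run_build() {
    src="$1"; out="$2"
    case "$src" in -*) echo "refused: bad source name" >&2; return 2 ;; esac
    [ -f "$src" ] || { echo "refused: source is not a regular file" >&2; return 2; }
    check_output_path "$out" || { echo "refused: output outside $ALLOWED_ROOT" >&2; return 2; }
    exec gcc -o "$out" "$src"
}

# Only act as a wrapper when called with exactly two arguments.
if [ "$#" -eq 2 ]; then
    run_build "$1" "$2"
fi
```

The check alone is still PHP-side policy; what makes it a system-layer control in the sense the question asks for is how the wrapper is run: install it as the only command the web server user may invoke through sudo, as a dedicated account that has write permission to ALLOWED_ROOT and nowhere else (a chroot or an SELinux domain for that account tightens it further). Then even a bug in the page, or in this script, cannot produce files outside the allowed tree, because the kernel refuses the write.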