
#1 2005-08-19 09:44:06

fluke
Member
From: Shaoguan Univ., PRC
Registered: 2005-08-12
Posts: 241
Website

How to prevent executable files from running in the DOCUMENT_ROOT

How to prevent executable files from running in the DOCUMENT_ROOT of the Apache server?

I just want it to run in /var/www/cgi-bin but not /var/www/html

As far as I know, there is a module called SELinux in Fedora Core to protect the DOCUMENT_ROOT.

Offline

#2 2005-08-19 15:05:50

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: How to prevent executable files from running in the DOCUMENT_ROOT

That is not the main purpose of SELinux.
lol

As for preventing execs from running in doc root, just set the -Executable option on that directory in the Apache conf (or something like that).
Then you just add executable to the cgi-bin dir. It should be set up like that by default.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline
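
An added example, not part of cactus's post or the original thread: the Apache option for switching CGI execution off in a directory is `Options -ExecCGI`. The sketch assumes the /var/www/html and /var/www/cgi-bin paths from the question and Apache 2.4 access-control syntax; it governs CGI execution only, not where a PHP script writes files through exec().

```apache
# Added example. Paths are the ones named in the question.
# Assumes Apache 2.4 with mod_cgi (or mod_cgid) and mod_alias loaded.

DocumentRoot "/var/www/html"

<Directory "/var/www/html">
    # Switch CGI execution off here. Only the "-" form is used, so any
    # other inherited options stay as they are. If a file in this tree is
    # still mapped to the cgi-script handler, Apache answers 403 instead
    # of running it.
    Options -ExecCGI
    # Ignore .htaccess files, so nothing written into the tree can
    # turn ExecCGI back on or add a handler.
    AllowOverride None
    Require all granted
</Directory>

# ScriptAlias maps the URL prefix to a directory outside the document
# root and treats every file in it as a CGI program.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">
    # A ScriptAlias'd directory runs CGI without needing ExecCGI.
    Options None
    AllowOverride None
    Require all granted
</Directory>
```

Run `apachectl configtest` before reloading the server to catch syntax errors.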

#3 2005-08-20 04:08:33

fluke
Member
From: Shaoguan Univ., PRC
Registered: 2005-08-12
Posts: 241
Website

Re: How to prevent executable files from running in the DOCUMENT_ROOT

Yes, I know, its purpose is to protect the whole file system.
But my web script can exec a command which can output files to any path.
For example, I can exec("gcc foo.c -o /home/fluke/foo");
And I must have the exec function work, for my project will run commands frequently.
I just want it to only generate files in some specific paths.

Offline

#4 2005-08-20 04:30:08

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: How to prevent executable files from running in the DOCUMENT_ROOT

I guess I just don't get it. Chalk it up to a language barrier, or me not understanding...
If your script is not executable (noexecute setting in Apache, not in the filesystem) then it shouldn't matter.

If you do want it to execute, but just want to control "where" it executes, you might consider running a chroot or something early in the script.
And for god's sake, don't allow user input to ever determine a path or filename directly...

/me shivers



Offline

#5 2005-09-21 08:00:53

fluke
Member
From: Shaoguan Univ., PRC
Registered: 2005-08-12
Posts: 241
Website

Re: How to prevent executable files from running in the DOCUMENT_ROOT

I must do that, for I need to run some programs via PHP.
I just want to prevent scripts from running in web_root, except in some special paths. And I want to implement this function in the system layer, like SELinux does.

Offline
