[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Adding two new booleans to httpd to tighten it's security.

Nicklas Norling wrote:
Daniel J Walsh wrote:

Currently policy allows httpd to connect to relay ports and to mysql/postgres ports.

Adding these booleans
   * httpd_can_network_relay
   * httpd_can_network_connect_db

And turning this feature off by default. This is going into tonights reference policy and into FC4 test release. If we had these turned off we would have prevented the last apache worm virus. This could cause problems for people who run httpd relays or have their apache databases talking to mysql and postgres databases over the network.

I'm sorry but I don't understand most of what you write. What is relay ports? What worm are you refering to?
In the default targeted policy in FC4/RHEL4 apache is allowed to attach to the Apache ports 80. 8080 and a few others like ftp etc. This boolean would allow users who do not want their apache servers to be able to connect out. Most apache servers do not relay requests to other machines, and this would just enforce this policy. A worm that came out over the last couple of months attacked PHP and apache and once a machine was infected launched attacks on other web servers inside your private network. If the new policy was in place this worm/attack would have been thwarted. Apache currently is not allowed to connect to random ports including the mail port. You have to turn that on a boolean if you want apache to connect to these other ports. These new
booleans would just close all remaining ports that apache could connect to.
I find nothing googling and the latest worms I could find was a defect in apache or openssl. I'm conserned that this is going in without any discussion, or have I missed somerhing?
This is the discussion. I have not put out a fc4 RELEASE YET. I am looking for peoples comments before we turn this on.
I'm guessing most FC4 users having apache setup are using different kind of applications in PHP, Python, Perl etc. that they run. Forums, portals, Wikis, blogs etc. Most, if not all, uses the network to connect to the local email server and to store/retreive data from a database.
Connecting to the local database should not be a problem, since that would be over a unix domain socket. Mail is currently shut off and you need to turn on boolean to allow it.
Installing a policy that breaks their services will be
very determinental to the trust of selinux. I suppose those services will be left semi-functional after such an update and that manual intervention is required to restore service. That would be close to a DOS attack in my oppinion.

We could leave the boolean turned on, but then most customers would not get the security increase.
You can turn the features back on by executing:
setsebool -P httpd_can_network_relay=1
setsebool -P httpd_can_network_connect_db=1

Will consider adding this feature to RHEL in a future update.


Please elaborate, what problem is being solved here? What will the consequences be for end users?

It will prevent a hacked Apache/PHP server from being able to launch attacks on other servers. The consequences for most users would be nil. Some will break their service, until they set the boolean, if we default to off.




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]