[Apparmor-general] How to configure apparmor to block *.inc to access from explorer
Seth Arnold
seth.arnold at suse.de
Fri Jun 15 12:59:20 MDT 2007
On Fri, Jun 15, 2007 at 06:20:20PM +0530, Manu V wrote:
> I have some *.php pages and some *.inc pages. I want to configure
> apparmor in such a way that, *.inc should be accessed by *.php only. If
> some one tries to access *.inc from the explorer he should be blocked.
> Ex:
> index.php has welcome.inc file included. Index.php should be allowed to
> access welcome.inc. If user tries to access welcome.inc from the
> explorer, he should be blocked. At present he can see the source code of
> welcome.inc.
> Note: I know to configure in httpd.conf, but I would like to configure
> this in apparmor.
Hello Manu; I can see a few possible implementations of this.
First, assume you run Apache+mod_php:
Install mod_apparmor to provide change_hat() support
Give each individual PHP script its own hat
Make sure the default apache hat does not have access to the .inc files.
The individual hats _will_ need the .inc files.
Second, assume you run Apache+fastcgi:
Make sure the apache profile does not have access to the .inc files.
Make sure Apache can feed PHP to fastcgi.
Make sure the fastcgi profile can read the .php and .inc files.
Third, assume you use Apache+suexec:
Make sure the apache profile does not have access to the .inc files.
Make sure apache can execute suexec.
Make sure apache's profile has 'px' or 'Px' privileges to suexec.
Make sure suexec's profile can read the .php and .inc files.
Fourth, assume you use Apache + CGI PHP:
Make sure the apache profile does not have access to the .inc files.
Make sure apache can execute php.
Make sure apache's profile has 'px' or 'Px' privileges to php.
Make sure php's profile can read the .php and .inc files.
The first option is probably 'best', in the sense that it is closest to
simple Apache deployment, and should be good enough. change_hat() isn't
a memory protection barrier, so it isn't as good as running a completely
different process, but it's pretty simple to deploy.
The FastCGI option is popular, especially if you've got other reasons to
like FastCGI.
I don't know much about suexec, but I would expect it to be poor.
The CGI PHP option is awful. I wouldn't recommend it to anyone. :)
Hope this helps
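An AppArmor profile for the first option (mod_apparmor with one hat per script), added here as an illustration; it is not part of the original mail. It uses current profile syntax; the httpd binary path, the DocumentRoot /srv/www/htdocs and the script names are assumptions, and the hat names follow mod_apparmor's default of switching to a hat named after the request URI, falling back to DEFAULT_URI when no such hat exists.

```apparmor
# Added illustration, not from the original mail. Paths are assumptions.
#include <tunables/global>

/usr/sbin/httpd2-prefork {
  #include <abstractions/apache2-common>
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability setgid,
  capability setuid,

  /etc/apache2/** r,
  /usr/lib64/apache2-prefork/*.so mr,
  /var/log/apache2/* w,

  # Default (non-hat) context: may read the scripts, never the includes.
  # Hats do not inherit these rules, so each hat lists what it needs.
  /srv/www/htdocs/*.php r,
  deny /srv/www/htdocs/*.inc r,

  # mod_apparmor enters this hat while parsing a request, before the
  # URI is known; keep it minimal.
  ^HANDLING_UNTRUSTED_INPUT {
    #include <abstractions/apache2-common>
    /var/log/apache2/* w,
  }

  # Fallback for any URI without a hat of its own. A direct request for
  # /welcome.inc lands here (there is no ^/welcome.inc hat), and this hat
  # cannot read .inc files, so the include source is never served.
  ^DEFAULT_URI {
    #include <abstractions/apache2-common>
    /srv/www/htdocs/*.html r,
    /var/log/apache2/* w,
  }

  # Hat for the index.php request: this is the only context allowed to
  # read welcome.inc, so the include works only via the PHP script.
  ^/index.php {
    #include <abstractions/apache2-common>
    /srv/www/htdocs/index.php r,
    /srv/www/htdocs/welcome.inc r,
    /var/log/apache2/* w,
  }
}
```

Load it with apparmor_parser -r and watch the audit log for DENIED entries on *.inc to confirm that only the ^/index.php hat ever reads the include.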