Re: apache cron job: msg#00199

On Monday 25 April 2005 18:24, Holger Burde <hburde@xxxxxxxxxxx> wrote:
> I run a FC3 System with the rawhide strict Policy. I have a cron script
> (apache) that needs to read/write files under /var/www/
> { httpd_sys_content_t }. Any idea whats the best (= secure) way to do
> so ? audit2allow suggests this : allow system_crond_t
> httpd_sys_content_t:file write; - maybe there isa better solution?

Cron jobs that deal with data from the net are a risk, potentially if an 
attacker controlled the remote data source they could make repeated attempts 
at manipulating the data to exploit your machine without you realising.

Having a separate domain for the cron job may be best.  But this would require 
writing more policy.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

<Prev in Thread]	Current Thread	[Next in Thread>

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: avc messages corrupted?, Steve G
Next by Date:	Re: New policy for DCC, David Hampton
Previous by Thread:	apache cron job, Holger Burde
Next by Thread:	Re: apache cron job, Holger Burde
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re: avc messages corrupted?, Steve G

Next by Date:

Re: New policy for DCC, David Hampton

Previous by Thread:

apache cron job, Holger Burde

Next by Thread:

Re: apache cron job, Holger Burde

Indexes:

[Date] [Thread] [Top] [All Lists]