193579 – selinux does not allow uploading to apache default tmp dir.

Bug 193579 - selinux does not allow uploading to apache default tmp dir.

Summary: selinux does not allow uploading to apache default tmp dir.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	selinux-policy-targeted
Sub Component:
Version:	4.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	---
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-05-30 19:07 UTC by Jim Perrin
Modified:	2007-11-30 22:07 UTC (History)
CC List:	3 users (show)
Fixed In Version:	RHBA-2007-0741
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-11-15 16:06:57 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
StrangeAVCdenied (1.30 KB, text/plain) 2007-08-07 23:21 UTC, Josef Kubin	no flags	Details
it accidentally happened when I was logged off ... (2.22 KB, text/plain) 2007-08-07 23:42 UTC, Josef Kubin	no flags	Details
It hasn't fixed - after uploads it throws following messages - but it works. (1.29 KB, text/plain) 2007-08-13 17:29 UTC, Josef Kubin	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2007:0741	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2007-11-14 17:04:04 UTC

Description Jim Perrin 2006-05-30 19:07:17 UTC

Description of problem:
Unless defined in the php.ini, the default upload directory is /tmp/ which the
selinux policy does not allow apache(via php) to work well with.  

Version-Release number of selected component (if applicable):
selinux-policy-targeted-sources-1.17.30-2.126

How reproducible:
always

Steps to Reproduce:
1. enable selinux
2. use default configs
3. upload file via php to default tmp dir & perform an action
  
Actual results:
php script fails because it does not have getattr permission (and more) in /tmp

Expected results:
script succeeds.

Additional info:
I'm of the opinion the admin should know where files are going, and should
define the temp dir in php accordingly, but this 'should' work if it's the default. 

Creating /var/www/tmp and defining that in php.ini works because it inherits the
permissions from /var/www... Alternative would be to edit the apache contexts
which I'm not about to touch....

Comment 1 Daniel Walsh 2006-06-06 16:40:17 UTC

What avc messages are you seeing?

Comment 2 Jim Perrin 2006-06-06 18:01:16 UTC

Below is an excerpt from /var/log/audit resulting from apache+php performing
actions on a file in temp (specifically a web application unpacking an archive
of photos for processing).

type=CWD msg=audit(1148695347.206:38478):  cwd="/tmp/2/phpdP1fxF"
type=PATH msg=audit(1148695347.206:38478): name="." flags=1  inode=12320797
dev=fd:00 mode=040755 ouid=48 ogid=48 rdev=00
:00
type=AVC msg=audit(1148695347.206:38479): avc:  denied  { search } for 
pid=17058 comm="sh" name="phpdP1fxF" dev=dm-0 ino
=12320797 scontext=root:system_r:httpd_sys_script_t
tcontext=root:object_r:httpd_tmp_t tclass=dir
type=SYSCALL msg=audit(1148695347.206:38479): arch=40000003 syscall=195
success=no exit=-13 a0=80d178a a1=bfed58d0 a2=65c
ff4 a3=876d750 items=1 pid=17058 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 comm="sh" exe="
/bin/bash"
type=CWD msg=audit(1148695347.206:38479):  cwd="/tmp/2/phpdP1fxF"
type=PATH msg=audit(1148695347.206:38479): name="." flags=1  inode=12320797
dev=fd:00 mode=040755 ouid=48 ogid=48 rdev=00
:00
type=AVC msg=audit(1148695347.210:38480): avc:  denied  { search } for 
pid=17058 comm="sh" name="phpdP1fxF" dev=dm-0 ino
=12320797 scontext=root:system_r:httpd_sys_script_t
tcontext=root:object_r:httpd_tmp_t tclass=dir
type=SYSCALL msg=audit(1148695347.210:38480): arch=40000003 syscall=195
success=no exit=-13 a0=80d178a a1=bfed57b0 a2=65c
ff4 a3=876d750 items=1 pid=17058 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 comm="sh" exe="
/bin/bash"
type=CWD msg=audit(1148695347.210:38480):  cwd="/tmp/2/phpdP1fxF"
type=PATH msg=audit(1148695347.210:38480): name="." flags=1  inode=12320797
dev=fd:00 mode=040755 ouid=48 ogid=48 rdev=00
:00
type=AVC msg=audit(1148695347.333:38481): avc:  denied  { getattr } for 
pid=17058 comm="unzip" name="phpdP1fxF" dev=dm-0
 ino=12320795 scontext=root:system_r:httpd_sys_script_t
tcontext=root:object_r:httpd_tmp_t tclass=file
type=SYSCALL msg=audit(1148695347.333:38481): arch=40000003 syscall=195
success=no exit=-13 a0=8072e04 a1=bfe86f1c a2=65c
ff4 a3=bfe86f1c items=1 pid=17058 auid=500 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 comm="unzip" e
xe="/usr/bin/unzip"
type=AVC_PATH msg=audit(1148695347.333:38481):  path="/tmp/phpdP1fxF"
type=CWD msg=audit(1148695347.333:38481):  cwd="/tmp/2/phpdP1fxF"
type=PATH msg=audit(1148695347.333:38481): name="/tmp/phpdP1fxF" flags=1 
inode=12320795 dev=fd:00 mode=0100600 ouid=48 o
gid=48 rdev=00:00

Comment 3 Daniel Walsh 2006-06-06 20:02:41 UTC

Joe and James, does it make sense to allow http cgi scripts to read files
created by the apache daemon in /tmp?  Can you think of anything that apache
might put out there that could be attacked?  Should we setup a boolean to allow
users to use the /tmp directory?  Or force them to create a tmp directory in the
/var/www tree?

Dan

Comment 4 James Antill 2006-06-06 20:52:20 UTC

 My gut feeling is that the defaults for php should move to /var/www/tmp (but
that is internal, not CGI ... no?).

 One obvious problem is that if apache can read /tmp it can see all the
directory enteries for ssh-agent etc. I don't think anything worthwhile is
created in /tmp by apache ... but Joe might know of something.
 Having a bool that allows tmp_t access would be fair enough (but should
probably be off by default ... or it might be good to tie it with the enable_cgi
bool).

Comment 5 Jim Perrin 2006-06-06 21:00:54 UTC

I would rather have apache kept out of /tmp and have it use /var/www/tmp or some
other similar directory. I think selinux is doing the right thing by blocking
/tmp access, but if people are expecting uploads to 'just work' then defining
/var/www/tmp is a quick and simple fix.

Comment 6 Joe Orton 2006-06-07 09:54:01 UTC

There are certainly a few places where PHP will internally create temporary
files as part of normal operation (the gd extension will do it when producing
image output, for example).

I wonder whether creating a new /tmp specifically for use by httpd is a bad
precedent to set; if we need a per-daemon /tmp then some I'd have thought we
could come up with some better way to do it than creating N directories for N
daemons

But yes, doing this would probably be better than giving httpd read access to
/tmp by default, and it would be simple to do.

Comment 7 Jim Perrin 2006-06-07 12:07:30 UTC

I agree that this could become cluttered if it's not handled properly. Currently
there are several instances where there are per-daemon directories already,
/var/cache, /var/log, /etc/ etc, but they're all mostly organized. What about
having something like /tmp/httpd/ or /var/tmp/httpd ? Granted /tmp is fair game
for cleaning and may not be the right choice, but hopefully I'm getting the
general idea across.

Comment 8 Daniel Walsh 2006-06-16 01:56:04 UTC

So we need to change apache, so reassigning bug?

Comment 9 Joe Orton 2006-06-16 09:35:59 UTC

There is no "apache", only "httpd" :)  

But anyway, as I said, we need some distro-wide standard on how to do per-daemon
/tmp, putting one in /var/www just for httpd is not really viable.  It needs to
be tmpwatch-managed, and so it can't be under /tmp or /var/tmp.

Comment 10 Joe Orton 2007-04-25 16:07:02 UTC

In retrospect I can't see why the httpd context can't simply be allowed to read
and write files to /tmp (but not, of course, execute; ability to get directory
listing should also be restricted I guess).  Creating a separate directory seems
like overkill.  Can you make this change in the policy, Dan?

Comment 11 Daniel Walsh 2007-06-21 13:20:17 UTC

Fixed in selinux-policy-targeted-1.17.30-2.146

Comment 12 RHEL Program Management 2007-06-26 15:26:31 UTC

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 15 Josef Kubin 2007-08-07 23:18:37 UTC

I can't reproduce it ... What I'm doing wrong? AVC messages maybe generate
leaked descriptor ... Uploads works, even copy files in /tmp by php script.

I have noticed strange thing: when I'm not logged, no "avc: denied" message.
It obviously isn't depending on tested architecture.

# cat /var/www/html/uploader.php
<?php
$target_path = "/tmp/";

chdir($target_path);

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "File ". basename( $_FILES['uploadedfile']['name']). " has been uploaded.";
} else{
    echo "An error.";
}

exec("unzip $target_path");
exec("cp /tmp/test/* .");
?>

# cat /var/www/html/index.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
   "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
<title></title>
</head>
<body>
<form enctype="multipart/form-data" action="uploader.php" method="POST">
Vyber soubor: <input name="uploadedfile" type="file" /><input type="submit"
value="OK" />
</form>
</body>
</html>

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.145.noarch

# hostname
i386-4as.test.redhat.com

# sestatus
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_syslog_to_console inactive
allow_ypbind            active
dhcpd_disable_trans     inactive
httpd_builtin_scripting active
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
...

Comment 16 Josef Kubin 2007-08-07 23:21:05 UTC

Created attachment 160870 [details]
StrangeAVCdenied

Comment 17 Josef Kubin 2007-08-07 23:42:25 UTC

Created attachment 160873 [details]
it accidentally happened when I was logged off ...

It is worth to mention, that my pwd after ssh is /root

the path /opt/Errata/2007:0741/tps as you can see in log I created an hour ago.

Comment 18 Daniel Walsh 2007-08-09 18:34:18 UTC

In RHEL4 you need to turn on two booleans to get apache to use nfs

setsebool -P httpd_enable_homedirs=1 use_nfs_home_dirs=1

Comment 19 Josef Kubin 2007-08-13 17:29:14 UTC

Created attachment 161191 [details]
It hasn't fixed - after uploads it throws following messages - but it works.

Test script has been used the same as listed in Comment #15.

# getenforce
Enforcing

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.146.noarch

# getsebool -a | grep 'httpd_enable_homedirs\|use_nfs_home_dirs'
httpd_enable_homedirs --> active
use_nfs_home_dirs --> active

Comment 22 errata-xmlrpc 2007-11-15 16:06:57 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0741.html

Note You need to log in before you can comment on or make changes to this bug.