Bug 193579 - selinux does not allow uploading to apache default tmp dir.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Daniel Walsh
Reported: 2006-05-30 15:07 EDT by Jim Perrin
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHBA-2007-0741
Doc Type: Bug Fix
Last Closed: 2007-11-15 11:06:57 EST

Attachments
StrangeAVCdenied (1.30 KB, text/plain), 2007-08-07 19:21 EDT, Josef Kubin
it accidentally happened when I was logged off ... (2.22 KB, text/plain), 2007-08-07 19:42 EDT, Josef Kubin
It hasn't fixed - after uploads it throws following messages - but it works. (1.29 KB, text/plain), 2007-08-13 13:29 EDT, Josef Kubin

Description Jim Perrin 2006-05-30 15:07:17 EDT
Description of problem:
Unless defined in the php.ini, the default upload directory is /tmp/, which the
selinux policy does not allow apache (via php) to work well with.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-sources-1.17.30-2.126

How reproducible:
always

Steps to Reproduce:
1. enable selinux
2. use default configs
3. upload file via php to default tmp dir & perform an action
  
Actual results:
php script fails because it does not have getattr permission (and more) in /tmp

Expected results:
script succeeds.

Additional info:
I'm of the opinion the admin should know where files are going, and should
define the temp dir in php accordingly, but this 'should' work if it's the default. 

Creating /var/www/tmp and defining that in php.ini works because it inherits the
permissions from /var/www... Alternative would be to edit the apache contexts
which I'm not about to touch....
Comment 1 Daniel Walsh 2006-06-06 12:40:17 EDT
What avc messages are you seeing?
Comment 2 Jim Perrin 2006-06-06 14:01:16 EDT
Below is an excerpt from /var/log/audit resulting from apache+php performing
actions on a file in temp (specifically a web application unpacking an archive
of photos for processing).

type=CWD msg=audit(1148695347.206:38478):  cwd="/tmp/2/phpdP1fxF"
type=PATH msg=audit(1148695347.206:38478): name="." flags=1  inode=12320797 dev=fd:00 mode=040755 ouid=48 ogid=48 rdev=00:00
type=AVC msg=audit(1148695347.206:38479): avc:  denied  { search } for pid=17058 comm="sh" name="phpdP1fxF" dev=dm-0 ino=12320797 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=dir
type=SYSCALL msg=audit(1148695347.206:38479): arch=40000003 syscall=195 success=no exit=-13 a0=80d178a a1=bfed58d0 a2=65cff4 a3=876d750 items=1 pid=17058 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="sh" exe="/bin/bash"
type=CWD msg=audit(1148695347.206:38479):  cwd="/tmp/2/phpdP1fxF"
type=PATH msg=audit(1148695347.206:38479): name="." flags=1  inode=12320797 dev=fd:00 mode=040755 ouid=48 ogid=48 rdev=00:00
type=AVC msg=audit(1148695347.210:38480): avc:  denied  { search } for pid=17058 comm="sh" name="phpdP1fxF" dev=dm-0 ino=12320797 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=dir
type=SYSCALL msg=audit(1148695347.210:38480): arch=40000003 syscall=195 success=no exit=-13 a0=80d178a a1=bfed57b0 a2=65cff4 a3=876d750 items=1 pid=17058 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="sh" exe="/bin/bash"
type=CWD msg=audit(1148695347.210:38480):  cwd="/tmp/2/phpdP1fxF"
type=PATH msg=audit(1148695347.210:38480): name="." flags=1  inode=12320797 dev=fd:00 mode=040755 ouid=48 ogid=48 rdev=00:00
type=AVC msg=audit(1148695347.333:38481): avc:  denied  { getattr } for pid=17058 comm="unzip" name="phpdP1fxF" dev=dm-0 ino=12320795 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=file
type=SYSCALL msg=audit(1148695347.333:38481): arch=40000003 syscall=195 success=no exit=-13 a0=8072e04 a1=bfe86f1c a2=65cff4 a3=bfe86f1c items=1 pid=17058 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="unzip" exe="/usr/bin/unzip"
type=AVC_PATH msg=audit(1148695347.333:38481):  path="/tmp/phpdP1fxF"
type=CWD msg=audit(1148695347.333:38481):  cwd="/tmp/2/phpdP1fxF"
type=PATH msg=audit(1148695347.333:38481): name="/tmp/phpdP1fxF" flags=1 inode=12320795 dev=fd:00 mode=0100600 ouid=48 ogid=48 rdev=00:00
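The three AVC records above all share one source/target pair. The following is an added triage helper, not part of this bug report or of Red Hat's tooling: it parses AVC "denied" records, collapses them into (source type, target type, class) groups with the union of denied permissions, and renders each group in the allow-rule form audit2allow would print, so a defender can see at a glance which domain is being kept away from what. The sample records are the ones from Comment 2 with their line wraps rejoined.

```python
"""Summarise SELinux AVC denials from audit.log records into allow-rule form."""
import re
from collections import Counter

# Sample records copied from Comment 2 of this bug (line wraps rejoined);
# the SYSCALL line is there to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1148695347.206:38479): avc:  denied  { search } for pid=17058 comm="sh" name="phpdP1fxF" dev=dm-0 ino=12320797 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=dir
type=SYSCALL msg=audit(1148695347.206:38479): arch=40000003 syscall=195 success=no exit=-13 comm="sh" exe="/bin/bash"
type=AVC msg=audit(1148695347.210:38480): avc:  denied  { search } for pid=17058 comm="sh" name="phpdP1fxF" dev=dm-0 ino=12320797 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=dir
type=AVC msg=audit(1148695347.333:38481): avc:  denied  { getattr } for pid=17058 comm="unzip" name="phpdP1fxF" dev=dm-0 ino=12320795 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_denials(text):
    """Return one dict per AVC 'denied' record; any other record type is skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        # Reduce user:role:type contexts to the type, which is what policy rules use.
        d["stype"] = d["scontext"].split(":")[2]
        d["ttype"] = d["tcontext"].split(":")[2]
        denials.append(d)
    return denials


def summarise(denials):
    """Group by (source type, target type, class): union of denied perms plus hit count."""
    rules, counts = {}, Counter()
    for d in denials:
        key = (d["stype"], d["ttype"], d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])
        counts[key] += 1
    return rules, counts


def as_allow_rules(rules):
    """Render each group as 'allow src tgt:class { perms };', sorted for stable output."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    rules, counts = summarise(parse_denials(SAMPLE_AUDIT))
    for rule in as_allow_rules(rules):
        print(rule)
    for (s, t, c), n in sorted(counts.items()):
        print("%s -> %s (%s): %d denial(s)" % (s, t, c, n))
```

Feed it `ausearch -m avc` output or a raw audit.log instead of the sample; the rendered rules are for reading, not for loading blindly, since they show what a domain asked for, not what it should be allowed.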
Comment 3 Daniel Walsh 2006-06-06 16:02:41 EDT
Joe and James, does it make sense to allow http cgi scripts to read files
created by the apache daemon in /tmp?  Can you think of anything that apache
might put out there that could be attacked?  Should we setup a boolean to allow
users to use the /tmp directory?  Or force them to create a tmp directory in the
/var/www tree?

Dan
Comment 4 James Antill 2006-06-06 16:52:20 EDT
 My gut feeling is that the defaults for php should move to /var/www/tmp (but
that is internal, not CGI ... no?).

 One obvious problem is that if apache can read /tmp it can see all the
directory entries for ssh-agent etc. I don't think anything worthwhile is
created in /tmp by apache ... but Joe might know of something.
 Having a bool that allows tmp_t access would be fair enough (but should
probably be off by default ... or it might be good to tie it with the enable_cgi
bool).
Comment 5 Jim Perrin 2006-06-06 17:00:54 EDT
I would rather have apache kept out of /tmp and have it use /var/www/tmp or some
other similar directory. I think selinux is doing the right thing by blocking
/tmp access, but if people are expecting uploads to 'just work' then defining
/var/www/tmp is a quick and simple fix. 
Comment 6 Joe Orton 2006-06-07 05:54:01 EDT
There are certainly a few places where PHP will internally create temporary
files as part of normal operation (the gd extension will do it when producing
image output, for example).

I wonder whether creating a new /tmp specifically for use by httpd is a bad
precedent to set; if we need a per-daemon /tmp then I'd have thought we
could come up with some better way to do it than creating N directories for N
daemons.

But yes, doing this would probably be better than giving httpd read access to
/tmp by default, and it would be simple to do.
Comment 7 Jim Perrin 2006-06-07 08:07:30 EDT
I agree that this could become cluttered if it's not handled properly. Currently
there are several instances where there are per-daemon directories already,
/var/cache, /var/log, /etc/ etc, but they're all mostly organized. What about
having something like /tmp/httpd/ or /var/tmp/httpd ? Granted /tmp is fair game
for cleaning and may not be the right choice, but hopefully I'm getting the
general idea across.
Comment 8 Daniel Walsh 2006-06-15 21:56:04 EDT
So we need to change apache, so reassigning bug?
Comment 9 Joe Orton 2006-06-16 05:35:59 EDT
There is no "apache", only "httpd" :)  

But anyway, as I said, we need some distro-wide standard on how to do per-daemon
/tmp, putting one in /var/www just for httpd is not really viable.  It needs to
be tmpwatch-managed, and so it can't be under /tmp or /var/tmp.
Comment 10 Joe Orton 2007-04-25 12:07:02 EDT
In retrospect I can't see why the httpd context can't simply be allowed to read
and write files to /tmp (but not, of course, execute; ability to get directory
listing should also be restricted I guess).  Creating a separate directory seems
like overkill.  Can you make this change in the policy, Dan?
Comment 11 Daniel Walsh 2007-06-21 09:20:17 EDT
Fixed in selinux-policy-targeted-1.17.30-2.146
Comment 12 RHEL Product and Program Management 2007-06-26 11:26:31 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 15 Josef Kubin 2007-08-07 19:18:37 EDT
I can't reproduce it ... What am I doing wrong? The AVC messages are maybe generated by
a leaked descriptor ... Uploads work, and so does copying files in /tmp from the php script.

I have noticed a strange thing: when I'm not logged in, there is no "avc: denied" message.
It obviously doesn't depend on the tested architecture.

# cat /var/www/html/uploader.php
<?php
$target_path = "/tmp/";

chdir($target_path);

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "File ". basename( $_FILES['uploadedfile']['name']). " has been uploaded.";
} else{
    echo "An error.";
}

exec("unzip $target_path");
exec("cp /tmp/test/* .");
?>

# cat /var/www/html/index.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
   "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
<title></title>
</head>
<body>
<form enctype="multipart/form-data" action="uploader.php" method="POST">
Vyber soubor: <input name="uploadedfile" type="file" /><input type="submit"
value="OK" />
</form>
</body>
</html>

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.145.noarch

# hostname
i386-4as.test.redhat.com

# sestatus
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_syslog_to_console inactive
allow_ypbind            active
dhcpd_disable_trans     inactive
httpd_builtin_scripting active
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
...
Comment 16 Josef Kubin 2007-08-07 19:21:05 EDT
Created attachment 160870
StrangeAVCdenied
Comment 17 Josef Kubin 2007-08-07 19:42:25 EDT
Created attachment 160873
it accidentally happened when I was logged off ...

It is worth mentioning that my pwd after ssh is /root.

The path /opt/Errata/2007:0741/tps, which you can see in the log, I created an hour ago.
Comment 18 Daniel Walsh 2007-08-09 14:34:18 EDT
In RHEL4 you need to turn on two booleans to get apache to use nfs

setsebool -P httpd_enable_homedirs=1 use_nfs_home_dirs=1
Comment 19 Josef Kubin 2007-08-13 13:29:14 EDT
Created attachment 161191
It hasn't fixed - after uploads it throws following messages - but it works.

The same test script as listed in Comment #15 was used.

# getenforce
Enforcing

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.146.noarch

# getsebool -a | grep 'httpd_enable_homedirs\|use_nfs_home_dirs'
httpd_enable_homedirs --> active
use_nfs_home_dirs --> active
Comment 22 errata-xmlrpc 2007-11-15 11:06:57 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0741.html