Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options

Re^5: LWP running as cgi

by betterworld (Curate)
on Sep 22, 2008 at 23:10 UTC ( #713118=note: print w/replies, xml ) Need Help??

in reply to Re^4: LWP running as cgi
in thread LWP running as cgi

SELinux is blocking httpd processes from connecting to the net (probably to stop hackers from attacking other machines from httpd)

There is another reason to keep the webserver from accessing the internet. Sometimes web applications have security holes that allow an attacker to execute a program that is available on the net, like with PHP's remote include "feature". Or the attacker's payload (like a spambot or rootkit) might be too big for a vulnerable web form.

While it should be preferable to avoid having security holes in web applications; I think it is prudent to make it hard to exploit a vulnerability to take over a system. Therefore I suggest that you think carefully before disabling these security measures.

Replies are listed 'Best First'.
Re^6: LWP running as cgi
by elwoodblues (Novice) on Sep 23, 2008 at 02:36 UTC
    Yes, you are correct. Like I said above, the best way is to generate a local exclusion policy to lock it to only allow access to what you explicitly need.
    I was mainly interested in finding out what caused this behaviour. I don't run SELinux, and after reading the doco, doubt I ever will until they make it easier to configure. Yes, it is very secure, but is the added complexity required for most installs? Really depends upon your application, but for my laptop running a development web server...naw.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://713118]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others studying the Monastery: (10)
As of 2018-06-19 15:19 GMT
Find Nodes?
    Voting Booth?
    Should cpanminus be part of the standard Perl release?

    Results (114 votes). Check out past polls.