Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual page 248


20.4.1 Immunizing Web Applications
To find Web applications, investigate your Web server configuration. The Apache Web
server is highly configurable and Web applications can be stored in many directories,
depending on your local configuration. SUSE Linux Enterprise Server, by default,
stores Web applications in /srv/www/cgi-bin/. To the maximum extent possible,
each Web application should have a Novell AppArmor profile.

Once you find these programs, you can use the AppArmor Add Profile Wizard to create
profiles for them. Refer to Section 23.1, "Adding a Profile Using the Wizard"
(page 267).

Because CGI programs are executed by the Apache Web server, the profile for Apache
itself, usr.sbin.httpd2-prefork for Apache2 on SUSE Linux Enterprise
Server, must be modified to add execute permissions to each of these programs. For
instance, adding the line /srv/www/cgi-bin/my_hit_counter.pl rpx grants
Apache permission to execute the Perl script my_hit_counter.pl and requires
that there be a dedicated profile for my_hit_counter.pl. If my_hit_counter.pl
does not have a dedicated profile associated with it, the rule should say
/srv/www/cgi-bin/my_hit_counter.pl rix to cause my_hit_counter.pl
to inherit the usr.sbin.httpd2-prefork profile.

Some users might find it inconvenient to specify execute permission for every CGI
script that Apache might invoke. Instead, the administrator can grant controlled access
to collections of CGI scripts. For instance, adding the line
/srv/www/cgi-bin/*.{pl,py,pyc} rix allows Apache to execute all files
in /srv/www/cgi-bin/ ending in .pl (Perl scripts) and .py or .pyc (Python
scripts). As above, the ix part of the rule causes Python scripts to inherit the Apache
profile, which is appropriate if you do not want to write individual profiles for each
Python script.

NOTE
If you want the subprocess confinement module (apache2-mod-apparmor)
functionality when Web applications handle Apache modules (mod_perl and
mod_php), use the ChangeHat features when you add a profile in YaST or at
the command line. To take advantage of the subprocess confinement, refer to
Section 25.1, "Apache ChangeHat" (page 316).
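
The rpx and rix rules described above, as an added example that is not part of the manual or of AppArmor: a small Python check that reads an Apache profile fragment and reports, for each CGI script, whether it would run under its own profile, inherit Apache's profile, or have no execute rule. The profile fragments, the script names other than my_hit_counter.pl, and the set of loaded dedicated profiles are constructed sample values; only the px and ix qualifiers and the * and {a,b} globs used in this section are handled.

```python
import re

# Constructed fragments of usr.sbin.httpd2-prefork using the rule forms from the
# text (rules in a profile file end with a comma). Script names are sample values.
PER_SCRIPT = """/usr/sbin/httpd2-prefork {
  /srv/www/cgi-bin/my_hit_counter.pl rpx,
  /srv/www/cgi-bin/guestbook.pl rpx,
}"""
WILDCARD = """/usr/sbin/httpd2-prefork {
  /srv/www/cgi-bin/*.{pl,py,pyc} rix,
}"""
DEDICATED = {"/srv/www/cgi-bin/my_hit_counter.pl"}  # assumed: profiles that exist
SCRIPTS = ["/srv/www/cgi-bin/" + n for n in
           ("my_hit_counter.pl", "guestbook.pl", "report.pyc", "backup.sh")]
RULE = re.compile(r"^[ \t]*(/\S+)[ \t]+(\w+),[ \t]*$", re.M)

def glob_to_regex(glob):
    """Translate the AppArmor glob subset used in this section: * and {a,b}."""
    out, depth = "", 0
    for c in glob:
        depth += (c == "{") - (c == "}")
        if c == "," and depth:
            out += "|"  # comma inside braces separates alternatives
        else:
            out += {"*": "[^/]*", "{": "(?:", "}": ")"}.get(c, re.escape(c))
    return re.compile(out + r"\Z")

def audit(profile, dedicated, scripts):
    """Report how Apache's profile would execute each script (px and ix only)."""
    rules = [(glob_to_regex(path), re.search(r"[pi]x", mode))
             for path, mode in RULE.findall(profile)]
    report = {}
    for s in scripts:
        quals = {q.group() for rx, q in rules if q and rx.match(s)}
        if not quals:
            report[s] = "no execute rule"
        elif len(quals) > 1:
            report[s] = "overlapping px and ix rules, review"
        elif quals == {"ix"}:
            report[s] = "inherits Apache profile"
        else:  # px: the text requires a dedicated profile for the script
            report[s] = "own profile" if s in dedicated else "px, but profile missing"
    return report

if __name__ == "__main__":
    for name, prof in (("per-script", PER_SCRIPT), ("wildcard", WILDCARD)):
        for script, verdict in audit(prof, DEDICATED, SCRIPTS).items():
            print(f"{name:10} {script}: {verdict}")
```

With the wildcard fragment, my_hit_counter.pl is reported as inheriting the Apache profile even though a dedicated profile exists for it, because the ix qualifier never transitions to another profile.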


This manual is also suitable for:

Suse linux enterprise server 11
