Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Vulnerability with ssh in OpenSSH in an RHEL installation
Operating Systems Linux Red Hat Vulnerability with ssh in OpenSSH in an RHEL installation Post 302859367 by RHCE on Thursday 3rd of October 2013 02:34:36 AM
Old 10-03-2013
Hi,

I had a query that would applying the updates cause any issues with running services, I do not think they should at all interfere with the services.

As a example, say if there is a webpage hosted and httpd daemon is running, now if the httpd package is updated then should there be any issues with the webpage which is hosted and accessed at present.

I hope my query is clear.

Request you to please revert.
 

6 More Discussions You Might Find Interesting

1. Solaris

Solaris 9, ssh and openssh

I set the RETRIES and DISABLETIME in /etc/default/login on 2 systems: - 1 Solaris 9 system running Sun SSH - 1 Solaris 9 system running Openssh 5.2 P1 I expected that after n failed logins, the login process will hang for n seconds. It does when the attempted login is done at the console... (8 Replies)
Discussion started by: jabentay
8 Replies

2. Red Hat

cannot ssh (use NFS) on RHEL box, but can mount external & ssh out of RHEL box

Ok, Im trying to get NFS working on my RHEL 5 box, apparently i can use the box as a client, but not as a server. If it helps i cant ssh into the box (server), but as a client ssh works fine. Ive configured server: /etc/hosts.allow: all : all all :all@all setup my /etc/exports file... (4 Replies)
Discussion started by: drs.grid
4 Replies

3. Windows & DOS: Issues & Discussions

seteuid access denied - openSSH installation

Hi, I have installed openssh in one of my windows servers following SUA community guidelines. I can successfully install and generate RSA DSA keys. But I cannot SSH to server from my Solaris machine. Below is the output from ssh -v <server>. Also I tried to SSH from the K-shell to localhost... (0 Replies)
Discussion started by: vkk
0 Replies

4. Solaris

Openssh installation instruction ?

Hi , Currently the machine is running with Sun_ssh. I would like to move to Open_ssh. I went through google. Each link shows different directions/ways to install openssh. I am not sure which one to proceed with . Installing OpenSSH Packages - SPARC and Intel x86/Solaris 9 and 10 ... (0 Replies)
Discussion started by: frintocf
0 Replies

5. Red Hat

RHEL 3 and OpenSSH question..

Hey Folks, I currently have several RHEL 3 machines. All of them are running OpenSSH_3.6.1p2, SSH protocols 1.5/2.0 I have a vulnerability issue and need to update OpenSSH to the newest version supported by RHEL 3. The question is: What would that version would be? This is... (1 Reply)
Discussion started by: 300zxmuro
1 Replies

6. Red Hat

Installing OPENSSH 6.2P2 on RHEL 4, 64B failed

make: Leaving directory `/u01/openssh-6.2p2/openbsd-compat' gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -std=gnu99 -I. -I. -DSSHDIR=\"/usr/local/etc\" - D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"... (0 Replies)
Discussion started by: scao
0 Replies

LEARN ABOUT DEBIAN

httpd_selinux

httpd_selinux(8)					httpd Selinux Policy documentation					  httpd_selinux(8)

NAME

       httpd_selinux - Security Enhanced Linux Policy for the httpd daemon

DESCRIPTION

       Security-Enhanced Linux secures the httpd server via flexible mandatory access control.

FILE_CONTEXTS
       SELinux	requires  files  to  have  an  extended attribute to define the file type.  Policy governs the access daemons have to these files.
       SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.

       The following file contexts types are defined for httpd:
       httpd_sys_content_t
       - Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and  disallow	other  non
       sys scripts from access.
       httpd_sys_script_exec_t
       - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
       httpd_sys_content_rw_t
       -  Set  files  with  httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow
       other non sys scripts from access.
       httpd_sys_content_ra_t
       - Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow
       other non sys scripts from access.
       httpd_unconfined_script_exec_t
       -  Set  cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a
       very complex httpd scripts, after exhausting all other options.	It is better to use this script rather than turning off SELinux protection
       for httpd.

NOTE

       With  certain  policies you can define additional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined
       where it would only have access to "user" contexts.

SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a  file  context  of  public_content_t  and  pub-
       lic_content_rw_t.   These context allow any of the above domains to read the content.  If you want a particular domain to write to the pub-
       lic_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for httpd you would execute:

       setsebool -P allow_httpd_anon_write=1

       or

       setsebool -P allow_httpd_sys_script_anon_write=1

BOOLEANS

       SELinux policy is customizable based on least access required.  SELinux can be setup to prevent certain http scripts from  working.   httpd
       policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possi-
       ble.

       httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this

       setsebool -P httpd_enable_cgi 1

       SELinux policy for httpd can be setup to not allowed to access users home directories.  If you want to allow access to users home  directo-
       ries you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.

       setsebool -P httpd_enable_homedirs 1
       chcon -R -t httpd_sys_content_t ~user/public_html

       SELinux	policy	for  httpd  can  be  setup  to	not allow access to the controlling terminal.  In most cases this is preferred, because an
       intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password
       to open a certificate file, in these cases, terminal access is required.  Set the httpd_tty_comm boolean to allow terminal access.

       setsebool -P httpd_tty_comm 1

       httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/exe-
       cute.  Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another.

       setsebool -P httpd_unified 0

       SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a  vulnerabiltiy	in
       http  from causing a spam attack.  I certain situations, you may want http modules to send mail.  You can turn on the httpd_send_mail bool-
       ean.

       setsebool -P httpd_can_sendmail 1

       httpd can be configured to turn off internal scripting (PHP).  PHP and other
       loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.

       setsebool -P httpd_builtin_scripting 0

       SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.  This would prevent a hacker from break-
       ing  into  you httpd server and attacking other machines.  If you need scripts to be able to connect you can set the httpd_can_network_con-
       nect boolean on.

       setsebool -P httpd_can_network_connect 1

       system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR

       This manual page was written by Dan Walsh <dwalsh@redhat.com>.

SEE ALSO

       selinux(8), httpd(8), chcon(1), setsebool(8)

dwalsh@redhat.com						    17 Jan 2005 						  httpd_selinux(8)
All times are GMT -4. The time now is 02:56 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy