Linux: SELinux causes the website to be inaccessible

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Switching the SELinux mode back and forth confirms the cause: when SELinux is turned off (permissive), the site content is accessible normally, so SELinux is what blocks it when it is enforcing.

[root@master1-192,168117-18 ~]# setenforce 0
[root@master1-192,168117-18 ~]# getenforce
Permissive
[root@master1-192,168117-18 ~]# setenforce 1
[root@master1-192,168117-18 ~]# getenforce
Enforcing

View the SELinux security context of the website's home directory and compare it with the system default document root:

[root@master1-192,168117-18]# ls -Zd /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
[root@master1-192,168117-18]# ls -Zd /home/wwwroot/
drwxr-xr-x. root root system_u:object_r:user_home_dir_t:s0 /home/wwwroot/

The new directory is labelled user_home_dir_t, which httpd is not allowed to read. Give the newly added website home directory the same SELinux context type (httpd_sys_content_t) as the system default document root:

[root@master1-192,168117-18]# semanage fcontext -a -t httpd_sys_content_t '/home/wwwroot(/.*)?'

(The pattern is quoted so that the shell does not expand it, and the regular expression covers the directory itself as well as everything beneath it, which is what the restorecon output further down shows being relabelled.)

Note that after the rule above is added, the website still cannot be accessed immediately: semanage only records the rule in the policy, and the restorecon command must be run to apply the new SELinux security context to the existing files. The -Rv options make restorecon recurse into the specified directory and print each context change as it is made.

[root@master1-192,168117-18]# restorecon -Rv /home/wwwroot/
restorecon reset /home/wwwroot context system_u:object_r:user_home_dir_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/index.html context system_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
[root@master1-192,168117-18]# ls -Zd /home/wwwroot/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /home/wwwroot/

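The label check above is easy to turn into a repeatable test. The following script is an added example, not code from the original article: it reads the type field of an ls -Z line, decides whether a directory still needs relabelling, and prints the same semanage and restorecon commands the article uses. It assumes ls -Z prints the security context as a colon-separated field (user:role:type:level); the directory name and the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: check whether a directory
# carries the SELinux type httpd is allowed to read and, if not, print the
# same two commands the article uses to fix it. Assumes ls -Z prints the
# context as a colon-separated field (user:role:type:level) on the line.

EXPECTED_TYPE=httpd_sys_content_t

# context_type LINE: print the type (third colon field) of the first
# field on an ls -Z output line that looks like a security context.
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 3) { print c[3]; exit }
    }'
}

# needs_relabel LINE: true (0) when the type is not httpd_sys_content_t
needs_relabel() {
    [ "$(context_type "$1")" != "$EXPECTED_TYPE" ]
}

# print_fix DIR: persistent fcontext rule for the directory and everything
# below it, followed by the restorecon that applies it immediately
print_fix() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$EXPECTED_TYPE" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# check_docroot DIR: 0 if the label is right, 1 if it needs relabelling
# (the fix is printed), 2 if the directory cannot be listed
check_docroot() {
    line=$(ls -Zd "$1") || return 2
    if needs_relabel "$line"; then
        echo "$1 has type $(context_type "$line"); httpd will be denied" >&2
        print_fix "$1"
        return 1
    fi
    echo "$1 is labelled $EXPECTED_TYPE"
}

# On a real host: check_docroot /home/wwwroot
```

Run it on every document root you add outside /var/www before touching setenforce; a non-zero exit tells you the label, not the policy mode, is the problem.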

Personal user home page function

Step 1: the httpd service does not enable the personal user home page function by default. To enable it, edit the configuration file below: add a pound sign (#) in front of the UserDir disabled parameter on line 17, and remove the pound sign (#) in front of the UserDir public_html parameter on line 24 (the UserDir parameter names the directory inside the user's home directory where the website data is kept, here public_html). Remember to save the file after making the changes.

[root@master1-192,168117-18]# vim /etc/httpd/conf.d/userdir.conf
 1 #
 2 # UserDir: The name of the directory that is appended onto a user's home
 3 # directory if a ~user request is received.
 4 #
 5 # The path to the end user account 'public_html' directory must be
 6 # accessible to the webserver userid.  This usually means that ~userid
 7 # must have permissions of 711, ~userid/public_html must have permissions
 8 # of 755, and documents contained therein must be world-readable.
 9 # Otherwise, the client will only receive a 403 Forbidden message.
10 #
11 <IfModule mod_userdir.c>
12     #
13     # UserDir is disabled by default since it can confirm the presence
14     # of a username on the system (depending on home directory
15     # permissions).
16     #
17     #UserDir disabled
18
19     #
20     # To enable requests to /~user/ to serve the user's public_html
21     # directory, remove the "UserDir disabled" line above, and uncomment
22     # the following line instead:
23     #
24     UserDir public_html
25 </IfModule>
26
27 #
28 # Control access to UserDir directories.  The following is an example
29 # for a site where these directories are restricted to read-only.
30 #
31 <Directory "/home/*/public_html">
32     AllowOverride FileInfo AuthConfig Limit Indexes
33     Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
34     Require method GET POST OPTIONS
35 </Directory>
"/etc/httpd/conf.d/userdir.conf" 36L, 1254C written

Step 2: as the user, create the directory that will hold the website data in the home directory, together with a home page file. The home directory itself must also be changed to permission 755 so that other users (including the httpd process) are allowed to read its contents.

[aa@master1-192,168117-18]$ mkdir public_html
[aa@master1-192,168117-18]$ echo "the world is so big, I'll go and have a look!" > public_html/index.html
[aa@master1-192,168117-18]$ chmod -Rf 755 /home/aa/

Step 3: restart the httpd service and enter the address in the browser's address bar in the form "URL/~username" (the tilde is required, and there is no space between the URL, the tilde and the user name). In theory the user's personal website should appear. Unsurprisingly, the system shows an error page instead, as in figure 10-9. It must still be SELinux's fault.

Step 4: use the getsebool command to list all SELinux booleans and filter out the ones related to the HTTP service. A value of off means the behaviour is prohibited, on means it is allowed. The boolean that matters here is httpd_enable_homedirs, which is off; the setsebool command at the end switches it on, and its -P option makes the change persistent across reboots.

[root@master1-192,168117-18]# getsebool -a | grep http
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
named_tcp_bind_http_port --> off
prosody_bind_http_port --> off
[root@master1-192,168117-18]# setsebool -P httpd_enable_homedirs=on
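Reading that list by eye is error-prone, and flipping booleans one at a time tends to leave extra ones switched on. The script below is an added example, not part of the original article: it parses getsebool output, reports httpd booleans that should be on for this article's setup but are off, and reports any other httpd boolean that is on (wider privilege than the home page function needs). The allow-list is my assumption for this configuration, and the sample output is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: audit the httpd_* SELinux
# booleans against the minimal set this article's setup needs and flag
# anything else that is switched on. The allow-list is an assumption.

# Booleans expected to be on: the three that were already on in the
# article's listing plus httpd_enable_homedirs, which the article turns on.
ALLOW_ON="httpd_builtin_scripting httpd_enable_cgi httpd_graceful_shutdown httpd_enable_homedirs"

# Constructed sample of "getsebool -a | grep http" output (not a real capture)
SAMPLE='httpd_anon_write --> on
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_graceful_shutdown --> on
httpd_read_user_content --> off'

# audit_booleans: reads "name --> state" lines on stdin and prints one
# finding per line:
#   MISSING name  -> should be on but is off (the page would be denied)
#   EXTRA name    -> on but not in the allow-list (unneeded privilege)
audit_booleans() {
    awk -v allow="$ALLOW_ON" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 ~ /^httpd_/ && $3 == "on"  { if (!($1 in want)) print "EXTRA", $1 }
        $1 ~ /^httpd_/ && $3 == "off" { if ($1 in want) print "MISSING", $1 }
    '
}

# fix_commands: turns MISSING findings into the persistent setsebool
# form the article uses (EXTRA findings are left for a human to judge)
fix_commands() {
    awk '$1 == "MISSING" { printf "setsebool -P %s=on\n", $2 }'
}

# Against the constructed sample:
#   printf '%s\n' "$SAMPLE" | audit_booleans
#   printf '%s\n' "$SAMPLE" | audit_booleans | fix_commands
# On a real host: getsebool -a | audit_booleans
```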

Access the web page through authentication

Step 1: first use the htpasswd command to generate the password database. The -c parameter means the file is being created for the first time; after it come the path of the password database file and the user name that will be used for authentication (which does not have to be an existing local account on the system).

[root@master1-192,168117-18]# htpasswd -c /etc/httpd/passwd aa

New password:

Re-type new password:

Adding password for user aa

Step 2: edit the configuration file of the personal home page function so that the directory block requires authentication against the password file created above. Save and exit the file, then restart the httpd service for the change to take effect.

[root@master1-192,168117-18]# vim /etc/httpd/conf.d/userdir.conf
 1 #
 2 # UserDir: The name of the directory that is appended onto a user's home
 3 # directory if a ~user request is received.
 4 #
 5 # The path to the end user account 'public_html' directory must be
 6 # accessible to the webserver userid.  This usually means that ~userid
 7 # must have permissions of 711, ~userid/public_html must have permissions
 8 # of 755, and documents contained therein must be world-readable.
 9 # Otherwise, the client will only receive a 403 Forbidden message.
10 #
11 <IfModule mod_userdir.c>
12     #
13     # UserDir is disabled by default since it can confirm the presence
14     # of a username on the system (depending on home directory
15     # permissions).
16     #
17     #UserDir disabled
18
19     #
20     # To enable requests to /~user/ to serve the user's public_html
21     # directory, remove the "UserDir disabled" line above, and uncomment
22     # the following line instead:
23     #
24     UserDir public_html
25 </IfModule>
26
27 #
28 # Control access to UserDir directories.  The following is an example
29 # for a site where these directories are restricted to read-only.
30 #
31 <Directory "/home/*/public_html">
32     AllowOverride all
33     authuserfile "/etc/httpd/passwd"
34     authname "My privately website"
35     authtype basic
36     require user aa
37 </Directory>
38
"/etc/httpd/conf.d/userdir.conf" 38L, 1217C written
