Solved

403 Forbidden error when running .exe scripts

Posted on 2006-10-23
Last Modified: 2007-11-27
Hi,

I have a serious problem when trying to execute scripts on my Fedora Core 4 server with Plesk 8 installed. I have defined a ScriptAlias directory in httpd.conf (really an include file called from httpd.conf) like this:

ScriptAlias /pav_qmail/scripts/ "/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/"
<Directory "/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts">
      AllowOverride None
      Options -Indexes Includes ExecCGI
      AddHandler cgi-script .cgi .exe
      Order allow,deny
      Allow from all
</Directory>

chmod is 750 for the script directory and 755 for the scripts themselves.
chown is <website administrator> and chgrp is "psacln" as suggested by Plesk.
There are no .htaccess files defined.

The exact error message I'm getting in IE 6 is:

"Forbidden
You don't have permission to access /pav_qmail/scripts/VentanaPrincipal.exe on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."

"VentanaPrincipal.exe" is one of the .exe scripts that try to execute.

Can someone help me with this ?

Thanks,
Antonio


Question by:agubaira
12 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 17793950
> chmod is 750 for the script directory and 755 for the scripts themselves.
> chown is <website administrator> and chgrp is "psacln" as suggested by Plesk.
It says that only the owner and group are allowed to execute such a script.
But is your Apache running under the <website administrator> user or the psacln group? Usually it runs as apache:apache. In such a case it's not allowed to execute the file (chmod 0755 would help).
Or are you using suexec for CGI scripts?
0
 

Author Comment

by:agubaira
ID: 17795558
Changing to 755 gives me a server misconfiguration error.
How do I know under which user/group Apache is running? I guess it's psacln, because the Plesk forum suggests it. If I change the group to something else, I also get a server misconfiguration.

And yes, the server uses suexec for cgi scripts. This file is owned by root:apache and has the following attributes: -r-s--x---

Thanks
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17795682
Please refer to Apache's error log to get the real error message.
0
 

Author Comment

by:agubaira
ID: 17796550
error_log:

[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/cgiframeizquierdo.exe denied, referer: http://www.mydomain.com/pav_qmail/html/inicio.html
[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/cgibotones.exe denied, referer: http://www.mydomain.com/pav_qmail/html/derechoprincipalcastellano.html
[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/VentanaPrincipal.exe denied, referer: http://www.mydomain.com/pav_qmail/html/derechoprincipalcastellano.html
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17797102
Looks like suexec is not in use.
Error 13 simply means that the owner/group/permissions are unsuitable for the apache user to execute the script.
For testing purposes, try chowning the file to the apache user.
0
 

Author Comment

by:agubaira
ID: 17797383
Ok. I chowned "suexec" in both /usr/bin and /usr/sbin directories to "apache" user, restarted Apache and reproduced the error (13).

It comes to my attention that suexec_log file is not being updated.
0

 
LVL 43

Expert Comment

by:ravenpl
ID: 17797490
No, not the suexec!
Change the owner of /pav_qmail/scripts/cgiframeizquierdo.exe and the others...
0
 

Author Comment

by:agubaira
ID: 17799414
Sorry. Now I changed ownership of .exe scripts and the problem remains the same. I found the following line in the error log:

Warning: SuexecUserGroup directive requires SUEXEC wrapper.

Looks like suexec is not present. What do you think? Please confirm ownership and permits of this binary.

Thanks
0
 
LVL 43

Accepted Solution

by:
ravenpl earned 500 total points
ID: 17801255
OK, let's straighten some things out first. The suexec binary should look like
-rws--x--x  1 root root 11388 Jun  2  2005 suexec
httpd -l (OR: apache2 -l) should show that suexec is enabled and valid.

Then each .exe should not be suid/sgid, and should be executable for all, or at least for apache and the owner itself. If it's a script (like Perl or bash) it also has to be readable by apache and the owner.

Each VirtualHost directive should contain the target user/group for execution. The owner/group of the exe file has to match those.
User  username
Group groupname
The suexec performs many checks on the config and the file to execute - refer to http://httpd.apache.org/docs/2.0/suexec.html

In case suexec is not enabled (but if you use SuexecUserGroup you expect it to be), then the exe has to be readable/executable by the apache user (and not the owner of the web folder).
0
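Added example (not part of the thread, and not Apache's own code): a Python pre-flight check that mirrors the suEXEC conditions listed in the answer above, plus the docroot rule behind the "command not in docroot" entries in the suexec_log quoted later in the thread. The function names are hypothetical, the docroot comparison approximates suexec's own path check, and using /var/www/vhosts as the wrapper's compiled docroot is an assumption taken from that log.

```python
import os
import stat
from types import SimpleNamespace

def suexec_findings(path, docroot, want_uid, want_gid, st, dir_st):
    """Return the reasons suEXEC would refuse `path` (empty list = passes).

    st and dir_st are os.stat() results (or stand-ins) for the CGI and its
    directory; want_uid/want_gid are the vhost's target user and group.
    """
    findings = []
    real, root = os.path.normpath(path), os.path.normpath(docroot)
    # Path-component comparison, so /var/www/vhosts2 is not inside /var/www/vhosts.
    if os.path.commonpath([real, root]) != root:
        findings.append("command not in docroot")
    if want_uid == 0 or want_gid == 0:
        findings.append("target user/group must not be root")
    if (st.st_uid, st.st_gid) != (want_uid, want_gid):
        findings.append("owner/group does not match the vhost User/Group")
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("CGI is setuid/setgid")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("CGI is writable by group or others")
    if dir_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("directory is writable by group or others")
    return findings

def wrapper_findings(st):
    """The suexec wrapper itself must be root-owned with the setuid bit set."""
    findings = []
    if st.st_uid != 0:
        findings.append("wrapper not owned by root")
    if not st.st_mode & stat.S_ISUID:
        findings.append("wrapper lacks setuid bit (u+s)")
    return findings

def audit(path, docroot, want_uid, want_gid):
    """Run the target checks against the real files on disk."""
    return suexec_findings(path, docroot, want_uid, want_gid,
                           os.stat(path), os.stat(os.path.dirname(path)))

if __name__ == "__main__":
    # Constructed sample: uid/gid and paths as they appear in the thread's suexec_log.
    cgi = SimpleNamespace(st_mode=stat.S_IFREG | 0o750, st_uid=10023, st_gid=10001)
    d = SimpleNamespace(st_mode=stat.S_IFDIR | 0o750, st_uid=10023, st_gid=10001)
    p = "/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/cgibotones.exe"
    print(suexec_findings(p, "/var/www/vhosts", 10023, 10001, cgi, d))
    print(wrapper_findings(SimpleNamespace(st_mode=stat.S_IFREG | 0o711, st_uid=0)))
```

On a live host, `audit()` stats the actual CGI and its directory, and `wrapper_findings(os.stat(...))` can be pointed at the installed suexec binary.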
 

Author Comment

by:agubaira
ID: 17804365
Ok. I made the following changes and the scripts work!

suexec is: -rwx--x--x root root
script directory is: -rwxr-x--- panda apache
script files are: -rwxr-x--- panda apache         (panda is the owner of the process)

However when I restart apache I get the SuexecUserGroup warning, unless I chmod u+s suexec; but if I do then the scripts fail to work with an "internal server error"
I don't understand a thing...

The httpd -l command only shows the compiled modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c
 
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17804431
And nothing new in the log? Then I don't know.
0
 

Author Comment

by:agubaira
ID: 17805257
Well, suexec_log has some new stuff. The thing is that I was making changes and don't know when the error occurred. I suppose that when the "internal server" error appeared (by changing chmod u+s on suexec):

[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgiframeizquierdo.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/cgiframeizquierdo.exe)
[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgibotones.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/cgibotones.exe)
[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: VentanaPrincipal.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/VentanaPrincipal.exe)

AND

[2006-10-25 11:35:29]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgiframeizquierdo.exe
[2006-10-25 11:35:29]: cannot get docroot information (/var/www/vhosts)
[2006-10-25 11:35:30]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgibotones.exe
[2006-10-25 11:35:30]: cannot get docroot information (/var/www/vhosts)
[2006-10-25 11:35:30]: uid: (10023/cortilista) gid: (10001/10001) cmd: VentanaPrincipal.exe
[2006-10-25 11:35:30]: cannot get docroot information (/var/www/vhosts)

However, you led me to the solution and you got your points and Grade A.

Thank you so much!
0
