Solved

403 Forbidden error when running .exe scripts

Posted on 2006-10-23
Last Modified: 2007-11-27
Hi,

I have a serious problem when trying to execute scripts on my Fedora Core 4 server with Plesk 8 installed. I have defined a ScriptAlias directory in httpd.conf (really an include file called from httpd.conf) like this:

ScriptAlias /pav_qmail/scripts/ "/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/"
<Directory "/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts">
      AllowOverride None
      Options -Indexes Includes ExecCGI
      AddHandler cgi-script .cgi .exe
      Order allow,deny
      Allow from all
</Directory>

chmod is 750 for the script directory and 755 for the scripts themselves.
chown is <website administrator> and chgrp is "psacln" as suggested by Plesk.
There are no .htaccess files defined.

The exact error message I'm getting in IE 6 is:

"Forbidden
You don't have permission to access /pav_qmail/scripts/VentanaPrincipal.exe on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."

"VentanaPrincipal.exe" is one of the .exe scripts that try to execute.

Can someone help me with this ?

Thanks,
Antonio


0
Comment
Question by:agubaira
12 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 17793950
> chmod is 750 for the script directory and 755 for the scripts themselves.
> chown is <website administrator> and chgrp is "psacln" as suggested by Plesk.
It says that only the owner and group are allowed to execute such a script.
But is your Apache running under the <website administrator> user or the psacln group? Usually it runs as apache:apache. In such a case it's not allowed to execute the file (chmod 0755 would help).
Or are you using suexec for CGI scripts?
0
 

Author Comment

by:agubaira
ID: 17795558
Changing to 755 gives me a server misconfiguration error.
How do I know which user/group Apache is running under? I guess it's psacln, because the Plesk forum suggests it. If I change the group to something else, I also get a server misconfiguration.

And yes, the server uses suexec for cgi scripts. This file is owned by root:apache and has the following attributes: -r-s--x---

Thanks
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17795682
Please refer to Apache's error log to get the real error message.
0
 

Author Comment

by:agubaira
ID: 17796550
error_log:

[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/cgiframeizquierdo.exe denied, referer: http://www.mydomain.com/pav_qmail/html/inicio.html 
[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/cgibotones.exe denied, referer: http://www.mydomain.com/pav_qmail/html/derechoprincipalcastellano.html 
[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/VentanaPrincipal.exe denied, referer: http://www.mydomain.com/pav_qmail/html/derechoprincipalcastellano.html 
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17797102
Looks like suexec is not in use.
Error 13 simply means that the owner/group/permissions are unsuitable for the apache user to execute the script.
For testing purposes, try chowning the file to the apache user.
0
 

Author Comment

by:agubaira
ID: 17797383
Ok. I chowned "suexec" in both /usr/bin and /usr/sbin directories to "apache" user, restarted Apache and reproduced the error (13).

It comes to my attention that suexec_log file is not being updated.
0

 
LVL 43

Expert Comment

by:ravenpl
ID: 17797490
No, not the suexec!
Change the owner of /pav_qmail/scripts/cgiframeizquierdo.exe and the others...
0
 

Author Comment

by:agubaira
ID: 17799414
Sorry. Now I changed ownership of .exe scripts and the problem remains the same. I found the following line in the error log:

Warning: SuexecUserGroup directive requires SUEXEC wrapper.

Looks like suexec is not present. What do you think? Please confirm the ownership and permissions of this binary.

Thanks
0
 
LVL 43

Accepted Solution

by:
ravenpl earned 500 total points
ID: 17801255
OK, let's straighten some things out first. The suexec binary should look like
-rws--x--x  1 root root 11388 Jun  2  2005 suexec
httpd -l (or: apache2 -l) should show that suexec is enabled and valid.

Then each .exe should not be suid/sgid, and should be executable for all, or at least for apache and the owner itself. If it's a script (like perl or bash), it also has to be readable by apache and the owner.

Each VirtualHost directive should contain the target user/group for execution. The owner/group of the exe file has to match those.
User  username
Group groupname
suexec performs many checks on the config and the file to execute; refer to http://httpd.apache.org/docs/2.0/suexec.html

In case suexec is not enabled (but if you use SuexecUserGroup you expect it to be), then the exe has to be readable/executable by the apache user (and not the owner of the web folder).
0
 

Author Comment

by:agubaira
ID: 17804365
Ok. I made the following changes and the scripts work !

suexec is: -rwx--x--x root root
script directory is: -rwxr-x--- panda apache
script files are: -rwxr-x--- panda apache         (panda is the owner of the process)

However when I restart apache I get the SuexecUserGroup warning, unless I chmod u+s suexec; but if I do then the scripts fail to work with an "internal server error"
I don't understand a thing...

The httpd -l command only shows the compiled modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c
 
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17804431
And nothing new in the log? Then I don't know.
0
 

Author Comment

by:agubaira
ID: 17805257
Well, suexec_log has some new stuff. The thing is that I was making changes and don't know when the error occurred. I suppose it was when the "internal server" error appeared (by changing chmod u+s on suexec):

[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgiframeizquierdo.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/cgiframeizquierdo.exe)
[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgibotones.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/cgibotones.exe)
[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: VentanaPrincipal.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/VentanaPrincipal.exe)

AND

[2006-10-25 11:35:29]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgiframeizquierdo.exe
[2006-10-25 11:35:29]: cannot get docroot information (/var/www/vhosts)
[2006-10-25 11:35:30]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgibotones.exe
[2006-10-25 11:35:30]: cannot get docroot information (/var/www/vhosts)
[2006-10-25 11:35:30]: uid: (10023/cortilista) gid: (10001/10001) cmd: VentanaPrincipal.exe
[2006-10-25 11:35:30]: cannot get docroot information (/var/www/vhosts)

However, you led me to the solution and you got your points and Grade A.

Thank you so much !
0
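
The conditions discussed in this thread (suexec wrapper setuid root, script not setuid/setgid and executable, owner and group matching the virtual host's user and group, and the "command not in docroot" failure seen in suexec_log) can be checked before restarting Apache. The Python below is an added example, not part of the original thread and not Apache's own code; `suexec_preflight` is a hypothetical helper that covers only a subset of the checks in the suexec documentation linked in the accepted answer, and it resolves paths with realpath as a simplification.

```python
import os
import stat

def suexec_preflight(script, docroot, uid, gid, wrapper=None):
    """Hypothetical helper: list the reasons suexec would refuse `script`.

    docroot is the directory suexec was compiled with (the thread's
    suexec_log shows /var/www/vhosts); uid/gid are the numeric ids
    behind the virtual host's SuexecUserGroup setting.
    """
    problems = []
    if wrapper is not None:
        w = os.stat(wrapper)
        # The accepted answer expects "-rws--x--x root root" on the wrapper.
        if w.st_uid != 0 or not w.st_mode & stat.S_ISUID:
            problems.append("wrapper is not setuid root")
    real_script = os.path.realpath(script)
    real_root = os.path.realpath(docroot)
    # suexec only runs programs that live under its compiled-in docroot.
    if os.path.commonpath([real_script, real_root]) != real_root:
        problems.append("command not in docroot")
    for label, path in (("directory", os.path.dirname(real_script)),
                        ("script", real_script)):
        st = os.stat(path)
        if (st.st_uid, st.st_gid) != (uid, gid):
            problems.append(f"{label} owner/group does not match target user/group")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{label} is writable by group or others")
    st = os.stat(real_script)
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("script is setuid/setgid")
    if not st.st_mode & stat.S_IXUSR:
        problems.append("script is not executable by its owner")
    return problems

if __name__ == "__main__":
    import sys
    # usage: preflight.py SCRIPT DOCROOT UID GID [WRAPPER]
    script, docroot, user_uid, user_gid = sys.argv[1:5]
    wrapper = sys.argv[5] if len(sys.argv) > 5 else None
    for p in suexec_preflight(script, docroot, int(user_uid), int(user_gid), wrapper):
        print("FAIL:", p)
```

Run against the layout in this thread, a script under /opt/pandasoftware with a docroot of /var/www/vhosts reports "command not in docroot", which is the same refusal recorded in suexec_log.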
