Solved

403 Forbidden error when running .exe scripts

Posted on 2006-10-23
12
821 Views
Last Modified: 2007-11-27
Hi,

I have a serious problem when trying to execute scripts on my Fedora Core 4 server with Plesk 8 installed. I have defined a ScriptAlias directory in httpd.conf (really an include file called from httpd.conf) like this:

ScriptAlias /pav_qmail/scripts/ "/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/"
<Directory "/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts">
      AllowOverride None
      Options -Indexes Includes ExecCGI
      AddHandler cgi-script .cgi .exe
      Order allow,deny
      Allow from all
</Directory>

chmod is 750 for the script directory and 755 for the scripts themselves.
chown is <website administrator> and chgrp is "psacln" as suggested by Plesk.
There are no .htaccess files defined.

The exact error message I'm getting in IE 6 is:

"Forbidden
You don't have permission to access /pav_qmail/scripts/VentanaPrincipal.exe on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."

"VentanaPrincipal.exe" is one of the .exe scripts that try to execute.

Can someone help me with this ?

Thanks,
Antonio


0
Comment
Question by:agubaira
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
12 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 17793950
> chmod is 750 for the script directory and 755 for the scripts themselves.
> chown is <website administrator> and chgrp is "psacln" as suggested by Plesk.
it says that only owner and group is allowed to execute such script.
But is Your apache running under <website administrator> user or  psacin group? Usually it runs at apache:apache. In such case it's not allowed to execute the file (chmod 0755 would help).
Or You are using suexec for cgi scrips?
0
 

Author Comment

by:agubaira
ID: 17795558
Changing to 755 gives me a server misconfiguration error.
How do I know under which user/group is Apache running ? I guess it's psacln,  because the Plesk forum suggests it. If I change the group to something eles, I also get a server misconfiguration.

And yes, the server uses suexec for cgi scripts. This file is owned by root:apache and has the following attributes: -r-s--x---

Thanks
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17795682
Please refer apache's errorlog to get the real errormessage.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:agubaira
ID: 17796550
error_log:

[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/cgiframeizquierdo.exe denied, referer: http://www.mydomain.com/pav_qmail/html/inicio.html 
[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/cgibotones.exe denied, referer: http://www.mydomain.com/pav_qmail/html/derechoprincipalcastellano.html 
[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/VentanaPrincipal.exe denied, referer: http://www.mydomain.com/pav_qmail/html/derechoprincipalcastellano.html 
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17797102
Looks like suexec is not in use.
error 13 simply means that owner/group/permissions are unsuitable for apache user to execute the script.
For testing purpose try chowning the file to apache user.
0
 

Author Comment

by:agubaira
ID: 17797383
Ok. I chowned "suexec" in both /usr/bin and /usr/sbin directories to "apache" user, restarted Apache and reproduced the error (13).

It comes to my attention that suexec_log file is not being updated.
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17797490
No, not the suexec !
change owner of the /pav_qmail/scripts/cgiframeizquierdo.exe and others...
0
 

Author Comment

by:agubaira
ID: 17799414
Sorry. Now I changed ownership of .exe scripts and the problem remains the same. I found the following line in the error log:

Warning: SuexecUserGroup directive requires SUEXEC wrapper.

Looks like suexec is not present. What do you think ? Please confirm ownership and permits of this binary.

Thanks
0
 
LVL 43

Accepted Solution

by:
ravenpl earned 500 total points
ID: 17801255
OK, let's stright some thing first. The suexec binary should look like
-rws--x--x  1 root root 11388 Jun  2  2005 suexec
httpd -l (OR: apache2 -l) should show that suexec is enabled and valid

then each .exe should not be sui/sgid, and should be executeable for all or at least for apache and the owner itself. If it's script(like perl or bash) it also has to be readable by the apache and the owner.

each VirtualHost directive should contain the target user/group for execution. The owner/group of the exe file have to match those.
User  username
Group groupname
The suexec performs many checks on the config and file to execute - refer http://httpd.apache.org/docs/2.0/suexec.html

In case suexec is not enabled (but if You use SuexecUserGroup You expect it to be), then the exe have to be read/execute by apache user (and not the owner of webfolder).
0
 

Author Comment

by:agubaira
ID: 17804365
Ok. I made the following changes and the scripts work !

suexec is: -rwx--x--x root root
script directory is: -rwxr-x--- panda apache
script files are: -rwxr-x--- panda apache         (panda is the owner of the process)

However when I restart apache I get the SuexecUserGroup warning, unless I chmod u+s suexec; but if I do then the scripts fail to work with an "internal server error"
I don't understand a thing...

The httpd -l command only shows the compiled modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c
 
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17804431
And nothing new in the log? Then I don't know.
0
 

Author Comment

by:agubaira
ID: 17805257
Well suexec_log has some new stuff. The thing is that I was making changes and don't know when the error ocurred. I suppose that when the "internal server" error appeared (by changing chmod u+s on suexec):

[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgiframeizquierdo.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/cgiframeizquierdo.exe)
[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgibotones.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/cgibotones.exe)
[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: VentanaPrincipal.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/VentanaPrincipal.exe)

AND

[2006-10-25 11:35:29]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgiframeizquierdo.exe
[2006-10-25 11:35:29]: cannot get docroot information (/var/www/vhosts)
[2006-10-25 11:35:30]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgibotones.exe
[2006-10-25 11:35:30]: cannot get docroot information (/var/www/vhosts)
[2006-10-25 11:35:30]: uid: (10023/cortilista) gid: (10001/10001) cmd: VentanaPrincipal.exe
[2006-10-25 11:35:30]: cannot get docroot information (/var/www/vhosts)

However you lead me to the solution and you got your points and Grade A.

Thank you so much !
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In my time as an SEO for the last 2 years and in the questions I have assisted with on here I have always seen the need to redirect from non-www urls to their www versions. For instance redirecting http://domain.com (http://domain.com) to http…
Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question