Solved

403 Forbidden error when running .exe scripts

Posted on 2006-10-23
Last Modified: 2007-11-27
Hi,

I have a serious problem when trying to execute scripts on my Fedora Core 4 server with Plesk 8 installed. I have defined a ScriptAlias directory in httpd.conf (really an include file called from httpd.conf) like this:

ScriptAlias /pav_qmail/scripts/ "/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/"
<Directory "/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts">
      AllowOverride None
      Options -Indexes Includes ExecCGI
      AddHandler cgi-script .cgi .exe
      Order allow,deny
      Allow from all
</Directory>

chmod is 750 for the script directory and 755 for the scripts themselves.
chown is <website administrator> and chgrp is "psacln" as suggested by Plesk.
There are no .htaccess files defined.

The exact error message I'm getting in IE 6 is:

"Forbidden
You don't have permission to access /pav_qmail/scripts/VentanaPrincipal.exe on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."

"VentanaPrincipal.exe" is one of the .exe scripts that try to execute.

Can someone help me with this ?

Thanks,
Antonio


0
Question by:agubaira
12 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 17793950
> chmod is 750 for the script directory and 755 for the scripts themselves.
> chown is <website administrator> and chgrp is "psacln" as suggested by Plesk.
It says that only the owner and group are allowed to execute such a script.
But is your Apache running under the <website administrator> user or the psacln group? Usually it runs as apache:apache. In that case it's not allowed to execute the file (chmod 0755 would help).
Or are you using suexec for CGI scripts?
0
 

Author Comment

by:agubaira
ID: 17795558
Changing to 755 gives me a server misconfiguration error.
How do I know under which user/group Apache is running? I guess it's psacln, because the Plesk forum suggests it. If I change the group to something else, I also get a server misconfiguration.

And yes, the server uses suexec for cgi scripts. This file is owned by root:apache and has the following attributes: -r-s--x---

Thanks
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17795682
Please refer to Apache's error log to get the real error message.
0

Author Comment

by:agubaira
ID: 17796550
error_log:

[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/cgiframeizquierdo.exe denied, referer: http://www.mydomain.com/pav_qmail/html/inicio.html 
[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/cgibotones.exe denied, referer: http://www.mydomain.com/pav_qmail/html/derechoprincipalcastellano.html 
[Tue Oct 24 11:00:47 2006] [error] [client 201.249.39.181] (13)Permission denied: access to /pav_qmail/scripts/VentanaPrincipal.exe denied, referer: http://www.mydomain.com/pav_qmail/html/derechoprincipalcastellano.html 
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17797102
Looks like suexec is not in use.
Error 13 simply means that the owner/group/permissions are unsuitable for the apache user to execute the script.
For testing purposes, try chowning the file to the apache user.
0
 

Author Comment

by:agubaira
ID: 17797383
Ok. I chowned "suexec" in both /usr/bin and /usr/sbin directories to "apache" user, restarted Apache and reproduced the error (13).

It comes to my attention that suexec_log file is not being updated.
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17797490
No, not the suexec!
Change the owner of /pav_qmail/scripts/cgiframeizquierdo.exe and the others...
0
 

Author Comment

by:agubaira
ID: 17799414
Sorry. Now I changed ownership of .exe scripts and the problem remains the same. I found the following line in the error log:

Warning: SuexecUserGroup directive requires SUEXEC wrapper.

Looks like suexec is not present. What do you think? Please confirm ownership and permissions of this binary.

Thanks
0
 
LVL 43

Accepted Solution

by:
ravenpl earned 500 total points
ID: 17801255
OK, let's straighten some things out first. The suexec binary should look like
-rws--x--x  1 root root 11388 Jun  2  2005 suexec
httpd -l (OR: apache2 -l) should show that suexec is enabled and valid

Then each .exe should not be suid/sgid, and should be executable for all or at least for apache and the owner itself. If it's a script (like perl or bash) it also has to be readable by apache and the owner.

Each VirtualHost directive should contain the target user/group for execution. The owner/group of the exe file have to match those.
User  username
Group groupname
suexec performs many checks on the config and the file to execute - refer to http://httpd.apache.org/docs/2.0/suexec.html

In case suexec is not enabled (but if you use SuexecUserGroup you expect it to be), then the exe has to be readable/executable by the apache user (and not the owner of the webfolder).
0
 

Author Comment

by:agubaira
ID: 17804365
Ok. I made the following changes and the scripts work !

suexec is: -rwx--x--x root root
script directory is: -rwxr-x--- panda apache
script files are: -rwxr-x--- panda apache         (panda is the owner of the process)

However when I restart apache I get the SuexecUserGroup warning, unless I chmod u+s suexec; but if I do then the scripts fail to work with an "internal server error"
I don't understand a thing...

The httpd -l command only shows the compiled modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c
 
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17804431
And nothing new in the log? Then I don't know.
0
 

Author Comment

by:agubaira
ID: 17805257
Well, suexec_log has some new stuff. The thing is that I was making changes and don't know when the error occurred. I suppose that when the "internal server" error appeared (by changing chmod u+s on suexec):

[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgiframeizquierdo.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/cgiframeizquierdo.exe)
[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgibotones.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/cgibotones.exe)
[2006-10-25 11:03:15]: uid: (10023/cortilista) gid: (10001/10001) cmd: VentanaPrincipal.exe
[2006-10-25 11:03:15]: command not in docroot (/opt/pandasoftware/lib/pav_qmail/cgi-bin/scripts/VentanaPrincipal.exe)

AND

[2006-10-25 11:35:29]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgiframeizquierdo.exe
[2006-10-25 11:35:29]: cannot get docroot information (/var/www/vhosts)
[2006-10-25 11:35:30]: uid: (10023/cortilista) gid: (10001/10001) cmd: cgibotones.exe
[2006-10-25 11:35:30]: cannot get docroot information (/var/www/vhosts)
[2006-10-25 11:35:30]: uid: (10023/cortilista) gid: (10001/10001) cmd: VentanaPrincipal.exe
[2006-10-25 11:35:30]: cannot get docroot information (/var/www/vhosts)

However you lead me to the solution and you got your points and Grade A.

Thank you so much !
0
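
Added example (not part of the original thread, and not Apache's own code): a shell pre-flight check that approximates a few of the tests suexec applies before running a CGI, including the two conditions behind the suexec_log lines above ("command not in docroot" and "cannot get docroot information"). The function name `suexec_precheck` and its arguments are assumptions made for illustration; the docroot to pass is the one suexec was built with, which the log above shows as /var/www/vhosts.

```shell
#!/bin/sh
# Added example: approximates a few of suexec's checks; not Apache's own code.
# Usage: suexec_precheck SCRIPT DOCROOT USER GROUP   (hypothetical helper)
# Prints one line per failed check; returns 0 only when every check passes.
suexec_precheck() {
    script=$1 docroot=$2 want_user=$3 want_group=$4
    fail=0
    [ -f "$script" ] || { echo "not a regular file: $script"; return 1; }

    # Resolve symlinks so the comparison is made on real paths.
    dir=$(cd "$(dirname "$script")" && pwd -P) || return 1
    root=$(cd "$docroot" 2>/dev/null && pwd -P) ||
        { echo "cannot get docroot information ($docroot)"; return 1; }

    # The script's directory must be the docroot or lie beneath it.
    case "$dir/" in
        "$root"/*) ;;
        *) echo "command not in docroot ($script)"; fail=1 ;;
    esac

    # setuid/setgid targets are refused.
    if [ -u "$script" ] || [ -g "$script" ]; then
        echo "file is setuid or setgid ($script)"; fail=1
    fi

    # Neither the script nor its directory may be group- or world-writable.
    for p in "$script" "$dir"; do
        mode=$(ls -ld "$p" | cut -c1-10)
        case "$mode" in
            ?????w????|????????w?) echo "writable by others ($p)"; fail=1 ;;
        esac
    done

    # Owner and group must match the user/group the request runs as.
    set -- $(ls -ld "$script")
    if [ "$3" != "$want_user" ] || [ "$4" != "$want_group" ]; then
        echo "owner $3:$4 does not match $want_user:$want_group"; fail=1
    fi
    return $fail
}
```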
