• Status: Solved

How do you set up Apache web server to open files for writing using CGI scripts?

I am trying to open a file for writing using a CGI script but I am getting a "Permission denied" error.  What do I need to do to write files with the Apache web server?  I set the directory and file permissions to 755 but this does not work.
Asked:
marcus_carey
 
Tintin Commented:
What owner do you have on the directory with 755 perms?  Remember the apache owner will generally be nobody, httpd, or apache.
 
marcus_carey (Author) Commented:
I had set it to apache.
 
Tintin Commented:
Is 'apache' the owner the web server process runs under?
Do you have suexec configured?
 
terrydavis Commented:
Hello,

ps xauwww | grep httpd

Look at the process owner of the httpd processes.   Your file needs to be owned by this person.  
chown apache:apache file

If you have control over the permissions and ownership of this file, suexec is not needed.  


Thanks,
Terry
 
marcus_carey (Author) Commented:
Here is the output from the grep.

[root@localhost cgi-bin]# ps xauwww | grep httpd
root      9216  0.0  0.0   4044   680 pts/1    R+   17:20   0:00 grep httpd
root     19953  0.0  1.0  27092 10556 ?        Ss   09:39   0:00 /usr/sbin/httpd
apache   19970  0.0  0.5  27092  6068 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19971  0.0  0.5  27092  6052 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19972  0.0  0.5  27092  6068 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19973  0.0  0.5  27092  6068 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19974  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19975  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19976  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19977  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
 
marcus_carey (Author) Commented:
Which file are you talking about?  
 
terrydavis Commented:
If you are trying to edit an existing file, the apache user needs permissions to that file:
chown apache file
chmod 644 file

If you are creating a new file, the apache user needs permissions to the directory.   Use the same logic as above to set permissions on the directory.
 
Tintin Commented:
Does the file you are trying to write to exist or not?  If it exists, is it owned by apache?

If so, then it may be SELINUX restricting it.

What's the output of

grep SELINUX /etc/selinux/config
 
marcus_carey (Author) Commented:
suexec is enabled

[Tue Nov 20 09:39:15 2007] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Nov 20 09:39:15 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
 
Tintin Commented:
Unless you really know what you're doing, having SELINUX can be a real pain in the side.  I'd disable it unless you have a strong need for it to be enabled.

 
marcus_carey (Author) Commented:
Here is the output of the config

[root@localhost ~]# grep SELINUX /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted

 
 
terrydavis Commented:
I would advise you to set selinux to permissive while you test your script.  Once you have it working, configure selinux to allow your cgi to do its work and set it back to enforcing.  You can do this in /etc/selinux/config.

 
marcus_carey (Author) Commented:
The CGI script opens a file for writing.  I have apache installed on my pc for testing and debugging cgi scripts.  

drwxr-xr-x  apache apache system_u:object_r:user_home_t:s0 sessions
 
marcus_carey (Author) Commented:
I just got an AVC denial pop-up window

Summary
    SELinux prevented httpd reading and writing access to http files.

Detailed Description
    SELinux prevented httpd reading and writing access to http files. Ordinarily
    httpd is allowed full access to all files labeled with http file context.
    This machine has a tightened security policy with the httpd_unified turned
    off, this requires explicit labeling of all files.  If a file is a cgi
    script it needs to be labeled with httpd_TYPE_script_exec_t in order to be
    executed.  If it is read-only content, it needs to be labeled
    httpd_TYPE_content_t, it is writable content. it needs to be labeled
    httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
    command to change these contexts.  Please refer to the man page "man
    httpd_selinux" or http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
    refers to one of "sys", "user" or "staff" or potentially other script types.

Allowing Access
    Changing the "httpd_unified" boolean to true will allow this access:
    "setsebool -P httpd_unified=1"

    The following command will allow this access:
    setsebool -P httpd_unified=1

Additional Information        

Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:httpd_sys_script_exec_t:s0
Target Objects                None [ dir ]
Affected RPM Packages        
Policy RPM                    selinux-policy-3.0.8-53.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_unified
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP
                              Tue Oct 30 13:55:12 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Tue 20 Nov 2007 06:50:21 PM EST
Last Seen                     Tue 20 Nov 2007 06:50:21 PM EST
Local ID                      76c45bef-fb7f-44b8-8651-85bf1c84346f
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=Store dev=dm-0 name=cgi-bin pid=13296
scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=dir
tcontext=system_u:object_r:httpd_sys_script_exec_t:s0
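
Added example, not part of any post in this thread: a small Python parser for the raw AVC message quoted above. It extracts the source and target SELinux types and, for a CGI-script write denial, builds the `chcon` command for the writable label the alert text names (`httpd_TYPE_script_rw_t`); the function names and the `/path/to/sessions` directory are assumptions.

```python
import re
import shlex

# Constructed sample: the raw audit message quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    "avc: denied { write } for comm=Store dev=dm-0 name=cgi-bin pid=13296 "
    "scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=dir "
    "tcontext=system_u:object_r:httpd_sys_script_exec_t:s0"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# Permissions that mean "the process tried to modify the object".
WRITE_PERMS = {"write", "append", "create", "add_name", "remove_name", "unlink", "setattr"}


def parse_avc(text):
    """Parse one AVC denial into a dict of its fields plus the two SELinux types."""
    match = AVC_RE.search(" ".join(text.split()))  # tolerate wrapped lines
    if not match:
        raise ValueError("no AVC denial found")
    fields = {}
    for token in match.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value.strip('"')  # audit.log quotes some values
    missing = {"scontext", "tcontext", "tclass"} - set(fields)
    if missing:
        raise ValueError(f"AVC record lacks {sorted(missing)}")
    fields["perms"] = match.group("perms").split()
    # A context is user:role:type[:level]; the type is what policy rules match on.
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields


def suggest_label(avc, data_dir):
    """Return a chcon command for data_dir, or None if this is not a CGI write denial."""
    domain = re.fullmatch(r"httpd_([a-z0-9]+)_script_t", avc["source_type"])
    if not domain or not WRITE_PERMS & set(avc["perms"]):
        return None
    rw_type = f"httpd_{domain.group(1)}_script_rw_t"
    if avc["target_type"] == rw_type:
        return None  # label already correct: check Unix ownership/mode instead
    return f"chcon -R -t {rw_type} {shlex.quote(data_dir)}"


if __name__ == "__main__":
    print(suggest_label(parse_avc(SAMPLE_AVC), "/path/to/sessions"))  # placeholder path
```

A label set with `chcon` is lost on a filesystem relabel; `semanage fcontext` followed by `restorecon` records it in policy.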
