Solved

How do you set up Apache web server to open files for writing using CGI scripts?

Posted on 2007-11-20
Last Modified: 2013-12-25
I am trying to open a file for writing using a CGI script but I am getting a "Permission denied" error. What do I need to do to write files with the Apache web server? I set the directory and file permissions to 755 but this does not work.
0
Comment
Question by:marcus_carey
14 Comments
 
LVL 48

Expert Comment

by:Tintin
ID: 20324539
What owner do you have on the directory with 755 perms?  Remember the apache owner will generally be nobody, httpd, or apache.
0
 

Author Comment

by:marcus_carey
ID: 20324716
I had set it to apache.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 20324783
Is 'apache' the owner the web server process runs under?
Do you have suexec configured?
0
 
LVL 2

Expert Comment

by:terrydavis
ID: 20324838
Hello,

ps xauwww | grep httpd

Look at the process owner of the httpd processes.   Your file needs to be owned by this person.  
chown apache:apache file

If you have control over the permissions and ownership of this file, suexec is not needed.  


Thanks,
Terry
0
 

Author Comment

by:marcus_carey
ID: 20324860
Here is the output from the grep.

[root@localhost cgi-bin]# ps xauwww | grep httpd
root      9216  0.0  0.0   4044   680 pts/1    R+   17:20   0:00 grep httpd
root     19953  0.0  1.0  27092 10556 ?        Ss   09:39   0:00 /usr/sbin/httpd
apache   19970  0.0  0.5  27092  6068 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19971  0.0  0.5  27092  6052 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19972  0.0  0.5  27092  6068 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19973  0.0  0.5  27092  6068 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19974  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19975  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19976  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19977  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
0
 

Author Comment

by:marcus_carey
ID: 20324861
Which file are you talking about?  
0
 
LVL 2

Expert Comment

by:terrydavis
ID: 20324888
If you are trying to edit an existing file, the apache user needs permissions to that file:
chown apache file
chmod 644 file

If you are creating a new file, the apache user needs permissions to the directory.   Use same logic above to set permissions to the directory.
0

 
LVL 48

Accepted Solution

by:
Tintin earned 250 total points
ID: 20324906
Does the file you are trying to write to exist or not?  If it exists, is it owned by apache?

If so, then it may be SELINUX restricting it.

What's the output of

grep SELINUX /etc/selinux/config
0
 

Author Comment

by:marcus_carey
ID: 20324924
suexec is enabled

[Tue Nov 20 09:39:15 2007] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Nov 20 09:39:15 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
0
 
LVL 48

Expert Comment

by:Tintin
ID: 20325132
Unless you really know what you're doing, having SELINUX can be a real pain in the side.  I'd disable it unless you have a strong need for it to be enabled.

0
 

Author Comment

by:marcus_carey
ID: 20325153
Here is the output of the config

[root@localhost ~]# grep SELINUX /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted

 
0
 
LVL 2

Assisted Solution

by:terrydavis
terrydavis earned 250 total points
ID: 20325165
I would advise you to set selinux to permissive while you test your script.  Once you have it working, configure selinux to allow your cgi to do its work and set it back to enforcing.  You can do this in /etc/selinux/config.

0
 

Author Comment

by:marcus_carey
ID: 20325185
The CGI script opens a file for writing.  I have apache installed on my pc for testing and debugging cgi scripts.  

drwxr-xr-x  apache apache system_u:object_r:user_home_t:s0 sessions
0
 

Author Comment

by:marcus_carey
ID: 20325197
I just got an AVC denial pop-up window

Summary
    SELinux prevented httpd reading and writing access to http files.

Detailed Description
    SELinux prevented httpd reading and writing access to http files. Ordinarily
    httpd is allowed full access to all files labeled with http file context.
    This machine has a tightened security policy with the httpd_unified turned
    off, this requires explicit labeling of all files.  If a file is a cgi
    script it needs to be labeled with httpd_TYPE_script_exec_t in order to be
    executed.  If it is read-only content, it needs to be labeled
    httpd_TYPE_content_t, it is writable content. it needs to be labeled
    httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
    command to change these contexts.  Please refer to the man page "man
    httpd_selinux" or http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
    refers to one of "sys", "user" or "staff" or potentially other script types.

Allowing Access
    Changing the "httpd_unified" boolean to true will allow this access:
    "setsebool -P httpd_unified=1"

    The following command will allow this access:
    setsebool -P httpd_unified=1

Additional Information        

Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:httpd_sys_script_exec_t:s0
Target Objects                None [ dir ]
Affected RPM Packages        
Policy RPM                    selinux-policy-3.0.8-53.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_unified
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP
                              Tue Oct 30 13:55:12 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Tue 20 Nov 2007 06:50:21 PM EST
Last Seen                     Tue 20 Nov 2007 06:50:21 PM EST
Local ID                      76c45bef-fb7f-44b8-8651-85bf1c84346f
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=Store dev=dm-0 name=cgi-bin pid=13296
scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=dir
tcontext=system_u:object_r:httpd_sys_script_exec_t:s0

0
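
The alert in the last comment names a per-file fix (labelling writable content httpd_TYPE_script_rw_t with chcon) alongside the global httpd_unified boolean. The script below is an added example, not part of the thread: it parses the raw AVC record from that alert and prints the narrowly scoped chcon command. The helper function names and the path /var/www/sessions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read one AVC record and propose a narrowly scoped label.
# Record copied from the alert in this thread, joined onto one line.
AVC='avc: denied { write } for comm=Store dev=dm-0 name=cgi-bin pid=13296 scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=dir tcontext=system_u:object_r:httpd_sys_script_exec_t:s0'

# avc_field KEY RECORD: value of the first KEY=value token
avc_field() { printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1; }

# avc_perms RECORD: the permissions listed between { and }
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p'; }

# ctx_type CONTEXT: third field of user:role:type:level
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# suggest_label RECORD: writable-content type for the denied script domain,
# following the httpd_TYPE_script_rw_t / _ra_t naming in the alert text.
suggest_label() {
    src=$(ctx_type "$(avc_field scontext "$1")")
    case "$src" in httpd_*_script_t) ;; *) return 1 ;; esac
    kind=${src#httpd_}; kind=${kind%_script_t}
    case " $(avc_perms "$1") " in
        *" write "*)  echo "httpd_${kind}_script_rw_t" ;;
        *" append "*) echo "httpd_${kind}_script_ra_t" ;;
        *) return 1 ;;
    esac
}

# relabel_command DATA_DIR RECORD: print (do not run) the chcon command.
# DATA_DIR should be a directory that holds only data: if the denied target
# is the script directory itself, relabelling it would make the scripts
# writable by the scripts, so a separate directory is the safer target.
relabel_command() {
    label=$(suggest_label "$2") || { echo "no suggestion for this record"; return 1; }
    tgt=$(ctx_type "$(avc_field tcontext "$2")")
    case "$tgt" in
        *_script_exec_t) echo "# target is labelled $tgt: keep it, label the data directory instead" ;;
    esac
    echo "chcon -R -t $label $1"
}

# /var/www/sessions is a placeholder path, not taken from the thread.
relabel_command /var/www/sessions "$AVC"
```

A label set with chcon is lost on a filesystem relabel; `semanage fcontext -a -t` followed by `restorecon -R` records it in policy. Newer policy releases name this type httpd_sys_rw_content_t.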
