How do you set up Apache web server to open files for writing using CGI scripts?

Posted on 2007-11-20
Last Modified: 2013-12-25
I am trying to open a file for writing using a CGI script but I am getting a "Permission denied" error. What do I need to do to write files with the Apache web server? I set the directory and file permissions to 755 but this does not work.
Question by:marcus_carey
14 Comments
 
LVL 48

Expert Comment

by:Tintin
ID: 20324539
What owner do you have on the directory with 755 perms?  Remember the apache owner will generally be nobody, httpd, or apache.
0
 

Author Comment

by:marcus_carey
ID: 20324716
I had set to apache.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 20324783
Is 'apache' the owner the web server process runs under?
Do you have suexec configured?
0
 
LVL 2

Expert Comment

by:terrydavis
ID: 20324838
Hello,

ps xauwww | grep httpd

Look at the process owner of the httpd processes.   Your file needs to be owned by this person.  
chown apache:apache file

If you have control over the permissions and ownership of this file, suexec is not needed.  


Thanks,
Terry
0
 

Author Comment

by:marcus_carey
ID: 20324860
Here is the output from the grep.

[root@localhost cgi-bin]# ps xauwww | grep httpd
root      9216  0.0  0.0   4044   680 pts/1    R+   17:20   0:00 grep httpd
root     19953  0.0  1.0  27092 10556 ?        Ss   09:39   0:00 /usr/sbin/httpd
apache   19970  0.0  0.5  27092  6068 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19971  0.0  0.5  27092  6052 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19972  0.0  0.5  27092  6068 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19973  0.0  0.5  27092  6068 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19974  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19975  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19976  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19977  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
0
 

Author Comment

by:marcus_carey
ID: 20324861
Which file are you talking about?  
0
 
LVL 2

Expert Comment

by:terrydavis
ID: 20324888
If you are trying to edit an existing file, the apache user needs permissions to that file:
chown apache file
chmod 644 file

If you are creating a new file, the apache user needs permissions to the directory.   Use same logic above to set permissions to the directory.
0
 
LVL 48

Accepted Solution

by:
Tintin earned 1000 total points
ID: 20324906
Does the file you are trying to write to exist or not?  If it exists, is it owned by apache?

If so, then it may be SELINUX restricting it.

What's the output of

grep SELINUX /etc/selinux/config
0
 

Author Comment

by:marcus_carey
ID: 20324924
suexec is enabled

[Tue Nov 20 09:39:15 2007] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Nov 20 09:39:15 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
0
 
LVL 48

Expert Comment

by:Tintin
ID: 20325132
Unless you really know what you're doing, having SELINUX can be a real pain in the side.  I'd disable it unless you have a strong need for it to be enabled.

0
 

Author Comment

by:marcus_carey
ID: 20325153
Here is the output of the config

[root@localhost ~]# grep SELINUX /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted

 
0
 
LVL 2

Assisted Solution

by:terrydavis
terrydavis earned 1000 total points
ID: 20325165
I would advise you to set selinux to permissive while you test your script.  Once you have it working, configure selinux to allow your cgi to do its work and set it back to enforcing.  You can do this in /etc/selinux/config.

0
 

Author Comment

by:marcus_carey
ID: 20325185
The CGI script opens a file for writing.  I have apache installed on my pc for testing and debugging cgi scripts.  

drwxr-xr-x  apache apache system_u:object_r:user_home_t:s0 sessions
0
 

Author Comment

by:marcus_carey
ID: 20325197
I just got an AVC denial pop-up window

Summary
    SELinux prevented httpd reading and writing access to http files.

Detailed Description
    SELinux prevented httpd reading and writing access to http files. Ordinarily
    httpd is allowed full access to all files labeled with http file context.
    This machine has a tightened security policy with the httpd_unified turned
    off, this requires explicit labeling of all files.  If a file is a cgi
    script it needs to be labeled with httpd_TYPE_script_exec_t in order to be
    executed.  If it is read-only content, it needs to be labeled
    httpd_TYPE_content_t, it is writable content. it needs to be labeled
    httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
    command to change these contexts.  Please refer to the man page "man
    httpd_selinux" or http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
    refers to one of "sys", "user" or "staff" or potentially other script types.

Allowing Access
    Changing the "httpd_unified" boolean to true will allow this access:
    "setsebool -P httpd_unified=1"

    The following command will allow this access:
    setsebool -P httpd_unified=1

Additional Information        

Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:httpd_sys_script_exec_t:s0
Target Objects                None [ dir ]
Affected RPM Packages        
Policy RPM                    selinux-policy-3.0.8-53.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_unified
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP
                              Tue Oct 30 13:55:12 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Tue 20 Nov 2007 06:50:21 PM EST
Last Seen                     Tue 20 Nov 2007 06:50:21 PM EST
Local ID                      76c45bef-fb7f-44b8-8651-85bf1c84346f
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=Store dev=dm-0 name=cgi-bin pid=13296
scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=dir
tcontext=system_u:object_r:httpd_sys_script_exec_t:s0

0
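
Added example (not part of the thread or of any participant's post): a POSIX shell helper that reads the raw AVC message quoted above and derives a relabel suggestion scoped to one data directory, so the script can write while SELinux stays enforcing. The function names, the `/path/to/sessions` placeholder and the mapping from the script domain `httpd_sys_script_t` to `httpd_sys_script_rw_t` (the alert's `httpd_TYPE_script_rw_t` with TYPE = `sys`) are assumptions.

```shell
#!/bin/sh
# Added example: read an AVC denial and suggest a narrow relabel for CGI data.

# The raw audit message quoted in the thread, embedded as sample input.
SAMPLE_AVC='avc: denied { write } for comm=Store dev=dm-0 name=cgi-bin pid=13296
scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=dir
tcontext=system_u:object_r:httpd_sys_script_exec_t:s0'

# avc_field KEY MSG: print the value of KEY=value (anchored, so "scontext"
# never matches inside "tcontext").
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# avc_perms MSG: print the permission list found between "{" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: print the type, the third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# rw_label_for DOMAIN: map httpd_TYPE_script_t to httpd_TYPE_script_rw_t.
# Assumption: the alert's TYPE is the middle part of the script domain name.
rw_label_for() {
    case "$1" in
        httpd_*_script_t) printf '%s\n' "${1%_script_t}_script_rw_t" ;;
        *) return 1 ;;
    esac
}

# diagnose MSG [DIR]: summarise the denial; DIR is the data directory to label.
diagnose() {
    msg=$1; dir=${2:-/path/to/sessions}   # hypothetical placeholder path
    src=$(ctx_type "$(avc_field scontext "$msg")")
    tgt=$(ctx_type "$(avc_field tcontext "$msg")")
    echo "$src denied { $(avc_perms "$msg") } on $(avc_field tclass "$msg")" \
         "'$(avc_field name "$msg")' labelled $tgt"
    case "$tgt" in
        *_script_exec_t) echo "target is labelled for executable CGI content; keep data in a separate directory" ;;
    esac
    if label=$(rw_label_for "$src"); then
        echo "suggested: chcon -R -t $label $dir"
    fi
}

diagnose "$SAMPLE_AVC"
```

A label set with `chcon` is lost on a filesystem relabel; recording the same type with `semanage fcontext` and applying it with `restorecon` makes it persistent.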
