Solved

How do you set up Apache web server to open files for writing using CGI scripts?

Posted on 2007-11-20
Last Modified: 2013-12-25
I am trying to open a file for writing using a CGI script but I am getting a "Permission denied" error. What do I need to do to write files with the Apache web server? I set the directory and file permissions to 755 but this does not work.
Question by:marcus_carey
14 Comments
 
LVL 48

Expert Comment

by:Tintin
ID: 20324539
What owner do you have on the directory with 755 perms?  Remember the apache owner will generally be nobody, httpd, or apache.
0
 

Author Comment

by:marcus_carey
ID: 20324716
I had set it to apache.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 20324783
Is 'apache' the owner the web server process runs under?
Do you have suexec configured?
0
LVL 2

Expert Comment

by:terrydavis
ID: 20324838
Hello,

ps xauwww | grep httpd

Look at the process owner of the httpd processes.   Your file needs to be owned by this person.  
chown apache:apache file

If you have control over the permissions and ownership of this file, suexec is not needed.  


Thanks,
Terry
0
 

Author Comment

by:marcus_carey
ID: 20324860
Here is the output from the grep.

[root@localhost cgi-bin]# ps xauwww | grep httpd
root      9216  0.0  0.0   4044   680 pts/1    R+   17:20   0:00 grep httpd
root     19953  0.0  1.0  27092 10556 ?        Ss   09:39   0:00 /usr/sbin/httpd
apache   19970  0.0  0.5  27092  6068 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19971  0.0  0.5  27092  6052 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19972  0.0  0.5  27092  6068 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19973  0.0  0.5  27092  6068 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19974  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19975  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19976  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
apache   19977  0.0  0.5  27092  6048 ?        S    09:39   0:00 /usr/sbin/httpd
0
 

Author Comment

by:marcus_carey
ID: 20324861
Which file are you talking about?  
0
 
LVL 2

Expert Comment

by:terrydavis
ID: 20324888
If you are trying to edit an existing file, the apache user needs permissions to that file:
chown apache file
chmod 644 file

If you are creating a new file, the apache user needs permissions to the directory.   Use same logic above to set permissions to the directory.
0
 
LVL 48

Accepted Solution

by:
Tintin earned 250 total points
ID: 20324906
Does the file you are trying to write to exist or not?  If it exists, is it owned by apache?

If so, then it may be SELINUX restricting it.

What's the output of

grep SELINUX /etc/selinux/config
0
 

Author Comment

by:marcus_carey
ID: 20324924
suexec is enabled

[Tue Nov 20 09:39:15 2007] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Nov 20 09:39:15 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
0
 
LVL 48

Expert Comment

by:Tintin
ID: 20325132
Unless you really know what you're doing, having SELINUX can be a real pain in the side.  I'd disable it unless you have a strong need for it to be enabled.

0
 

Author Comment

by:marcus_carey
ID: 20325153
Here is the output of the config

[root@localhost ~]# grep SELINUX /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted

 
0
 
LVL 2

Assisted Solution

by:terrydavis
terrydavis earned 250 total points
ID: 20325165
I would advise you to set selinux to permissive while you test your script.  Once you have it working, configure selinux to allow your cgi to do its work and set it back to enforcing.  You can do this in /etc/selinux/config.

0
 

Author Comment

by:marcus_carey
ID: 20325185
The CGI script opens a file for writing.  I have apache installed on my pc for testing and debugging cgi scripts.  

drwxr-xr-x  apache apache system_u:object_r:user_home_t:s0 sessions
0
 

Author Comment

by:marcus_carey
ID: 20325197
I just got an AVC denial pop-up window

Summary
    SELinux prevented httpd reading and writing access to http files.

Detailed Description
    SELinux prevented httpd reading and writing access to http files. Ordinarily
    httpd is allowed full access to all files labeled with http file context.
    This machine has a tightened security policy with the httpd_unified turned
    off, this requires explicit labeling of all files.  If a file is a cgi
    script it needs to be labeled with httpd_TYPE_script_exec_t in order to be
    executed.  If it is read-only content, it needs to be labeled
    httpd_TYPE_content_t, it is writable content. it needs to be labeled
    httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
    command to change these contexts.  Please refer to the man page "man
    httpd_selinux" or http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
    refers to one of "sys", "user" or "staff" or potentially other script types.

Allowing Access
    Changing the "httpd_unified" boolean to true will allow this access:
    "setsebool -P httpd_unified=1"

    The following command will allow this access:
    setsebool -P httpd_unified=1

Additional Information        

Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:httpd_sys_script_exec_t:s0
Target Objects                None [ dir ]
Affected RPM Packages        
Policy RPM                    selinux-policy-3.0.8-53.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_unified
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP
                              Tue Oct 30 13:55:12 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Tue 20 Nov 2007 06:50:21 PM EST
Last Seen                     Tue 20 Nov 2007 06:50:21 PM EST
Local ID                      76c45bef-fb7f-44b8-8651-85bf1c84346f
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=Store dev=dm-0 name=cgi-bin pid=13296
scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=dir
tcontext=system_u:object_r:httpd_sys_script_exec_t:s0

0
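
The raw audit message in the last post already names what has to change: which domain was denied, on what class of object, and what label the target carried. The following is an added example, not code from any poster in this thread; it parses that message and derives the writable-content type from the source domain, following the httpd_TYPE_script_t to httpd_TYPE_script_rw_t naming in the quoted alert. The path /path/to/sessions is a placeholder and the function names are made up for this example.

```shell
# Added example: read an SELinux AVC denial and suggest a label change.
# Raw audit message from the thread, joined onto one line.
AVC='avc: denied { write } for comm=Store dev=dm-0 name=cgi-bin pid=13296 scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=dir tcontext=system_u:object_r:httpd_sys_script_exec_t:s0'

# avc_field KEY MESSAGE: print the value of KEY=value in the message
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# avc_perms MESSAGE: print the permissions listed between the braces
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# selinux_type CONTEXT: print the type, third field of user:role:type:level
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_label MESSAGE: print the type a writable target needs, or nothing
suggest_label() {
    stype=$(selinux_type "$(avc_field scontext "$1")")
    perms=$(avc_perms "$1")
    case "$stype" in
        httpd_*_script_t) ;;          # only CGI script domains are handled
        *) return 0 ;;
    esac
    case " $perms " in
        *" write "*|*" append "*|*" create "*|*" add_name "*) ;;
        *) return 0 ;;                # not a write-type denial
    esac
    # httpd_sys_script_t -> httpd_sys_script_rw_t (TYPE stays the same)
    printf '%s\n' "${stype%_script_t}_script_rw_t"
}

# explain MESSAGE DIR: summarise the denial and print the chcon command
explain() {
    label=$(suggest_label "$1")
    [ -n "$label" ] || { echo "no labeling suggestion for this denial"; return 1; }
    echo "source type: $(selinux_type "$(avc_field scontext "$1")")"
    echo "target type: $(selinux_type "$(avc_field tcontext "$1")") ($(avc_field tclass "$1") $(avc_field name "$1"))"
    echo "suggested:   chcon -R -t $label $2"
}

# /path/to/sessions is a placeholder for the directory the script writes to
explain "$AVC" /path/to/sessions
```

Point the suggested command at a separate data directory rather than at cgi-bin itself, so the scripts keep their httpd_sys_script_exec_t label. A chcon change does not survive a filesystem relabel.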


Question has a verified solution.
