Posted to users@httpd.apache.org by Gi...@ct.infn.it on 2005/01/07 18:11:03 UTC
[users@httpd] Using several cgi-bin directories
Hi,
I am using httpd-2.0.52-3.1 on Fedora Core 3. My httpd.conf is attached,
for your perusal.
I need a ScriptAlias directory located in a non-default path.
I then duplicated the ScriptAlias entry as follows:
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
ScriptAlias /cgi-bin/koha/ "/usr/local/koha/intranet/cgi-bin/"
I even tried having a single
ScriptAlias /cgi-bin/ "/usr/local/koha/intranet/cgi-bin/"
All the steps in the path above are chmod o+x
The CGI script is a very simple test perl file, which prints out a
familiar "Hello world!" string.
It is chmod o+x as well, and the output is fine if I call it as
http://localhost/cgi-bin/test.pl
while
http://localhost/cgi-bin/koha/test.pl
generates an "Internal Server Error", with the following lines in the
error_log file:
[error] [client 127.0.0.1] (13)Permission denied: exec of '/usr/local/koha/intranet/cgi-bin/test.pl' failed
[error] [client 127.0.0.1] Premature end of script headers: test.pl
Needless to say, test.pl _does_ work from shell, and _does_ produce the
expected result, when called within a browser in the standard /cgi-bin/
directory.
Interestingly, it also works if I copy test.pl to /var/www/cgi-bin2/, say,
and correspondingly define a
ScriptAlias /cgi-bin2/ "/var/www/cgi-bin2/"
in httpd.conf.
For all that matters, here's an ls -la of /usr/sbin/suexec
-r-s--x--- 1 root apache 10760 Nov 11 16:39 /usr/sbin/suexec
Something else quite strange, is that everything worked fine on RedHat
9.0, running httpd-2.0.40-21.
Any help will be much appreciated!
Thanks.
Giuseppe.
Re: [users@httpd] Using several cgi-bin directories
Posted by Gi...@ct.infn.it.
Dear Leif,
thanks again for your stimulating suggestions.
> Although I have known of its existence for a few years, I have
> absolutely no experience with SELinux. It required changes to the
> filesystem which I never seem to get time to get around to researching.
> But if I had it preconfigured, I'd be reluctant to disable it
> permanently.
It turned out that SELinux can possibly coexist with apache. It is just a
question of setting the "context" of files and directories consistently.
The "context" of a file can be listed with ls -Z, and changed with chcon.
(These features seem to be absent in RedHat 9.0.)
Best regards and many thanks again.
Giuseppe.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
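Checking file contexts as described in the message above, as an added example that is not part of the original thread: it reads ls -Z output and prints the chcon commands that would relabel mislabelled CGI files. The contexts shown are constructed sample data, and the target type httpd_sys_script_exec_t is an assumption about the loaded policy.

```shell
#!/bin/sh
# Added example: audit SELinux labels of CGI files from `ls -Z` output.
# ALLOWED_TYPE is an assumption: httpd_sys_script_exec_t is the type the
# targeted policy uses for CGI scripts; confirm it against your own policy.
ALLOWED_TYPE="httpd_sys_script_exec_t"

# Constructed sample of `ls -Z` output (paths from the thread, labels made up).
sample_ls_z() { cat <<'EOF'
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/test.pl
unconfined_u:object_r:usr_t:s0 /usr/local/koha/intranet/cgi-bin/test.pl
EOF
}

# Read `ls -Z` lines on stdin; print "path type" for each mislabelled file.
# Works for "context name" and for long listings that end in the name.
# File names containing spaces are not handled.
mislabelled() {
    awk -v want="$ALLOWED_TYPE" '
        {
            ctx = ""
            # The context is the first field shaped user:role:type[:level].
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+/) { ctx = $i; break }
            if (ctx == "") next
            split(ctx, part, ":")
            if (part[3] != want) print $NF, part[3]
        }'
}

# Turn the findings into chcon commands for review (printed, never run).
suggest_fixes() {
    mislabelled | while read -r path type; do
        printf 'chcon -t %s %s   # was %s\n' "$ALLOWED_TYPE" "$path" "$type"
    done
}

sample_ls_z | suggest_fixes
```

A label set with chcon does not survive a filesystem relabel; a lasting rule belongs in the policy's file-context configuration.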
Re: [users@httpd] Using several cgi-bin directories
Posted by Leif W <wa...@usa.net>.
> Giuseppe.Angilella@ct.infn.it; 2005 January 08 Saturday 02:54
>
> provided it was placed in /var/www/cgi-bin (or /var/www/cgi-bin2, with
> appropriate entries in httpd.conf).
So the SELinux which you mentioned below, may have been configured to
only allow from this filesystem hierarchy.
>> correct to me (with the addition of Options ExecCGI), but I would not
>> exclude the possibility that something does not seem right to Apache
>> (either with or without good reasons which I don't understand at the
>> moment), as evidenced by other non-hierarchical ScriptAlias locations
>> apparently working. I have in
>
> That was it.
Well, everything looked ok to me, so it is likely that it was SELinux
which saw something it didn't like.
> I "simply" had to disable the SELinux protection for the httpd daemon.
> (Same for the mysqld daemon, but that was not present in my FC3
> standard configuration.)
>
> I didn't have SELinux in RedHat 9.0, so I wasn't even aware of its
> existence.
Although I have known of its existence for a few years, I have
absolutely no experience with SELinux. It required changes to the
filesystem which I never seem to get time to get around to researching.
But if I had it preconfigured, I'd be reluctant to disable it
permanently.
> You see, Koha usually installs under /usr/local/koha, and with
> appropriate definitions in httpd.conf, all scripts located under that
> path do work as expected. Evidently, SELinux prevented them from being
> executed. Same for any other script - that's why I talked about
> test.pl (I tried to simplify my problem for the scopes of the
> users-httpd list).
There ought to be some log file with all these koha security policy
violations logged which would indicate the cause of the error, and
possibly verify the suspicion that /var/www hierarchy is configured
somewhere.
> I wonder whether a scratch-new installation of Koha under
> /var/www/koha, say, would have been working as well, without having to
> disable SELinux protection.
Try it and see. Try first to enable SELinux, and put test.pl somewhere
like /var/www/something/else/abc/xyz/junk/test.pl, just to see if it
requires a cgi-bin name. Probably not the most productive test, but the
results might provide further insight. If I guessed, I'd say it will
work. But it's about 60/40. ;-)
> In fact, I had similar problems under Mandrake 10.1, and I haven't
> tried yet whether there's any SELinux entry to disable there as well
> ...
>
> Many thanks again, Leif. Now that everything works, there remains to
> understand _why_ it is working. While I browse the Internet for
> SELinux and its interaction with httpd, I would of course welcome any
> advice from you and anyone else on this list.
Well, glad you solved the question of whether Apache misconfiguration was
the culprit. Seems like you have proceeded along a straightforward
troubleshooting process. On to the next step: SELinux research and
experimentation (docs reading, log grepping and config frobbing).
Enjoy!
Leif
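The log check suggested above, as an added example that is not part of the original message: Apache reports errno 13 both for ordinary permission failures and for SELinux denials, so the script pairs each failed exec in error_log with an AVC denial for httpd, if one exists. Both logs are constructed samples, noexec.pl is a hypothetical file name, and the AVC field layout is an assumption.

```shell
#!/bin/sh
# Added example: both logs are constructed samples. noexec.pl is a
# hypothetical script, and the AVC layout (comm=, name=, tcontext=) is
# assumed to be the one your system writes to its audit log.
sample_error_log() { cat <<'EOF'
[error] [client 127.0.0.1] (13)Permission denied: exec of '/usr/local/koha/intranet/cgi-bin/test.pl' failed
[error] [client 127.0.0.1] Premature end of script headers: test.pl
[error] [client 127.0.0.1] (13)Permission denied: exec of '/var/www/cgi-bin2/noexec.pl' failed
EOF
}
sample_audit_log() { cat <<'EOF'
type=AVC msg=audit(1105114263.101:45): avc:  denied  { execute } for  pid=2311 comm="httpd" name="test.pl" dev=hda2 ino=98211 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1105114300.554:46): avc:  denied  { read } for  pid=2400 comm="named" name="named.conf" dev=hda2 ino=4411 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# classify ERROR_LOG AUDIT_LOG
# Prints one line per failed exec: "<path> avc-denied <tcontext>" when an
# httpd execute denial names the same file, otherwise "<path> no-avc".
classify() {
    grep -F "(13)Permission denied: exec of '" "$1" |
    sed "s/.*exec of '\([^']*\)' failed.*/\1/" |
    while read -r path; do
        name=${path##*/}    # AVC records carry only the base name
        tctx=$(grep 'avc: *denied' "$2" | grep 'comm="httpd"' |
               grep -F "name=\"$name\"" | grep '{[^}]*execute' |
               sed 's/.*tcontext=\([^ ]*\).*/\1/' | head -n 1) || true
        if [ -n "$tctx" ]; then
            echo "$path avc-denied $tctx"
        else
            echo "$path no-avc"
        fi
    done
}

# Write the samples to a temporary directory and classify them.
demo() {
    dir=$(mktemp -d) || return 1
    sample_error_log > "$dir/error_log"
    sample_audit_log > "$dir/audit_log"
    classify "$dir/error_log" "$dir/audit_log"
    rm -rf "$dir"
}
demo
```

A failed exec with no AVC record points back at mode bits, directory search permission or suexec rules, although dontaudit rules in a policy can also hide a denial.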
Re: [users@httpd] Using several cgi-bin directories
Posted by Gi...@ct.infn.it.
Dear Leif,
first of all, thank you very much for your detailed answer, which I
enjoyed reading very much, and was helpful in many respects.
I had already tried all the suggestions you kindly gave to me (in fact,
the test.pl behaved well to several checks - ownerships, interactive
execution from shell, correct headers ... - and indeed it simply _worked_,
provided it was placed in /var/www/cgi-bin (or /var/www/cgi-bin2, with
appropriate entries in httpd.conf).
> correct to me (with the addition of Options ExecCGI), but I would not exclude
> the possibility that something does not seem right to Apache (either with or
> without good reasons which I don't understand at the moment), as evidenced by
> other non-hierarchical ScriptAlias locations apparently working. I have in
That was it.
From another mailing list (related to the collection of scripts I would
actually like to execute - Koha, an open-source system for library
maintenance, http://www.koha.org) I have just received the answer to my
problem.
I "simply" had to disable the SELinux protection for the httpd daemon.
(Same for the mysqld daemon, but that was not present in my FC3 standard
configuration.)
I didn't have SELinux in RedHat 9.0, so I wasn't even aware of its
existence.
You see, Koha usually installs under /usr/local/koha, and with appropriate
definitions in httpd.conf, all scripts located under that path do work as
expected. Evidently, SELinux prevented them from being executed. Same for any
other script - that's why I talked about test.pl (I tried to simplify my
problem for the scopes of the users-httpd list).
I wonder whether a scratch-new installation of Koha under /var/www/koha,
say, would have been working as well, without having to disable SELinux
protection.
In fact, I had similar problems under Mandrake 10.1, and I haven't tried
yet whether there's any SELinux entry to disable there as well ...
Many thanks again, Leif. Now that everything works, there remains to
understand _why_ it is working. While I browse the Internet for SELinux
and its interaction with httpd, I would of course welcome any advice from
you and anyone else on this list.
Best regards,
Giuseppe.
Re: [users@httpd] Using several cgi-bin directories
Posted by Leif W <wa...@usa.net>.
> Giuseppe.Angilella@ct.infn.it; 2005 January 07 Friday 12:11
> ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
> ScriptAlias /cgi-bin/koha/ "/usr/local/koha/intranet/cgi-bin/"
You need the associated Directory definitions, which I see you have.
Good. However, you have set "Options None". Try to set "Options
ExecCGI". You have every module loaded, and you're probably not
currently using or going to use most of them. The point of modules is
to turn them off if unused by commenting out the LoadModule line and
restarting. Read the manual to find out what you don't need and turn
off one at a time until something squeaks. :p This can simplify
troubleshooting, and at least make Apache start up faster and use less
memory. For instance you have loaded the suexec module but it appears
to be unused (there's no SuexecUserGroup directive). If you get basic
CGI stuff working, you might want to configure suexec. However that can
be tricky the first time, and requires that you know how to get CGI
working in the first place.
> All the steps in the path above are chmod o+x
The suexec module places further constraints on file location, owner,
group, current user, and permissions.
> The CGI script is a very simple test perl file, which prints out a
> familiar "Hello world!" string.
...
> [error] [client 127.0.0.1] (13)Permission denied: exec of
> '/usr/local/koha/intranet/cgi-bin/test.pl' failed
> [error] [client 127.0.0.1] Premature end of script headers: test.pl
Does the script generate the correct headers? Normally this is
"Content-Type: text/plain\n\n" (two newlines), followed by the content
("Hello World!").
> Something else quite strange, is that everything worked fine on RedHat
> 9.0, running httpd-2.0.40-21.
Perhaps a bug was fixed or introduced in that time between 2.0.40 and
2.0.52, which is a long time indeed! I have not seen the usage of
cgi-bin, where the toplevel cgi-bin is scriptaliased to one location and
sublevel users cgi-bin's refer to other locations. The syntax seems
perfectly valid and correct to me (with the addition of Options
ExecCGI), but I would not exclude the possibility that something does
not seem right to Apache (either with or without good reasons which I
don't understand at the moment), as evidenced by other non-hierarchical
ScriptAlias locations apparently working. I have in some instances had
funky problems with odd custom test scripts that would only run if the
filename began with "nph-" for non-parsed headers. That was a long time
ago so I don't know if things have changed. Wouldn't hurt to "cp -a
test.pl nph-test.pl" and see if anything changes by calling that
instead. Be sure to handle your own response headers as noted above!
Leif