Posted to users@httpd.apache.org by Igor Cicimov <ic...@gmail.com> on 2020/02/04 02:11:38 UTC

Re: [users@httpd] ExecCGI ignored within nfs share

Should have said "exported" with noexec instead of mounted to make it more
clear. Then it doesn't matter what you do on the client side, you will still
not be able to run exe files.

Since this is not the case, maybe the perms of the directories on that path
have no exe permissions themselves?

IC

On Fri, Jan 31, 2020, 10:46 PM Michele Mase' <mi...@gmail.com> wrote:

> From fstab:
> 10.10.10.10:/vol/shared /shared nfs defaults,exec,tcp,vers=3,intr,_netdev 0 0
> From /proc/mounts
> 10.10.10.10:/vol/shared /shared nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.10.10.10,mountvers=3,mountport=635,mountproto=tcp,local_lock=none,addr=10.10.10.10 0 0
> The apache process user can execute scripts under nfs share:
> su - www-data -s /bin/bash -c "/shared/www_root/cgi2/test.sh" #working
>
>
> On Thu, Jan 30, 2020 at 8:57 PM Igor Cicimov <ic...@gmail.com> wrote:
>
>> On Wed, Jan 29, 2020, 11:35 PM Michele Mase' <mi...@gmail.com>
>> wrote:
>>
>>> I'm trying to execute some CGI scripts under a certain directory stored
>>> under an nfs share without any success; the same configuration is working
>>> outside nfs share (i.e. under local filesystem).
>>> What am I missing?
>>> Regards
>>> Michele Masè
>>>
>>> Local Working: curl https://www.example.com/cgi2/
>>>
>>> Alias /cgi2/ /var/www/html.default/cgi2/
>>> <Directory "/var/www/html.default/cgi2">
>>> AddHandler cgi-script .cgi .pl .sh
>>> DirectoryIndex index.cgi index.html
>>> Options +ExecCGI
>>> </Directory>
>>>
>>>
>>> NFS Not Working:
>>> Alias /cgi2/ /shared/www_root/cgi2/
>>> <Directory "/shared/www_root/cgi2/">
>>> AddHandler cgi-script .cgi .pl .sh
>>> DirectoryIndex index.cgi index.html
>>> Options +ExecCGI
>>> </Directory>
>>>
>>> Error_Log:
>>> AH01262: Options ExecCGI is off in this directory:
>>> /shared/www_root/cgi2/index.cgi
>>>
>>> index.cgi script
>>>
>>> #!/usr/bin/perl
>>>
>>> print "Content-type: text/html\n\n";
>>> print "<html>\n<body>\n";
>>> print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n";
>>> print "CGI Test Page";
>>> print "\n</div>\n";
>>> print "</body>\n</html>\n";
>>>
>>> apache2.4.x ubuntu18.04 libapache2-mod-apparmor not installed
>>>
>>> aa-status --verbose
>>> apparmor module is loaded.
>>> 8 profiles are loaded.
>>> 8 profiles are in enforce mode.
>>>    /sbin/dhclient
>>>    /usr/bin/man
>>>    /usr/lib/NetworkManager/nm-dhcp-client.action
>>>    /usr/lib/NetworkManager/nm-dhcp-helper
>>>    /usr/lib/connman/scripts/dhclient-script
>>>    /usr/sbin/tcpdump
>>>    man_filter
>>>    man_groff
>>> 0 profiles are in complain mode.
>>> 0 processes have profiles defined.
>>> 0 processes are in enforce mode.
>>> 0 processes are in complain mode.
>>> 0 processes are unconfined but have a profile defined.
>>>
>>> /proc/mounts
>>> 10.10.10.10:/vol/shared /shared nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.10.10.10,mountvers=3,mountport=635,mountproto=tcp,local_lock=none,addr=10.10.10.10 0 0
>>>
>>> su - www-data -s /bin/bash -c "/bin/cat /shared/www_root/cgi2/index.cgi" #working
>>> --
>>> Michele Masè
>>>
>>
>> Usually NFS shares are being mounted without exec permissions for
>> security, you need to make sure that is not the case.
>>
>>>
>
> --
> Michele Masè
>

Re: [users@httpd] ExecCGI ignored within nfs share

Posted by Michele Mase' <mi...@gmail.com>.
The directory perms are ok (directory 0755, files 0705); you can see the
content of the script but not execute it.

On Tue, Feb 4, 2020 at 2:12 AM Igor Cicimov <ic...@gmail.com> wrote:

> Should have said "exported" with noexec instead of mounted to make it more
> clear. Then it doesn't matter what you do on the client side, you will still
> not be able to run exe files.
>
> Since this is not the case, maybe the perms of the directories on that path
> have no exe permissions themselves?
>
> IC
>
> On Fri, Jan 31, 2020, 10:46 PM Michele Mase' <mi...@gmail.com>
> wrote:
>
>> From fstab:
>> 10.10.10.10:/vol/shared /shared nfs defaults,exec,tcp,vers=3,intr,_netdev 0 0
>> From /proc/mounts
>> 10.10.10.10:/vol/shared /shared nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.10.10.10,mountvers=3,mountport=635,mountproto=tcp,local_lock=none,addr=10.10.10.10 0 0
>> The apache process user can execute scripts under nfs share:
>> su - www-data -s /bin/bash -c "/shared/www_root/cgi2/test.sh" #working
>>
>>
>> On Thu, Jan 30, 2020 at 8:57 PM Igor Cicimov <ic...@gmail.com> wrote:
>>
>>> On Wed, Jan 29, 2020, 11:35 PM Michele Mase' <mi...@gmail.com>
>>> wrote:
>>>
>>>> I'm trying to execute some CGI scripts under a certain directory stored
>>>> under an nfs share without any success; the same configuration is working
>>>> outside nfs share (i.e. under local filesystem).
>>>> What am I missing?
>>>> Regards
>>>> Michele Masè
>>>>
>>>> Local Working: curl https://www.example.com/cgi2/
>>>>
>>>> Alias /cgi2/ /var/www/html.default/cgi2/
>>>> <Directory "/var/www/html.default/cgi2">
>>>> AddHandler cgi-script .cgi .pl .sh
>>>> DirectoryIndex index.cgi index.html
>>>> Options +ExecCGI
>>>> </Directory>
>>>>
>>>>
>>>> NFS Not Working:
>>>> Alias /cgi2/ /shared/www_root/cgi2/
>>>> <Directory "/shared/www_root/cgi2/">
>>>> AddHandler cgi-script .cgi .pl .sh
>>>> DirectoryIndex index.cgi index.html
>>>> Options +ExecCGI
>>>> </Directory>
>>>>
>>>> Error_Log:
>>>> AH01262: Options ExecCGI is off in this directory:
>>>> /shared/www_root/cgi2/index.cgi
>>>>
>>>> index.cgi script
>>>>
>>>> #!/usr/bin/perl
>>>>
>>>> print "Content-type: text/html\n\n";
>>>> print "<html>\n<body>\n";
>>>> print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n";
>>>> print "CGI Test Page";
>>>> print "\n</div>\n";
>>>> print "</body>\n</html>\n";
>>>>
>>>> apache2.4.x ubuntu18.04 libapache2-mod-apparmor not installed
>>>>
>>>> aa-status --verbose
>>>> apparmor module is loaded.
>>>> 8 profiles are loaded.
>>>> 8 profiles are in enforce mode.
>>>>    /sbin/dhclient
>>>>    /usr/bin/man
>>>>    /usr/lib/NetworkManager/nm-dhcp-client.action
>>>>    /usr/lib/NetworkManager/nm-dhcp-helper
>>>>    /usr/lib/connman/scripts/dhclient-script
>>>>    /usr/sbin/tcpdump
>>>>    man_filter
>>>>    man_groff
>>>> 0 profiles are in complain mode.
>>>> 0 processes have profiles defined.
>>>> 0 processes are in enforce mode.
>>>> 0 processes are in complain mode.
>>>> 0 processes are unconfined but have a profile defined.
>>>>
>>>> /proc/mounts
>>>> 10.10.10.10:/vol/shared /shared nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.10.10.10,mountvers=3,mountport=635,mountproto=tcp,local_lock=none,addr=10.10.10.10 0 0
>>>>
>>>> su - www-data -s /bin/bash -c "/bin/cat /shared/www_root/cgi2/index.cgi" #working
>>>> --
>>>> Michele Masè
>>>>
>>>
>>> Usually NFS shares are being mounted without exec permissions for
>>> security, you need to make sure that is not the case.
>>>
>>>>
>>
>> --
>> Michele Masè
>>
>

-- 
Michele Masè
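
The two filesystem checks raised in this thread (a noexec option on the mount that holds the script, and missing execute/search bits on the directories leading to it), as an added shell sketch that is not part of the original messages. The function names and the sample mount table are hypothetical; the permission check assumes the web server user is neither owner nor group member of the directories.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the thread; function names are hypothetical.

# Print the options of the mount containing path $1: longest matching mount
# point in a /proc/mounts-style file ($2, default /proc/mounts; "-" = stdin).
mount_opts_for() {
    awk -v p="$1" '
        { mp = $2; n = length(mp)
          hit = (mp == "/") || (p == mp) || (substr(p, 1, n + 1) == (mp "/"))
          if (hit && n >= best) { best = n; opts = $4 } }
        END { print opts }' "${2:-/proc/mounts}"
}

# Succeed when the mount containing $1 carries the noexec option.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each directory above $1 that lacks the "other" search (x) bit.
# Assumption: the web server user is neither owner nor in the group.
unsearchable_dirs() {
    dir=$(dirname "$1")
    while :; do
        case "$(ls -ld "$dir" | cut -c10)" in
            x|t) ;;
            *) echo "$dir" ;;
        esac
        if [ "$dir" = "/" ] || [ "$dir" = "." ]; then break; fi
        dir=$(dirname "$dir")
    done
}

# Constructed sample: a shortened form of the thread's /shared entry plus an
# invented noexec mount for contrast.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
10.10.10.10:/vol/shared /shared nfs rw,relatime,vers=3,hard,proto=tcp,sec=sys 0 0
10.10.10.10:/vol/upload /shared/upload nfs rw,noexec,nosuid,vers=3 0 0'

for p in /shared/www_root/cgi2/index.cgi /shared/upload/x.cgi; do
    if printf '%s\n' "$SAMPLE_MOUNTS" | is_noexec "$p" -; then
        echo "$p: mount is noexec"
    else
        echo "$p: mount allows exec"
    fi
done
```

On a live host, call `is_noexec` and `unsearchable_dirs` with the real script path and no second argument so that `/proc/mounts` is read.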