Posted to users@httpd.apache.org by Chuck Crisler <ch...@comcast.net> on 2009/08/21 04:02:50 UTC

[users@httpd] permission problem

I seem to have a permission problem with apache. I am running FC9 and
apache 2.2.11, mod_perl 2.0.4 and perl/V5.10.0. I am trying to work with
apache/perl/mason/mySQL but continually encounter permission failures.
Apache runs under user/group apache/apache (specified in the httpd.conf
file and verified using the ps command). The document root
is /var/www/html, which is owned by root (I don't understand this, I
would think it would be apache/apache). My cgi-bin directory
(/var/www/cgi-bin) was owned by root/root at first. I entered the env.pl
script from example 1-5, pg 10 in the Practical mod-perl book. I saved
the file to /var/www/cgi-bin, changed owner to apache, chmod 700,
re-started apache and tried to access http://localhost/cgi-bin/env.pl
and failed with a permission error. I changed the cgi-bin directory to
apache/apache (user/group) and the env.pl script also. I re-started
apache. It still fails with a permission error. I suspect that if I
changed the env.pl file to root/root then it would work, but I don't
want to do that. I have had several other errors similar to this that I
have worked around, but would really like to understand this permission
thing and get it fixed once and for all.

My system does have a user apache/apache, but there isn't a home
directory.

How do most people configure a development server? I try to avoid using
the root login for security reasons. However, all of the apache files
are owned by root, so I maintain private versions of them and use sudo
to copy changes back to the appropriate directory. I haven't figured out
how to handle perl scripts that I enter.

All help is greatly appreciated.

Chuck Crisler


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] permission problem (still)

Posted by Chuck Crisler <ch...@comcast.net>.
On Thu, 2009-08-27 at 12:13 +0200, André Warnier wrote:
> Chuck Crisler wrote:
> > On Fri, 2009-08-21 at 09:37 +0100, Tom Evans wrote:
> > 
> > 
> > My cgi-bin directory (/var/www/cgi-bin) is owned by root with these
> > permissions drwxr-xr-x. This is from my httpd.conf
> > 
> Hi.
> On my Linux (Debian) systems, the cgi-bin directories - and the scripts
> in them - have an owner "root", but a group "www-data", and are executable
> by this group "www-data".

On Fedora, the user/group is apache/apache. The directories and files
are owned by root/root. My directories and files are all rwxr-xr-x. At
least, the ones that I have looked at. That should mean that everyone
can execute the scripts in my cgi-bin directory. My httpd.conf file also
specifies allow all in the cgi-bin directory directives. Once I get it
working I will change that to be more restrictive.

I suspect that somehow I am specifying the directory wrong and it isn't
using the right cgi-bin directory. The permissions are correct and it
should work if it was using the intended directory. I created a cgi-bin
directory under my home directory and changed the httpd.conf file
appropriately (I think) and that didn't make a difference. Yes, I made
sure that the directory and file permissions were correct. I stop and
then start apache when I modify the httpd.conf file rather than simply
re-start. I do this from the services app.

I have Mason installed and the Perl scripts are routed through it. I
wonder if that could be causing a problem? I have tried commenting out
the Mason portions of the httpd.conf file and that didn't make any
difference. Is there a way to see the entire directory name in the error
log?

Chuck

> 
> Apache starts up as root (which allows it to open a listening port 80),
> but then (in a prefork config at least), the children run as
> www-data/www-data.
> (See the User and Group directives in your conf file).
> I presume that cgi-bins must be executable by the user/group the Apache 
> children run as.
> 
> 




Re: [users@httpd] permission problem (still)

Posted by André Warnier <aw...@ice-sa.com>.
Chuck Crisler wrote:
> On Fri, 2009-08-21 at 09:37 +0100, Tom Evans wrote:
> 
> 
> My cgi-bin directory (/var/www/cgi-bin) is owned by root with these
> permissions drwxr-xr-x. This is from my httpd.conf
> 
Hi.
On my Linux (Debian) systems, the cgi-bin directories - and the scripts
in them - have an owner "root", but a group "www-data", and are executable
by this group "www-data".

Apache starts up as root (which allows it to open a listening port 80),
but then (in a prefork config at least), the children run as
www-data/www-data.
(See the User and Group directives in your conf file).
I presume that cgi-bins must be executable by the user/group the Apache 
children run as.




Re: [users@httpd] permission problem (still)

Posted by Chuck Crisler <ch...@comcast.net>.
On Fri, 2009-08-21 at 09:37 +0100, Tom Evans wrote:

> If it was owned by user apache, then if the webserver were exploitable,
> the attacker would be able to deface your website. If it is just
> readable by apache, then they would need to exploit apache and then find
> a local privilege escalation to do so.

Thank you for pointing out what should have been obvious.
> 
When I try to execute scripts from my cgi-bin directory, I am blocked by
a permission problem. In FireFox, I am using
http://localhost/cgi-bin/env.pl as the address line.

My cgi-bin directory (/var/www/cgi-bin) is owned by root with these
permissions drwxr-xr-x. This is from my httpd.conf

ScriptAlias /cgi-bin/ /var/www/cgi-bin/

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options Indexes FollowSymLinks ExecCGI Includes
    Order deny,allow
    Allow from all
</Directory>

However, when I try to execute any script from that directory, I get
this error.

[Wed Aug 26 21:21:05 2009] [error] [client 127.0.0.1] (13)Permission
denied: access to /cgi-bin/env.pl denied

BTW: my serverroot is defined as:
ServerRoot "/etc/httpd"

My document root is defined as:
DocumentRoot "/var/www/html"

The Perl files in the cgi-bin directory are owned by root with these
permissions: rwxr-xr-x. I also tried to create a cgi-bin directory under
my home directory (making all of the changes needed in httpd.conf), I
set the permissions correctly (I think)


> They don't have to be owned by root, they just need to be readable by
> apache and correctly configured. Your doc root, and all the files under
> there, can be owned by your local user. You only need root privileges to
> start/stop apache.

What about cgi-bin? It is parallel to doc-root.

All help is greatly appreciated!

Chuck






Re: [users@httpd] permission problem

Posted by Tom Evans <te...@googlemail.com>.
On Thu, 2009-08-20 at 22:02 -0400, Chuck Crisler wrote:
> I seem to have a permission problem with apache. I am running FC9 and
> apache 2.2.11, mod_perl 2.0.4 and perl/V5.10.0. I am trying to work with
> apache/perl/mason/mySQL but continually encounter permission failures.
> Apache runs under user/group apache/apache (specified in the httpd.conf
> file and verified using the ps command). The document root
> is /var/www/html, which is owned by root (I don't understand this, I
> would think it would be apache/apache).

If it was owned by user apache, then if the webserver were exploitable,
the attacker would be able to deface your website. If it is just
readable by apache, then they would need to exploit apache and then find
a local privilege escalation to do so.

>  My cgi-bin directory
> (/var/www/cgi-bin) was owned by root/root at first. I entered the env.pl
> script from example 1-5, pg 10 in the Practical mod-perl book. I saved
> the file to /var/www/cgi-bin, changed owner to apache, chmod 700,
> re-started apache and tried to access http://localhost/cgi-bin/env.pl
> and failed with a permission error. 

And what did the error log say about this error?

> I changed the cgi-bin directory to
> apache/apache (user/group) and the env.pl script also. I re-started
> apache. It still fails with a permission error. I suspect that if I
> changed the env.pl file to root/root then it would work, but I don't
> want to do that. I have had several other errors similar to this that I
> have worked around, but would really like to understand this permission
> thing and get it fixed once and for all.

You need to see why it failed. Look at your error log.

> 
> My system does have a user apache/apache, but there isn't a home
> directory.
> 
> How do most people configure a development server? I try to avoid using
> the root login for security reasons. However, all of the apache files
> are owned by root, so I maintain private versions of them and use sudo
> to copy changes back to the appropriate directory. I haven't figured out
> how to handle perl scripts that I enter.
> 
> All help is greatly appreciated.
> 
> Chuck Crisler
> 

They don't have to be owned by root, they just need to be readable by
apache and correctly configured. Your doc root, and all the files under
there, can be owned by your local user. You only need root privileges to
start/stop apache.

Cheers

Tom
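A small permission audit, added here as an example (it is not code from the thread or from the httpd project), that does what Tom and André describe: it walks every directory on the script's path and checks the Unix mode bits against the uid/gid the Apache children run as (the User/Group directives; on Fedora look them up with `id apache`), and it flags a script that uid could also write, which is Tom's defacement point. `run_demo` builds a constructed temporary cgi-bin and audits it for a made-up uid that stands in for apache; only rwx bits are modelled, nothing else that might deny access.

```python
# Added example (not from the thread): check the Unix mode bits that let the
# unprivileged Apache children (User/Group) read and run a CGI script, and
# flag a script those children could also write. Only rwx bits are modelled.
import os
import tempfile


def effective_bits(st: os.stat_result, uid: int, gids: set[int]) -> int:
    """rwx bits (0-7) that apply to uid/gids for this inode, as chmod sees them."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def audit_cgi_path(script: str, uid: int, gids: set[int]) -> list[str]:
    """Walk every directory on the path like the kernel does; return problems."""
    script = os.path.abspath(script)
    parents = [os.sep]
    for part in script.split(os.sep)[1:-1]:
        parents.append(os.path.join(parents[-1], part))
    problems: list[str] = []
    for d in parents:  # each directory needs 'x' (search) for the Apache uid
        if not effective_bits(os.stat(d), uid, gids) & 1:
            problems.append(f"{d}: no search (x) permission for uid {uid}")
    bits = effective_bits(os.stat(script), uid, gids)
    for bit, name in ((4, "readable"), (1, "executable")):
        if not bits & bit:
            problems.append(f"{script}: not {name} by uid {uid}")
    if bits & 2:  # Tom's point: writable by apache means an exploit can deface it
        problems.append(f"{script}: writable by uid {uid} (defacement risk)")
    return problems


def run_demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed cgi-bin owned by us, audited for a made-up uid/gid standing in for apache."""
    uid, gids = os.getuid() + 1, {os.getgid() + 1}  # deliberately not the owner
    cgi_bin = tempfile.mkdtemp(prefix="cgi-bin-")  # drwx------ by default
    script = os.path.join(cgi_bin, "env.pl")
    open(script, "w").close()
    os.chmod(cgi_bin, 0o755)  # drwxr-xr-x, as on Chuck's Fedora box
    os.chmod(script, 0o700)   # 'chmod 700' only works if the owner IS the Apache user
    locked = audit_cgi_path(script, uid, gids)
    os.chmod(script, 0o755)   # rwxr-xr-x: readable and executable by everyone
    fixed = audit_cgi_path(script, uid, gids)
    os.chmod(script, 0o777)   # too loose: apache could rewrite the script
    loose = audit_cgi_path(script, uid, gids)
    return locked, fixed, loose
```

Run it against a real path with `audit_cgi_path("/var/www/cgi-bin/env.pl", apache_uid, {apache_gid})`; the first line it reports is the component that produces the "(13)Permission denied" in the error log.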

