Posted to users@httpd.apache.org by Bennett Haselton <be...@peacefire.org> on 2008/02/11 23:19:43 UTC

Re: [users@httpd] how to enable CGI scripts to read /var/log/httpd/access_log ?

At 02:14 PM 2/11/2008 -0500, Joshua Slive wrote:
>On Feb 11, 2008 1:38 PM, Bennett Haselton <be...@peacefire.org> wrote:
> > I am trying to run a CGI script that can open /var/log/httpd/access_log for
> > reading and parse some data from it.  (This is on a dedicated machine.)
> >
> > The file /var/log/httpd/access_log is owned by root, but that's not the
> > problem.  I have other files owned by root that are in the /var/www/html
> > directory and CGI scripts can read those with no problem (because they are
> > world-*readable*, just like /var/log/httpd/access_log is).  The problem is
> > that apparently CGI scripts cannot open any files for reading that are
> > located outside of /var/www .
>
>There is no setting in the default apache install that could impose
>that restriction. Are you running SELinux perhaps?

Well I'm running the CentOS 4.4 distro, but according to 
http://en.wikipedia.org/wiki/Selinux , SELinux is not actually a distro, so 
not mutually exclusive with CentOS.  So could this machine be running 
SELinux?  How do I tell?  The hosting company set it up for me.

>Have you tried
>"setenforce 0" to see if the issue goes away?

Well, damn.  I do believe that fixed it.  Thanks!

>In general, the most secure way to deal with tasks that are beyond the
>permissions of your apache child processes is to use "sudo". But I bet
>your problem is an OS configuration issue. If the file is
>world-readable, your cgi scripts should be able to read it.

My CGI scripts can read world-readable files when those files are under 
/var/www, just not when the world-readable files are located anywhere else.

         -Bennett


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] how to enable CGI scripts to read /var/log/httpd/access_log ?

Posted by Krist van Besien <kr...@gmail.com>.
On Feb 12, 2008 12:51 AM, Bennett Haselton <be...@peacefire.org> wrote:
> At 04:02 PM 2/11/2008 -0700, Doug McNutt wrote:
> >At 14:19 -0800 2/11/08, Bennett Haselton wrote:
> > >My CGI scripts can read world-readable files when those files are under
> > >/var/www, just not when the world-readable files are located anywhere else.
> >
> >That could be because some intermediate directory(s) don't have the
> >necessary x and r permissions for world. (And you might not like that.)
>
> Uhh... Yep.  That was it.
>
> [root@sls-ce3p12 ~]# ls -ld /var/log/httpd
> drwx------  2 root root 4096 Feb 10 05:53 /var/log/httpd
>
> Changing that to 755 made it possible for the CGI script to read the
> access_log file.  Thanks!
>
> Don't know why I didn't think to check that.  I guess I was thinking in
> terms of Windows where (I think) permissions on individual directories are
> not inherited to sub-directories.

This is not a matter of permission inheritance, which Unix doesn't
really have. If the process attempting to open the file doesn't have
the permission to read the directory it can't find out what its inode
is, and thus can't read the file.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
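
The check Doug McNutt suggests, as an added example that is not part of any message in this thread: a POSIX shell helper that walks the directories above a file and reports the one missing search (x) permission for "other". It assumes the reading process is neither owner nor group member of those directories and looks at mode bits only (not SELinux or ACLs); the function names and the temporary demo tree are constructed.

```shell
#!/bin/sh
# Constructed helper (not from the thread): report the directory that stops a
# process matching only the "other" permission class from reaching a file.

# other_can_search DIR: true if the 10th character of the ls -ld mode
# string is x, or t (sticky bit with search), e.g. drwxr-xr-x or drwxrwxrwt.
other_can_search() {
    case $(ls -ld "$1" | cut -c10) in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# first_blocked_dir FILE [TOP]: walk from FILE's directory up to TOP
# (default /) and print the blocked directory closest to TOP, which is the
# first one path resolution would fail on. Prints nothing if none is blocked.
first_blocked_dir() {
    dir=$(dirname "$1")
    top=${2:-/}
    blocked=
    while :; do
        other_can_search "$dir" || blocked=$dir
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ] || [ "$dir" = "." ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    [ -n "$blocked" ] && printf '%s\n' "$blocked"
    return 0
}

# Constructed demo tree standing in for /var/log/httpd/access_log.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/var/log/httpd"
    : > "$root/var/log/httpd/access_log"
    chmod 755 "$root" "$root/var" "$root/var/log"
    chmod 644 "$root/var/log/httpd/access_log"
    chmod 700 "$root/var/log/httpd"          # as in the ls -ld output above
    before=$(first_blocked_dir "$root/var/log/httpd/access_log" "$root")
    chmod 711 "$root/var/log/httpd"          # search only, no listing
    after=$(first_blocked_dir "$root/var/log/httpd/access_log" "$root")
    rm -rf "$root"
    printf 'before=%s after=%s\n' "${before#"$root"}" "$after"
}

demo
```

Mode 711 grants search without listing, so a process in the "other" class can open access_log by name but cannot enumerate the directory; 755 additionally allows listing.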



Re: [users@httpd] how to enable CGI scripts to read /var/log/httpd/access_log ?

Posted by Bennett Haselton <be...@peacefire.org>.
At 04:02 PM 2/11/2008 -0700, Doug McNutt wrote:
>At 14:19 -0800 2/11/08, Bennett Haselton wrote:
> >My CGI scripts can read world-readable files when those files are under
> >/var/www, just not when the world-readable files are located anywhere else.
>
>That could be because some intermediate directory(s) don't have the 
>necessary x and r permissions for world. (And you might not like that.)

Uhh... Yep.  That was it.

[root@sls-ce3p12 ~]# ls -ld /var/log/httpd
drwx------  2 root root 4096 Feb 10 05:53 /var/log/httpd

Changing that to 755 made it possible for the CGI script to read the 
access_log file.  Thanks!

Don't know why I didn't think to check that.  I guess I was thinking in 
terms of Windows where (I think) permissions on individual directories are 
not inherited to sub-directories.

         -Bennett

bennett@peacefire.org     http://www.peacefire.org
(425) 497 9002




Re: [users@httpd] how to enable CGI scripts to read /var/log/httpd/access_log ?

Posted by Doug McNutt <do...@macnauchtan.com>.
At 14:19 -0800 2/11/08, Bennett Haselton wrote:
>My CGI scripts can read world-readable files when those files are under /var/www, just not when the world-readable files are located anywhere else.

That could be because some intermediate directory(s) don't have the necessary x and r permissions for world. (And you might not like that.)
-- 

--> From the U S of A, the only socialist country that refuses to admit it. <--
