Posted to users@httpd.apache.org by Chuck Crisler <ch...@comcast.net> on 2009/08/27 03:29:09 UTC
Re: [users@httpd] permission problem (still)
On Fri, 2009-08-21 at 09:37 +0100, Tom Evans wrote:
> If it was owned by user apache, then if the webserver were exploitable,
> the attacker would be able to deface your website. If it is just
> readable by apache, then they would need to exploit apache and then find
> a local privilege escalation to do so.
Thank you for pointing out what should have been obvious.
>
When I try to execute scripts from my cgi-bin directory, I am blocked by
a permission problem. In Firefox, I am using
http://localhost/cgi-bin/env.pl as the address line.
My cgi-bin directory (/var/www/cgi-bin) is owned by root with these
permissions drwxr-xr-x. This is from my httpd.conf
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options Indexes FollowSymLinks ExecCGI Includes
    Order deny,allow
    Allow from all
</Directory>
However, when I try to execute any script from that directory, I get
this error.
[Wed Aug 26 21:21:05 2009] [error] [client 127.0.0.1] (13)Permission denied: access to /cgi-bin/env.pl denied
BTW: my serverroot is defined as:
ServerRoot "/etc/httpd"
My document root is defined as:
DocumentRoot "/var/www/html"
The Perl files in the cgi-bin directory are owned by root with these
permissions: rwxr-xr-x. I also tried to create a cgi-bin directory under
my home directory (making all of the changes needed in httpd.conf), and I
set the permissions correctly (I think).
> They don't have to be owned by root, they just need to be readable by
> apache and correctly configured. Your doc root, and all the files under
> there, can be owned by your local user. You only need root privileges to
> start/stop apache.
What about cgi-bin? It is parallel to doc-root.
All help is greatly appreciated!
Chuck
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
Re: [users@httpd] permission problem (still)
Posted by Chuck Crisler <ch...@comcast.net>.
On Thu, 2009-08-27 at 12:13 +0200, André Warnier wrote:
> Chuck Crisler wrote:
> > On Fri, 2009-08-21 at 09:37 +0100, Tom Evans wrote:
> >
> >
> > My cgi-bin directory (/var/www/cgi-bin) is owned by root with these
> > permissions drwxr-xr-x. This is from my httpd.conf
> >
> Hi.
> On my Linux (Debian) systems, the cgi-bin directories - and the scripts
> in them - have an owner "root", but a group "www-data", and are executable
> by this group "www-data".
On Fedora, the user/group is apache/apache. The directories and files
are owned by root/root. My directories and files are all rwxr-xr-x. At
least, the ones that I have looked at. That should mean that everyone
can execute the scripts in my cgi-bin directory. My httpd.conf file also
specifies allow all in the cgi-bin directory directives. Once I get it
working I will change that to be more restrictive.
I suspect that somehow I am specifying the directory wrong and it isn't
using the right cgi-bin directory. The permissions are correct and it
should work if it was using the intended directory. I created a cgi-bin
directory under my home directory and changed the httpd.conf file
appropriately (I think) and that didn't make a difference. Yes, I made
sure that the directory and file permissions were correct. I stop and
then start apache when I modify the httpd.conf file rather than simply
re-start. I do this from the services app.
I have Mason installed and the Perl scripts are routed through it. I
wonder if that could be causing a problem? I have tried commenting out
the Mason portions of the httpd.conf file and that didn't make any
difference. Is there a way to see the entire directory name in the error
log?
Chuck
>
> Apache starts up as root (which allows it to open a listening port 80),
> but then (in a prefork config at least), the children run as
> www-data/www-data.
> (See the User and Group directives in your conf file).
> I presume that cgi-bins must be executable by the user/group the Apache
> children run as.
>
>
Re: [users@httpd] permission problem (still)
Posted by André Warnier <aw...@ice-sa.com>.
Chuck Crisler wrote:
> On Fri, 2009-08-21 at 09:37 +0100, Tom Evans wrote:
>
>
> My cgi-bin directory (/var/www/cgi-bin) is owned by root with these
> permissions drwxr-xr-x. This is from my httpd.conf
>
Hi.
On my Linux (Debian) systems, the cgi-bin directories - and the scripts
in them - have an owner "root", but a group "www-data", and are executable
by this group "www-data".
Apache starts up as root (which allows it to open a listening port 80),
but then (in a prefork config at least), the children run as
www-data/www-data.
(See the User and Group directives in your conf file).
I presume that cgi-bins must be executable by the user/group the Apache
children run as.
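Added example, not part of any message in this thread: a Python check that walks every directory on the way to a CGI script and evaluates the mode bits as they apply to the account the Apache children run as, and also flags anything that account could write (the defacement exposure Tom Evans describes). The directory tree, the `audit_path` and `build_sample_tree` names, and the server uid/gid (assumed to be neither the owner nor in the owning group) are constructed for illustration.

```python
import os
import stat
import tempfile

def applicable_bits(st, uid, gids):
    """rwx bits (0-7) the kernel applies to a non-root uid with these groups."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_path(path, uid, gids, top=os.sep):
    """Check each component below `top` on the way to `path` for the server account."""
    path, top = os.path.realpath(path), os.path.realpath(top)
    findings, current = [], top
    for part in os.path.relpath(path, top).split(os.sep):
        current = os.path.join(current, part)
        st = os.stat(current)
        bits = applicable_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if not (bits & 1):
                findings.append((current, "no search (x) permission on directory"))
        elif (bits & 5) != 5:
            findings.append((current, "script is not readable and executable"))
        if bits & 2:
            findings.append((current, "writable by the server account"))
    return findings

def build_sample_tree():
    """Constructed sample: one cgi-bin under var/www, one under a 0700 home directory."""
    base, scripts = tempfile.mkdtemp(), []
    for rel in ("var/www/cgi-bin", "home/chuck/cgi-bin"):
        os.makedirs(os.path.join(base, rel))
        scripts.append(os.path.join(base, rel, "env.pl"))
        with open(scripts[-1], "w") as fh:
            fh.write("#!/usr/bin/perl\n")
    for dirpath, _dirs, files in os.walk(base):
        for name in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            os.chmod(name, 0o755)
    os.chmod(os.path.join(base, "home", "chuck"), 0o700)
    return base, scripts

if __name__ == "__main__":
    base, scripts = build_sample_tree()
    owner = os.stat(base)
    # Assumption: the server account is neither the owner nor in the owning group.
    for script in scripts:
        print(script, audit_path(script, owner.st_uid + 1, {owner.st_gid + 1}, top=base))
```

On a real host, call `audit_path("/var/www/cgi-bin/env.pl", uid, gids)` with the uid and groups of the account named by the User and Group directives. Only the classic mode bits are evaluated, and the logic does not apply to root.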