Permissions of web server folders (cgi-bin, var/www/html)
I am trying to set up a Linux web server but am a little confused about the permissions I should set for the folders associated with the web server.
Currently, I have my /var/www/html folder set to root access as well as my /cgi-bin/ folder. I read something about setting the /cgi-bin/ folder to user nobody. Can someone explain what permissions I should set these folders to, and what setting nobody does? Thanks!
You should set the owner and group for these directories and files to the user and group for the web-server process. So, if your server starts the Apache httpd server process as user nobody, then your web files should have the same ownership. My Apache server is started by user "apache", so my files are owned by apache - not nobody and not root. I also implement SE-Linux to enhance security on my publicly accessible web server.
Are you sure it is running as root? I'm fairly sure the default settings in F8 would have the apache user running Apache, not root. Check using "ps -ef | grep http" from the command line, and hopefully all processes will be owned by apache.
If not, then you need to explain to us how you start Apache and perhaps how you installed it.
Last edited by blacky_5251; 05-13-2008 at 01:33 AM.
But the thing that I don't understand is that all my directories in /var/www are all still root privilege. Should I change the permissions to user=Apache, Group=apache? Should those directories be Apache user/group by default??
So I guess I showed I'm a newbie in my last post. I figured my own question out. I should keep the permissions at root the same. The user apache will run as other user in this case.
My other question though, is that I am running a CGI script in /cgi-bin/script.cgi, and want to write to a crontab file in /home/jma/Documents/cron-tab. I can't seem to write to that file though. My permission for script.cgi is 755 and my permissions for cron-tab is 777. Can anyone tell me what I'm doing wrong? The CGI script (script.cgi) is just.....
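print "Content-type: text/html\n\n";
# The open() call is not shown in the post; append mode is assumed here.
open(OUT, '>>', '/home/jma/Documents/cron-tab') or die "Cannot open cron-tab: $!";
print OUT "blah\n";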
User 'apache' certainly has no permissions to write to location '/home/jma/Documents/cron-tab', unless user 'jma' belongs to group apache or has all its files and directories set to be owned by apache.
It is also not clear what you expect from a crontab file written that way. Based on the filename maybe you expect it to provide some 'cron' action. I would suggest you read the man pages for cron.
I basically have a webpage that takes input from the user. I want to process the output of that HTML form and do a specific action with a Perl script. The Perl script will take arguments from what the user specified in the HTML form and would run in cron. I can't seem to write any of the data to a .txt file much less cron file. I created a new user/group called Niners and created a .txt file in /home/Niners/niners.txt. I edited the /etc/httpd/conf/http.conf file to have User=Niners, Group=Niners. Restarted and started the server. Yet I still can't write to the txt file in the Niners home directory. Keep getting a permission denied error message. What am I doing wrong?
There certainly are. SELinux will protect your server if the httpd service is compromised by preventing the hacked httpd service from accessing anything that it would not normally have access to - like users' home directories. For example, it will prevent httpd from gaining root user status using buffer exploits.
Perhaps you could record your output in /var/log/httpd rather than /home? The apache process has access to this directory under the SELinux policy.
It is always easy to find reasons to turn SELinux off, which is what you've done by setting it to permissive mode (it is now only reporting the things it would have prevented). A better challenge for you is to learn to work within the security parameters imposed by SELinux.
Last edited by blacky_5251; 05-13-2008 at 10:10 PM.
The log directory is accessible only in the httpd logging context, which you aren't working in. Perhaps create a directory under /var/www that you can then write to from the httpd process.
Other useful SELinux commands are:-
Used to show all SELinux boolean variables. Use commands like this to look for http and cgi boolean variables and their current values:-
getsebool -a | grep cgi
getsebool -a | grep http
Use this to set a boolean value. The -P is required if you want to make the change persistent across reboots.
Toggles a boolean value
Also, use the SELinux Trouble Shooter on your GUI desktop. Double click the Sheriff star at the top-right of your screen and you'll see the SELinux error log, and in most cases, suggestions about how to resolve the problems - e.g. booleans that could be changed to allow the blocked behaviour.
Last edited by blacky_5251; 05-14-2008 at 12:19 AM.
I finally got it to work with my home directory and SE Linux enabled. I had to change the context of my home directory... Like what Blacky said, it seems that SE Linux will only allow Apache to run on directories that have the httpd context. I could have either found a directory that had that context or changed the context of another directory to enable me to write to a file in that directory.
Here are the commands that I used.
chcon -R -t httpd_sys_content_t /home/jma (changes my home directory to have the httpd context so that an Apache process can run in this directory)
chmod 775 /home/jma
Thanks for everyone's help. I understand Linux permissions much better than when I first started.
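
Why mode 777 on cron-tab alone did not let the CGI script write to it, and why chmod 775 /home/jma was part of the fix: every directory on the way to the file must grant search (x) permission to the web server user. The script below is an added example, not code from any poster in the thread; the function names and the temporary directory tree are constructed for illustration, the 700 starting mode of the home directory is an assumption, and only the "other" permission bits are checked (SELinux is not modelled).

```shell
#!/bin/sh
# Added example (not from the thread). Requires GNU stat, as on Linux.

# other_bits PATH: print the "other" permission digit (0-7) of PATH.
other_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    echo "${mode#"${mode%?}"}"
}

# first_blocker BASE RELPATH: walk RELPATH below BASE and print the first
# component that stops a process that is neither owner nor group member.
# Directories need x (search); the final file needs w (write).
# Prints "none" and returns 0 if nothing blocks.
first_blocker() {
    path=${1%/}
    old_ifs=$IFS; IFS=/
    set -- $2
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        path="$path/$part"
        bits=$(other_bits "$path") || { echo "missing:$path"; return 2; }
        if [ -d "$path" ]; then need=1; else need=2; fi
        [ $(( bits & need )) -ne 0 ] || { echo "$path"; return 1; }
    done
    echo "none"
}

# make_demo_tree: constructed stand-in for the layout in the thread.
# Prints the temporary base directory.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/home/jma/Documents"
    : > "$base/home/jma/Documents/cron-tab"
    chmod 777 "$base/home/jma/Documents/cron-tab"   # file mode from the post
    chmod 755 "$base/home" "$base/home/jma/Documents"
    chmod 700 "$base/home/jma"                       # assumed default home mode
    echo "$base"
}

demo_base=$(make_demo_tree)
echo "before: $(first_blocker "$demo_base" home/jma/Documents/cron-tab)"
chmod 775 "$demo_base/home/jma"                      # the fix used in the thread
echo "after:  $(first_blocker "$demo_base" home/jma/Documents/cron-tab)"
rm -rf "$demo_base"
```

On a real system the same check is first_blocker / home/jma/Documents/cron-tab. A dedicated writable directory under /var/www, as suggested earlier in the thread, avoids opening the whole home directory to other users.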