Permissions of web server folders(cgi-bin, var/www/html)
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Permissions of web server folders(cgi-bin, var/www/html)
I am trying to setup a linux web server but am a little confused about the permissions I should set for the folders associated with the web server.
Currently, I have my /var/www/html folder set to root access as well as my /cgi-bin/ folder. I read something about setting the /cgi-bin/ folder to user nobody. Can someone explain what permissions I should set these folders too, and what setting nobody does? Thanks/!
You should set the owner and group for these directories and files to the user and group for the web-server process. So, if your server starts the Apache httpd server process as user nobody, then your web files should have the same ownership. My Apache server is started by user "apache", so my files are owned by apache - not nobody and not root. I also implement SE-Linux to enhance security on my publicly accessible web server.
Are you sure it is running as root? I'm fairly sure the default settings in F8 would have the apache user running Apache, not root. Check using "ps -ef | grep http" from the command line, and hopefully all processes will be owned by apache.
If not, then you need to explain to us how you start Apache and perhaps how you installed it.
Last edited by blacky_5251; 05-13-2008 at 12:33 AM.
I started apache by issuing the command...
/sbin/service httpd start
You are right, the default user and group is Apache. I looked at my httpd.conf file and it is inded Apache as user/group. This is what the output looks like after I do a ps -ef | grep http.....
But the thing that I don't understand is that all my directories in /var/www are all still root privelege. Should I change the permissions to user=Apache, Group=apache? Should those directories be Apache user/group by default??
So I guess I showed I'm a newbie in my last post. I figured my own question out. I should keep the permissions at root the same. The user apache will run as other user in this case.
My other question though, is that I am running a CGI script in /cgi-bin/script.cgi, and want to write to a crontab file in /home/jma/Documents/cron-tab. I can't seem to write to that file though. My permission for script.cgi is 755 and my permissions for cron-tab is 777. Can anyone tell me what I'm doing wrong. The cgi script(script.cgi) is just.....
#!/usr/bin/perl
use CGI;
print "Content-type: text/html\n\n";
open(OUT, ">>/home/jma/Documents/cron-tab");
print OUT "blah\n";
User 'apache' has certainly no permissions to write to location '/home/jma/Documents/cron-tab', unless user 'jma' belongs to group apache or has all it's files and directories set to be owned by apache.
It is also not clear what you expect from a crontab file written that way. Based on the filename maybe you expect it to provide some 'cron' action. I would suggest you read the man pages for cron.
I basically have a webpage that takes input from the user. I want to process the output of that html form and do a specific action with perl script. The perl script will take arguments from what the user specified in the html form and would run in cron. I can't seem to write any of the data to a .txt file much less cron file. I created a new user/group called Niners and created a .txt file in /home/Niners/niners.txt. I edited the /etc/httpd/conf/http.conf file to have User=Niners, Group=Niners. Restarted and started the server. Yet I still can't write to the txt file in the Niners home directory. Keep getting a permission denied error message. What am I doing wrong?
The Niners home dir needs to be in the apache group.
In many systems, the apache software runs as the user/group nobody, instead of apache/apache.
Its distro specific I believe.
I found out the problem. It seems like since I had set SELinux set to enabled. When I turned it to Permissive it seemed to work. Are there any security ramifications in doing this?
There certainly are. SELinux will protect your server if the httpd service is compromised by preventing the hacked httpd service from accessing anything that it would not normally have access to - like user's home directories. For example, it will prevent httpd from gaining root user status using buffer exploits.
Perhaps you could record your output in /var/log/httpd rather than /home? The apache process has access to this directory under the SELinux policy.
It is always easy to find reasons to turn SELinux off, which is what you've done by setting it to permissive mode (it is now only reporting the things it would have prevented). A better challenge for you is to learn to work within the security parameters imposed by SELinux
Last edited by blacky_5251; 05-13-2008 at 09:10 PM.
Hmm...I tried to write to /var/log/httpd with SELinux enabled yet I still get a permission denied message. Is there another folder that apache process has access to. I am using Fedora 8.
Sorry, I led you up the garden path with /var/log/httpd
What you need to do is find a directory that has a context of httpd_sys_content_t. The -Z option for the "ls" command shows SELinux context information about files and directories. For example:-
The log directory is accessible only in the httpd logging context, which you aren't working in. Perhaps create a directory under /var/www that you can then write to from the httpd process.
Other useful SELinux commands are:-
getsebool -a
Used to show all SELinux boolean variables. Use commands like this to look for http and cgi boolean variables and their current values:-
Code:
getsebool -a | grep cgi
getsebool -a | grep http
setsebool -P
Use this to set a boolean value. The -P is required if you want to make the change persistent across reboots.
togglesebool
Toggles a boolean value
Also, use the SELinux Trouble Shooter on your GUI desktop. Double click the Sheriff star at the top-right of your screen and you'll see the SELinux error log, and in most cases, suggestions about how to resolve the problems - e.g. booleans that could be changed to allow the blocked behaviour.
Last edited by blacky_5251; 05-13-2008 at 11:19 PM.
I finally got it to work with my home directory and SE Linux enabled. I had to change the context of my home directory...Like what Blacky said it seems that Se Linux will only allow Apache to run on directories that have the httpd context. I could have either found a directory that had that context or change the context of another directory to enable me to write to a file in that directory.
Here are the commands that I used.
chcon -r httpd_sys_content_t/home/jma(changes my home directory to have httpd context so that I can have an apache process can run in this directory)
chmod 775 /home/jma
Thanks for everyone's help. I understand Linux permissions much better then when I first started.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.