LinuxQuestions.org
Old 12-21-2005, 07:08 PM   #1
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Rep: Reputation: 15
Couldn't create socket: Permission denied


How can I solve this problem? I'm testing a CGI proxy script and this is the message I'm getting from the script. I'm using Fedora 4.
 
Old 12-21-2005, 07:44 PM   #2
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86; Gentoo PPC; Gentoo Sparc64; FreeBSD; OS X; Solaris
Posts: 3,731
Blog Entries: 4

Rep: Reputation: 64
You must be root to bind to a port < 1024
 
Old 12-21-2005, 08:06 PM   #3
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Thanks for the quick response.

Now, this is a CGI script running from my web server. I made it 777 and it is owned by root. What else can I do? The same script is running well from my dedicated server; it is my home server where I have problems.

Last edited by piforever; 12-21-2005 at 08:08 PM.
 
Old 12-21-2005, 08:34 PM   #4
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86; Gentoo PPC; Gentoo Sparc64; FreeBSD; OS X; Solaris
Posts: 3,731
Blog Entries: 4

Rep: Reputation: 64
If it is running on the webserver, then it will be running as the server's uid, not root...
Best solution is to change the script so it uses a port greater than 1024. You can also make the script suid root, but this is very bad security-wise, and I would not recommend it unless the server is not publicly accessible, and you can trust your local users.
 
Old 12-22-2005, 06:26 AM   #5
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Thanks.

That is weird. I just opened the script and looked in it for the error message, hoping I might find a clue, but I could not find the message in the CGI script. So it seems this is related to how Perl is installed on my server. When I installed the system I picked web server configurations and added extra things.

chmod 4755 cgi_script << Is this how it should be done? Because I tried it but it did not work; in this case the CGI will not work at all. So I changed it back to 755. The file is root:root.

Last edited by piforever; 12-22-2005 at 06:27 AM.
 
Old 12-22-2005, 07:43 AM   #6
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86; Gentoo PPC; Gentoo Sparc64; FreeBSD; OS X; Solaris
Posts: 3,731
Blog Entries: 4

Rep: Reputation: 64
Quote:
I could not find the message in the CGI script
Yeah, that's because the error is coming from the kernel...

Quote:
chmod 4755 cgi_script
Yeah, that will make it setuid. Same error message?

Not sure what to tell you. You say it's working fine on a different server; can you not compare the configuration with the one that works?
 
Old 12-22-2005, 07:57 AM   #7
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by bulliver
Yeah, that's because the error is coming from the kernel...



Yeah, that will make it setuid. Same error message?

Not sure what to tell you. You say it's working fine on a different server; can you not compare the configuration with the one that works?
I don't know if it is possible. The other server is controlled by Plesk and the system is RH 9. My server at home is Fedora Core 4.

Now, when you chmod a CGI script to 4755, are you expecting it to run like any CGI script or not? Because in my case it does not run at all; it has to be 755 or 777 to run! Probably if I can fix this problem and the CGI script executes even if the permission is 4755, this could resolve the problem.

What are the security problems if it runs in this mode?

And many thanks for the help. I really appreciate that.
 
Old 12-22-2005, 03:27 PM   #8
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86; Gentoo PPC; Gentoo Sparc64; FreeBSD; OS X; Solaris
Posts: 3,731
Blog Entries: 4

Rep: Reputation: 64
Quote:
Now, when you chmod a CGI script to 4755, are you expecting it to run like any CGI script or not? Because in my case it does not run at all; it has to be 755 or 777 to run! Probably if I can fix this problem and the CGI script executes even if the permission is 4755, this could resolve the problem.
suid should make the script run as the script's owner, no matter who runs it, i.e. root.

Quote:
What are the security problems if it runs in this mode?
The fact that it runs as root is a security problem in itself. I don't know what your script does, but if it is exploitable, then the exploiter will have root access to your system! As I mentioned, I heartily recommend _not_ making it suid if your server is available over the internet at large...

You have not given any info on what your cgi script does, but the best solution to your problem is to edit the script and see if you cannot make it use a port greater than 1024. If you can do this, then the socket call does not require root privileges.

As for the script not running when suid, perhaps this is the problem:
Code:
# This `suexec` module provides the ability to execute CGI scripts under
# a different user than apache is run.
#
LoadModule suexec_module                 modules/mod_suexec.so
Perhaps you don't have this apache module loaded, in which case the script will not run suid...
 
Old 12-22-2005, 04:20 PM   #9
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Thanks for the explanation.

The script I'm using is basically a CGI proxy; I'm sure you know it. http://www.jmarshall.com/tools/cgiproxy/

Is it OK to assume that a vulnerability will occur only if the CGI is not known, like if a user asked me to make his script root? But for a script like the one I'm using, where we know everything about it, will it be OK to make it root?
 
Old 12-22-2005, 04:52 PM   #10
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Hi,

Let me start by saying.....ThAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnk yOuuuuuuuuuu for all the explanation....I learned a lot from the discussion with you.

The solution of the problem was by turning off the SELinux protection for httpd daemon!!!!!!

Can you explain what the hell is that thing?!!!! Is it important??? Shall I turn it off for the rest??? I got the idea by looking at stanton-finley tutorial.

Kind Regards,

Last edited by piforever; 12-22-2005 at 04:55 PM.
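
An added example, not part of the thread: post #10 resolved the error by turning off SELinux protection for httpd. SELinux logs each blocked operation as an AVC denial record, and this Python sketch tallies socket denials from httpd domains so the specific operation being refused is visible. The log lines are constructed, and the `httpd*` domain-name filter and the script name `proxy.cgi` are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the AVC record format; not taken from the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1135288001.101:41): avc:  denied  { create } for  pid=2311 comm="proxy.cgi" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
type=AVC msg=audit(1135288002.207:42): avc:  denied  { create } for  pid=2312 comm="proxy.cgi" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
type=AVC msg=audit(1135288003.310:43): avc:  denied  { name_connect } for  pid=2320 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1135288004.412:44): avc:  denied  { read } for  pid=2400 comm="ntpd" name="drift" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1135288004.412:44): arch=40000003 syscall=5 success=no exit=-13 comm="ntpd"
type=AVC msg=audit(1135288005.515:45): avc:  granted  { setenforce } for  pid=2500 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Fields of a denial: permission set, command name, source context, object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)')


def httpd_socket_denials(log_text):
    """Count denied socket operations made by httpd-related domains.

    Returns a Counter keyed by (domain, comm, tclass, permission).
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # other record types, or 'granted' rather than 'denied'
        fields = m.group("scontext").split(":")  # user:role:type[:level]
        domain = fields[2] if len(fields) > 2 else m.group("scontext")
        # Assumption: web server and CGI domains are named httpd*.
        if not domain.startswith("httpd"):
            continue
        if not m.group("tclass").endswith("socket"):
            continue  # keep only socket object classes (tcp_socket, ...)
        for perm in m.group("perms").split():
            counts[(domain, m.group("comm"), m.group("tclass"), perm)] += 1
    return counts


if __name__ == "__main__":
    for key, n in httpd_socket_denials(SAMPLE_LOG).most_common():
        domain, comm, tclass, perm = key
        print(f"{n:3d}  {domain:20s} {comm:12s} {tclass}:{perm}")
```

A `create` denial on `tcp_socket` from a CGI script domain lines up with the "Couldn't create socket: Permission denied" message in the thread title, and it identifies one operation to review rather than the whole httpd policy.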
 
  

