LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 12-13-2010, 10:23 AM   #1
apomatix
LQ Newbie
 
Registered: Jun 2008
Location: Near Boston, MA, USA
Distribution: SuSE
Posts: 7

Rep: Reputation: 0
Why is apache user's filesystem access restricted?


In CGI scripts, there are certain files that are getting "permission denied" when it seems they should be accessible by the apache user. I am running the default package install of apache under Fedora. Here is an example:

The following is /var/www/cgi-bin/test.pl

Code:
#!/usr/bin/perl
use strict;
use CGI;

print CGI->header, CGI->pre;
my $file = "/home/ep/x";

if(open FH, $file)  {
  while(<FH>)  {
    print;
  }
}  else  {
  print "Couldn't open $file: $!";
}
If I run it from the command line,
Code:
sudo -u apache /var/www/cgi-bin/test.pl
it runs fine, but when I open http://localhost/cgi-bin/test.pl I get this error message:

Code:
Couldn't open /home/ep/x: Permission denied
Here are file listings:
Code:
% ls -l /home/
total 4
drwxr-xr-x. 24 ep ep 4096 Dec 13 11:07 ep
% ls -l /home/ep/x
-rw-r--r--. 1 ep ep 447 Dec 13 10:50 /home/ep/x
It seems like apache should be able to open this file. When I set up the same things under Ubuntu I have no problem. This is a big problem for me because I can't open my Perl modules from CGI scripts. What am I doing wrong?

Thanks,

Brad
 
Old 12-13-2010, 07:45 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
If the apache user can access that part of the file system then maybe the server configuration is preventing access. Have you tried setting up a directory entry in the .conf file to allow access to that directory?
 
Old 12-13-2010, 09:02 PM   #3
apomatix
LQ Newbie
 
Registered: Jun 2008
Location: Near Boston, MA, USA
Distribution: SuSE
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by gilead View Post
If the apache user can access that part of the file system then maybe the server configuration is preventing access. Have you tried setting up a directory entry in the .conf file to allow access to that directory?
Thank you for the suggestion, gilead.

I tried adding the following to my httpd.conf file, then restarting apache:

Code:
<Directory /home/ep>
    Order allow,deny
    Allow from all
</Directory>
but it doesn't seem to change the result. Is this the kind of directive you had in mind? Does apache still have any say over filesystem access once the CGI program starts?
 
Old 12-13-2010, 09:59 PM   #4
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
Apache can control access to the filesystem - but I only found limited info on interaction between the Apache process and the running of CGI scripts.

Can you copy the /home/ep/x file to a location that you already know the scripts can see to confirm whether this might be the problem?
 
Old 12-13-2010, 10:49 PM   #5
apomatix
LQ Newbie
 
Registered: Jun 2008
Location: Near Boston, MA, USA
Distribution: SuSE
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by gilead View Post
Apache can control access to the filesystem - but I only found limited info on interaction between the Apache process and the running of CGI scripts.

Can you copy the /home/ep/x file to a location that you already know the scripts can see to confirm whether this might be the problem?
Yes I can place the file in /var/www/cgi-bin/x or in /x and it seems to work fine. If I put it in /home/x it gives the "Permission denied" error. Relevant directory listings:

Code:
% ls -l /var/www/cgi-bin/x
-rw-rw-r--. 1 ep ep 80 Dec 13 14:16 /var/www/cgi-bin/x
% ls -l /x
-rw-rw-r--. 1 ep ep 80 Dec 13 14:16 /x
% ls -ld /home
drwxr-xr-x. 3 root root 4096 Dec 13 14:17 /home
% ls -l /home/x
-rw-r--r--. 1 root root 80 Dec 13 14:17 /home/x
% ls -ld /home/ep
drwxr-xr-x. 26 ep ep 4096 Dec 13 14:09 /home/ep
% ls -l /home/ep/x
-rw-rw-r--. 1 ep ep 447 Dec 13 14:09 /home/ep/x
Could /home somehow be toxic to CGI scripts in my configuration? Thanks for your help.
 
Old 12-14-2010, 12:00 AM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,349

Rep: Reputation: 2750
I'm pretty sure you have to set the ScriptAlias directive or equiv in the conf file. http://httpd.apache.org/docs/2.0/howto/cgi.html
 
Old 12-14-2010, 10:24 AM   #7
apomatix
LQ Newbie
 
Registered: Jun 2008
Location: Near Boston, MA, USA
Distribution: SuSE
Posts: 7

Original Poster
Rep: Reputation: 0
Solution

I found the problem: SELinux is running. If I type

Code:
sudo getenforce
it says "Enforcing". If I turn it off with

Code:
sudo setenforce 0
then everything works fine! I guess SELinux is the default for Fedora.

Thanks for everyone's help!
 
Old 12-14-2010, 10:47 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
While disabling SELinux at first glance seems to be the perfect solution, do ask yourself if any "extra" security should really be disabled on 'net-facing networks, if you're a novice web developer or when running Pretty Horrific Programming (PHP) applications. SELinux has tunable settings ('getsebool -a | grep http') for allowing the web server access to content in /home and more.
 
1 members found this post helpful.
Old 12-14-2010, 04:51 PM   #9
apomatix
LQ Newbie
 
Registered: Jun 2008
Location: Near Boston, MA, USA
Distribution: SuSE
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
While disabling SELinux at first glance seems to be the perfect solution, do ask yourself if any "extra" security should really be disabled on 'net-facing networks, if you're a novice web developer or when running Pretty Horrific Programming (PHP) applications. SELinux has tunable settings ('getsebool -a | grep http') for allowing the web server access to content in /home and more.

Thanks for the tips, unSpawn. A better solution would be to release only those resources necessary for my application. Time to read up on SELinux.
 
Old 12-15-2010, 04:56 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
If setroubleshootd and auditd are installed and enabled and you boot into runlevel 5 (GUI) then you should have seen warnings pop up. If you're in a CLI-only environment then you have to check things yourself. Quickest way in the GUI would be to browse events using 'sealert -b', in the CLI you could 'audit2allow -ave > /tmp/a2a.log; less /tmp/a2a.log' and review the explanations. If you have any questions wrt tool output or SELinux in general feel free to create a new thread in this or the Security forum.
 
1 members found this post helpful.
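
The thread ends with the advice to read the SELinux denials instead of switching enforcement off. As an added example (not part of the thread; the log lines are constructed in the standard audit.log AVC format and the function names are hypothetical), this Python script groups denials by source type, target type and object class, the same fields audit2allow works from:

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1292255400.101:310): avc:  denied  { search } for  pid=2101 comm="test.pl" name="ep" dev=dm-0 ino=131073 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1292255400.101:310): arch=c000003e syscall=2 success=no exit=-13 comm="test.pl" exe="/usr/bin/perl"
type=AVC msg=audit(1292255460.555:318): avc:  denied  { read open } for  pid=2144 comm="test.pl" name="x" dev=dm-0 ino=131080 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1292255470.002:321): avc:  denied  { search } for  pid=2150 comm="test.pl" name="ep" dev=dm-0 ino=131073 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=USER_AUTH msg=audit(1292255480.000:322): pid=2200 uid=0 msg='op=PAM:authentication acct="ep" res=success'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarise_denials(log_text):
    """Group AVC denials by (source type, target type, object class)."""
    summary = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        if not line.startswith("type=AVC "):
            continue  # SYSCALL, USER_AUTH, ... records are not denials
        m = AVC_RE.search(line)
        if not m:
            continue  # truncated or malformed AVC record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue
        key = (selinux_type(fields["scontext"]), selinux_type(fields["tcontext"]), fields["tclass"])
        entry = summary[key]
        entry["perms"].update(m.group("perms").split())
        entry["comms"].add(fields.get("comm", "?"))
        entry["count"] += 1
    return dict(summary)


if __name__ == "__main__":
    for (src, tgt, cls), e in sorted(summarise_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(e['perms']))} }} x{e['count']} comm={sorted(e['comms'])}")
```

On a live system the same records are in /var/log/audit/audit.log when auditd is running. The type in scontext is the point: SELinux decides on the process domain, not the Unix user, which is why the same script can behave differently when started from a login shell with sudo.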
  

