CGI on C++ under Apache


[ai]
4th February 2005, 02:52 PM
Hello everyone!
I try to develop CGI programs (with C++) in FC3 and I faced such a problem. I cannot gain access to the file system from it. I try to make a simple program which only calls fopen() to read or write a file that has 777 access mode and is located in a directory with the same mode. If I start my program from a terminal it works perfectly. But when I start it from a browser (localhost/cgi-bin/temp.cgi) it just doesn't work. fopen returns NULL and strerror(errno) returns "Permission denied". I even tried the SUID bit with the root user. I logged in as the "apache" user (that wasn't easy) and ensured that the apache process itself has no problems with access. So now I have no ideas what is wrong. Do you?

macemoneta
4th February 2005, 07:38 PM
Does /var/log/messages show any avc denied messages when you try it from a browser?

grep -i denied /var/log/messages
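An added example, not part of macemoneta's reply or of the original thread, that goes one step past the grep above: it reads syslog-style lines and prints a one-line summary of each AVC denial (permission, object class, source type and target type), which is the information you need before deciding whether a file context or a script location is wrong. The sample lines are constructed to mirror the format of the AVC messages quoted later in this thread; the host name and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials from
# syslog-style lines. The sample lines below are constructed to match the
# format of the denials quoted in this thread; they are not real log output.

# Constructed sample input: a file read denial, a capability denial, and an
# unrelated message that must be ignored.
SAMPLE_LOG='Feb 5 08:27:33 host kernel: audit(1107592053.784:0): avc: denied { read } for pid=3944 exe=/var/www/html/temp.cgi name=file.txt dev=hda2 ino=1277 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:root_t tclass=file
Feb 5 08:56:27 host kernel: audit(1107593787.920:0): avc: denied { dac_override } for pid=4849 exe=/var/www/html/temp.cgi capability=1 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=capability
Feb 5 09:00:00 host kernel: some unrelated message'

# avc_field LINE KEY: print the value of "KEY=value" in an AVC line (empty if absent).
# The leading whitespace anchor keeps "scontext=" from matching inside "tcontext=".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: print the denied permission written between the braces.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*avc: denied { \([^}]*\) }.*/\1/p' | tr -d ' '
}

# selinux_type CONTEXT: the type component of a user:role:type context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# summarise_avc LINE: print "PERM TCLASS SOURCE_TYPE -> TARGET_TYPE [name=FILE]".
# Prints nothing and returns 1 for lines that are not AVC denials.
summarise_avc() {
    line=$1
    perm=$(avc_perm "$line")
    [ -n "$perm" ] || return 1
    src=$(selinux_type "$(avc_field "$line" scontext)")
    tgt=$(selinux_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    name=$(avc_field "$line" name)
    if [ -n "$name" ]; then
        printf '%s %s %s -> %s name=%s\n' "$perm" "$tclass" "$src" "$tgt" "$name"
    else
        printf '%s %s %s -> %s\n' "$perm" "$tclass" "$src" "$tgt"
    fi
}

# summarise_log: read log lines on stdin (for example the output of
# "grep -i denied /var/log/messages") and print one summary per AVC denial.
summarise_log() {
    while IFS= read -r l; do
        summarise_avc "$l" || :
    done
}

# count_denials: read log lines on stdin and print only the number of AVC denials.
count_denials() {
    n=0
    while IFS= read -r l; do
        if summarise_avc "$l" >/dev/null; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Stand-alone usage on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarise_log
```

Reading the summary for the first sample line, "read file httpd_sys_script_t -> root_t", says the CGI domain was refused read access to a file labelled root_t; that points at a file context problem rather than at the Unix mode bits, which is exactly the distinction the rest of this thread turns on.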

[ai]
5th February 2005, 06:07 AM
Oh, yes, it shows:

Feb 5 08:27:33 Inkin kernel: audit(1107592053.784:0): avc: denied { read } for pid=3944 exe=/var/www/html/temp.cgi name=file.txt dev=hda2 ino=1277 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:root_t tclass=file

And the same but with "{ write }" when I try to write to the file. This text doesn't depend on program owner, text file owner or suid bit. When access is actually impossible (000 mode) it adds two lines there:

Feb 5 08:56:27 Inkin kernel: audit(1107593787.920:0): avc: denied { dac_override } for pid=4849 exe=/var/www/html/temp.cgi capability=1 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=capability
Feb 5 08:56:27 Inkin kernel: audit(1107593787.920:0): avc: denied { dac_read_search } for pid=4849 exe=/var/www/html/temp.cgi capability=2 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=capability

And the same when I try to read. So in case of "777" access is physically possible but blocked by something. Is it a misconfiguration in httpd.conf? I haven't modified it except adding ExecCGI to DocumentRoot and uncommenting one line for CGI executing.

macemoneta
5th February 2005, 01:56 PM
The "problem" is that SELinux is preventing what it considers to be violations of security.

1. Your CGI script is not in the /var/www/cgi-bin directory.
2. Your file contexts are incorrect. For files that are to be readable by the web server, issue the command:

chcon -t httpd_sys_content_t someFile

3. Don't set world write/execute permissions on files in the web server directories.
4. If all else fails, follow the instructions in this post (http://www.fedoraforum.org/forum/showpost.php?p=157889&postcount=2) to override some of the SELinux protections.

[ai]
5th February 2005, 07:37 PM
OK, thank you very much. I've changed the file context and now my program can read it. And the last question: what context is needed to make the file (or directory if I need to upload files) writeable by a CGI program? I looked at the context of /etc/httpd/logs/error_log (which must be writeable by Apache). It was httpd_runtime_t. I've assigned it to my file but that doesn't work.
And, sure, I don't want to keep 777 permission, that was only for testing.

macemoneta
5th February 2005, 08:04 PM
First, you'll probably find this documentation (http://fedora.redhat.com/docs/selinux-apache-fc3/) useful.

The files/directories that you are going to create/read/write with your CGI code should have a context of "httpd_sys_content_t". The scripts themselves should be "httpd_sys_script_exec_t", which they should inherit from the /var/www/cgi-bin directory. When you set the context of a directory, files created in that directory inherit that context.

[ai]
6th February 2005, 07:16 AM
Thank you. I've found that httpd_sys_content_t doesn't allow CGI programs to write files, I had to use httpd_sys_script_rw_t. Although the documentation asserts that httpd_sys_content_t is enough by default and I haven't made any changes to policy.
On the first page they wrote that it's a beta document. Maybe I should contact authors and ask them to alter it?
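An added example, not from the thread or from either poster, that turns macemoneta's checklist (scripts in /var/www/cgi-bin with httpd_sys_script_exec_t, readable content as httpd_sys_content_t, no world-writable files) and [ai]'s finding (files the CGI must write need httpd_sys_script_rw_t on this policy) into an audit you can run over a file inventory. The inventory is constructed; on a real host the same fields come from "ls -Z" and "stat". The expected type for "write" encodes what this thread arrived at and is an assumption about the installed policy, as are the function names.

```shell
#!/bin/sh
# Added example, not from the thread: audit web-content paths against the
# checklist discussed above. Each inventory line is PATH MODE CONTEXT PURPOSE,
# where PURPOSE is script, read or write. The inventory is constructed and
# mirrors the situations described in the thread; it is not real system state.

INVENTORY='/var/www/html/temp.cgi 777 user_u:object_r:httpd_sys_content_t script
/var/www/cgi-bin/temp.cgi 755 system_u:object_r:httpd_sys_script_exec_t script
/var/www/html/file.txt 777 root:object_r:root_t read
/var/www/html/data/upload.txt 664 user_u:object_r:httpd_sys_content_t write
/var/www/html/data/out.txt 664 user_u:object_r:httpd_sys_script_rw_t write'

# selinux_type CONTEXT: type component of a user:role:type[:level] context.
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# expected_type PURPOSE: the file type the checklist expects for that use.
# "write" -> httpd_sys_script_rw_t follows [ai]'s result on this policy (assumption).
expected_type() {
    case "$1" in
        script) echo httpd_sys_script_exec_t ;;
        read)   echo httpd_sys_content_t ;;
        write)  echo httpd_sys_script_rw_t ;;
        *)      echo unknown ;;
    esac
}

# world_writable MODE: succeed if the octal mode grants write to "other".
world_writable() {
    case "$1" in *[2367]) return 0 ;; *) return 1 ;; esac
}

# audit_entry PATH MODE CONTEXT PURPOSE: print one line per finding and return
# the number of findings, so a return status of 0 means the entry is clean.
audit_entry() {
    path=$1 mode=$2 ctx=$3 purpose=$4
    findings=0
    have=$(selinux_type "$ctx")
    want=$(expected_type "$purpose")
    if [ "$have" != "$want" ]; then
        printf '%s: context type %s, expected %s for %s\n' "$path" "$have" "$want" "$purpose"
        findings=$((findings + 1))
    fi
    if [ "$purpose" = script ]; then
        case "$path" in
            /var/www/cgi-bin/*) ;;
            *) printf '%s: CGI script outside /var/www/cgi-bin\n' "$path"
               findings=$((findings + 1)) ;;
        esac
    fi
    if world_writable "$mode"; then
        printf '%s: mode %s is world-writable\n' "$path" "$mode"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# audit_inventory: read inventory lines on stdin, print every finding, and print
# the total number of findings as the last line.
audit_inventory() {
    total=0
    while read -r p m c u; do
        [ -n "$p" ] || continue
        audit_entry "$p" "$m" "$c" "$u" || total=$((total + $?))
    done
    echo "$total"
}

# Stand-alone usage on the constructed inventory.
printf '%s\n' "$INVENTORY" | audit_inventory
```

The fourth inventory line reproduces [ai]'s situation: the mode is fine, but a file the CGI must write still carries httpd_sys_content_t, and the audit reports the context mismatch rather than a permission problem. Whether httpd_sys_content_t is writable by CGI on a given system depends on the installed policy version, which is the point macemoneta raises next, so adjust expected_type to the policy you actually run.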

macemoneta
6th February 2005, 02:18 PM
I have a locally written CGI script that creates/reads/writes files, with httpd_sys_content_t as the context.

Do you have the latest maintenance applied? There have been several updates to SELinux policy.

[ai]
6th February 2005, 07:03 PM
No, I haven't applied anything to my system. I just installed Fedora Core 3 from a DVD that I bought in one of our Russian internet shops. I don't think that such updates are required. I'm not going to host any projects on my computer, everything I develop will work on another server with Red Hat Linux 9.0 that has not got SELinux installed at all :). We can now end this topic. Thank you.
