Re: ExecCGI ignored within nfs share


 



Should have said "exported" with noexec instead of mounted, to make it more clear. Then it doesn't matter what you do on the client side; you will still not be able to run exe files.

Since this is not the case, maybe the perms of the directories on that path have no exe permissions themselves?

IC

On Fri, Jan 31, 2020, 10:46 PM Michele Mase' <michele.mase@xxxxxxxxx> wrote:
From fstab:
10.10.10.10:/vol/shared /shared nfs defaults,exec,tcp,vers=3,intr,_netdev 0 0
From /proc/mounts
10.10.10.10:/vol/shared /shared nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.10.10.10,mountvers=3,mountport=635,mountproto=tcp,local_lock=none,addr=10.10.10.10 0 0
The apache process user can execute scripts under nfs share:
su - www-data -s /bin/bash -c "/shared/www_root/cgi2/test.sh" #working


On Thu, Jan 30, 2020 at 8:57 PM Igor Cicimov <icicimov@xxxxxxxxx> wrote:
On Wed, Jan 29, 2020, 11:35 PM Michele Mase' <michele.mase@xxxxxxxxx> wrote:
I'm trying to execute some CGI scripts under a certain directory stored under an NFS share without any success; the same configuration is working outside the NFS share (i.e. under the local filesystem).
What am I missing?
Regards
Michele Masè

Local Working: curl https://www.example.com/cgi2/

Alias /cgi2/ /var/www/html.default/cgi2/
<Directory "/var/www/html.default/cgi2">
AddHandler cgi-script .cgi .pl .sh
DirectoryIndex index.cgi index.html
Options +ExecCGI
</Directory>


NFS Not Working:
Alias /cgi2/ /shared/www_root/cgi2/
<Directory "/shared/www_root/cgi2/">
AddHandler cgi-script .cgi .pl .sh
DirectoryIndex index.cgi index.html
Options +ExecCGI
</Directory>

Error_Log:
AH01262: Options ExecCGI is off in this directory: /shared/www_root/cgi2/index.cgi

index.cgi script

#!/usr/bin/perl

print "Content-type: text/html\n\n";
print "<html>\n<body>\n";
print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n";
print "CGI Test Page";
print "\n</div>\n";
print "</body>\n</html>\n";

apache2.4.x ubuntu18.04 libapache2-mod-apparmor not installed

aa-status --verbose
apparmor module is loaded.
8 profiles are loaded.
8 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
   man_filter
   man_groff
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

/proc/mounts
10.10.10.10:/vol/shared /shared nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.10.10.10,mountvers=3,mountport=635,mountproto=tcp,local_lock=none,addr=10.10.10.10 0 0

su - www-data -s /bin/bash -c "/bin/cat /shared/www_root/cgi2/index.cgi" #working
--
Michele Masè

Usually NFS shares are mounted without exec permissions for security; you need to make sure that is not the case.


--
Michele Masè
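
The two client-side checks suggested in this thread (a noexec option on the mount that holds the script, and missing execute/search permission on a directory along the path), as an added example that is not part of the original messages. The function names are hypothetical; it assumes Linux /proc/mounts and GNU stat, and it cannot see restrictions applied on the NFS server side.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Checks a CGI path for a noexec mount
# and for parent directories that lack the search bit.

# Print "mountpoint fstype options" for the mount that holds PATH: the longest
# mount point in MOUNTS_FILE that is a prefix of PATH (later entries win ties).
mount_opts() {
    local path=$1 mounts=${2:-/proc/mounts} best="" line="" dev mp fs opts rest
    while read -r dev mp fs opts rest; do
        case "$path/" in
            "${mp%/}/"*)
                if [ "${#mp}" -ge "${#best}" ]; then
                    best=$mp; line="$mp $fs $opts"
                fi ;;
        esac
    done < "$mounts"
    printf '%s\n' "$line"
}

# Succeed when a comma-separated mount option list contains noexec.
has_noexec() {
    case ",$1," in *,noexec,*) return 0 ;; *) return 1 ;; esac
}

# Print every directory from PATH up to / whose mode lacks the execute (search)
# bit for "other". Assumption: the web server user is neither owner nor group.
blocked_dirs() {
    local dir=$1 mode
    [ -d "$dir" ] || dir=$(dirname "$dir")
    while :; do
        mode=$(stat -c %a "$dir") || return 2
        # The last octal digit is the "other" class; odd means x is set.
        case "$mode" in *[1357]) ;; *) printf '%s\n' "$dir" ;; esac
        case "$dir" in /|.) break ;; esac
        dir=$(dirname "$dir")
    done
}

# Usage: script /shared/www_root/cgi2/index.cgi
if [ "$#" -gt 0 ]; then
    info=$(mount_opts "$1")
    echo "mount: $info"
    if has_noexec "${info##* }"; then echo "noexec is set on this mount"; fi
    echo "directories without search permission for other:"
    blocked_dirs "$1"
fi
```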
