Re: [users@httpd] CGI path problem

It is. I checked that first.

I spent hours researching this last night and didn't send out a note because it was so late. It turns out that the newer versions of Redhat Linux are shipped with a security system called SELINUX that has some roots with the NSA. It would appear that it was designed specifically to address security policy with Apache servers. It creates a set of rules that allow/dis-allow specific kinds of access based on security contexts. All of the security contexts it ships with appear to be for Apache's httpd.

The error I was getting was because SELINUX ships with a security policy that prohibits any CGI script from executing any other executable on the system. This is evidently created to prevent compromise of a script taking over the system.

I spent hours trying to interpret the very dense docs that I could find and the way this works is that you create security policies in a source directory under /etc/selinux and then re-make the security policy. The problem is that it doesn't appear that my server install came with the policy generator, merely a set of policies. I then quit and changed the security level in /etc/selinux/config to permissive. This merely generates warnings instead of errors.

Is this a secret? Why does no one know about this selinux thing? Anyway, I turned it off for now. Maybe I'll go back and figure it out later.

Thanks.

Andres Monroy-Hernandez wrote:

The java virtual machine should be executable to the user that is
running the apache daemon. Also your java program should be readable to
the same user. Is that the case? What is the command that you're
executing from your CGI?

By the way, what you're doing is not the best performance wise. It seems
that every time someone executes the CGI the JVM is loaded. There must
be better ways of doing what you want, but that's outside the scope of
your question.

Cheers,
Andres

-----Original Message-----
From: Thom Hehl [mailto:thom@xxxxxxxxxxxxxxxx]
Sent: Monday, July 18, 2005 7:32 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] CGI path problem

OK. I figured out to place the path in /etc/init.d/httpd and now I can find the program. Now I'm getting the error:

sh:/opt/java/bin/java: Permission denied

The permissions on java are 755, which should allow execution. Is there something that prevents CGI scripts from calling other binaries?

Thanks.

Thom Hehl wrote:

I have a CGI program that calls a java program. I have placed the java/bin directory into my PATH in /etc/bashrc (Redhat Linux) and can run my CGI fine from the command prompt. When I execute it through the web server, though, I get the following message in my error.log:

"sh: java: command not found"

I am reading this as Apache cannot find the java binary. Is there something I'm missing? Maybe a path somewhere in httpd.conf?

Thanks

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
 "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
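
The thread ends with SELinux switched to permissive mode, where denials are logged rather than enforced. As an added example (not part of the original posts), this Python sketch parses AVC denial lines and picks out the ones where a CGI script domain was refused execute permission, which is the rule that blocked the java binary here. The log lines, pids, inode numbers and the target type `usr_t` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the AVC denial format; every value is made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1121729520.101:41): avc:  denied  { execute } for  pid=4211 comm="sh" name="java" dev=hda2 ino=98311 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:usr_t tclass=file
type=AVC msg=audit(1121729581.007:42): avc:  denied  { execute } for  pid=4230 comm="sh" name="java" dev=hda2 ino=98311 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:usr_t tclass=file
type=AVC msg=audit(1121729600.440:43): avc:  denied  { read } for  pid=4302 comm="httpd" name="index.html" dev=hda2 ino=20114 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1121729600.440:43): arch=40000003 syscall=5 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """A context is user:role:type[:level]; policy rules key on the type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["source_type"] = context_type(rec.get("scontext", ""))
    rec["target_type"] = context_type(rec.get("tcontext", ""))
    return rec


def summarize(log_text):
    """Count denials by (source type, permission, class, target type, name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["source_type"], perm, rec.get("tclass", ""),
                    rec["target_type"], rec.get("name", ""))] += 1
    return counts


def cgi_exec_denials(log_text):
    """Denials where a CGI script domain was refused execute on a file."""
    return {k: n for k, n in summarize(log_text).items()
            if k[0].endswith("_script_t") and k[1] == "execute"}


if __name__ == "__main__":
    for key, n in cgi_exec_denials(SAMPLE_LOG).items():
        print(n, *key)
```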



