Re: how to enable CGI scripts to read /var/log/httpd/access_log ?

On Feb 11, 2008 5:55 PM, Bennett Haselton <bennett@xxxxxxxxxxxxx> wrote:
> At 02:14 PM 2/11/2008 -0500, Joshua Slive wrote:
> >On Feb 11, 2008 1:38 PM, Bennett Haselton <bennett@xxxxxxxxxxxxx> wrote:
> > > I am trying to run a CGI script that can open /var/log/httpd/access_log for
> > > reading and parse some data from it.  (This is on a dedicated machine.)
> > >
> > > The file /var/log/httpd/access_log is owned by root, but that's not the
> > > problem.  I have other files owned by root that are in the /var/www/html
> > > directory and CGI scripts can read those with no problem (because they are
> > > world-*readable*, just like /var/log/httpd/access_log is).  The problem is
> > > that apparently CGI scripts cannot open any files for reading that are
> > > located outside of /var/www .
> >
> >There is no setting in the default apache install that could impose
> >that restriction. Are you running SELinux perhaps? Have you tried
> >"setenforce 0" to see if the issue goes away?
>
> It does, but unfortunately after the server is rebooted, the effect of
> doing "setenforce 0" is lost (i.e. setuid scripts no longer run as setuid),
> and I have to do it again if I want setuid to work again.
>
> Is there any way I can make the effect of "setenforce 0" permanent?  I
> could put it into a startup script or something, but that seems like a
> hacky solution compared to actually changing the system setting.

You're going to need to dig into SELinux config a little. You have two
choices: turn off SELinux either for apache or the whole system
permanently, or modify your SELinux extended permissions to allow
apache access to the relevant files. Either way, you're going to have
to figure out how CentOS has SELinux set up. Googling "apache SELinux"
gets lots of useful stuff for Red Hat. I'm not sure how much of it
applies to CentOS.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
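
An added example, not part of the original messages: a shell sketch of the two things worth checking before choosing between the options in the reply above, namely which mode SELinux boots into and which denials are actually hitting Apache-related domains. The function names, the sample config and the sample audit records (including the type names `httpd_sys_script_t` and `httpd_log_t`) are constructed assumptions; on a live system the inputs would be `/etc/selinux/config` and the audit log.

```shell
#!/bin/sh
# Added example; both inputs are constructed samples, not data from the thread.
# Constructed /etc/selinux/config: the mode applied at boot is read from here,
# so a runtime "setenforce 0" is lost on reboot.
sample_selinux_config() {
cat <<'EOF'
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# Constructed audit records (AVC format); the type names are assumed.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1202770500.101:41): avc:  denied  { read } for  pid=2345 comm="stats.cgi" name="access_log" dev=dm-0 ino=98311 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1202770560.202:42): avc:  denied  { read } for  pid=2351 comm="stats.cgi" name="access_log" dev=dm-0 ino=98311 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1202770600.303:43): avc:  denied  { getattr } for  pid=990 comm="sendmail" name="mail" dev=dm-0 ino=1201 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1202770500.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="stats.cgi"
EOF
}

# Print the mode SELinux boots into: enforcing, permissive or disabled.
boot_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*$/\1/p' | tail -n 1
}

# One line per distinct denial from an httpd* domain:
# count, source type, permissions, target type, object class, file name.
summarise_httpd_denials() {
    awk '
    function val(key,   i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2); gsub(/"/, "", v); return v
            }
        return ""
    }
    $1 == "type=AVC" && /denied/ {
        split(val("scontext"), s, ":"); split(val("tcontext"), t, ":")
        if (s[3] !~ /^httpd/) next
        perms = $0; sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        gsub(/ +/, ",", perms)
        seen[s[3] " " perms " " t[3] " " val("tclass") " " val("name")]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

sample_selinux_config | boot_mode
sample_audit_log | summarise_httpd_denials
```

A summary that names one source type, one permission and one target type shows how narrow the needed policy change is, compared with switching enforcement off for the whole system.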

