httpd-users mailing list archives

From Thom Hehl <t...@nowhereatall.com>
Subject Re: [users@httpd] CGI path problem
Date Tue, 19 Jul 2005 11:26:14 GMT
It is. I checked that first.

I spent hours researching this last night and didn't send out a note 
because it was so late. It turns out that the newer versions of Redhat 
Linux are shipped with a security system called SELINUX that has some 
roots with the NSA. It would appear that it was designed specifically to 
address security policy with Apache servers. It creates a set of rules 
that allow/disallow specific kinds of access based on security 
contexts. All of the security contexts it ships with appear to be for 
Apache's httpd.

The error I was getting was because SELINUX ships with a security policy 
that prohibits any CGI script from executing any other executable on the 
system. This is evidently created to prevent compromise of a script 
taking over the system.

I spent hours trying to interpret the very dense docs that I could find 
and the way this works is that you create security policies in a source 
directory under /etc/selinux and then re-make the security policy. The 
problem is that it doesn't appear that my server install came with the 
policy generator, merely a set of policies. I then quit and changed the 
security level in /etc/selinux/config to permissive. This merely 
generates warnings instead of errors.

Is this a secret? Why does no one know about this selinux thing? Anyway, 
I turned it off for now. Maybe I'll go back and figure it out later.

Thanks.

Andres Monroy-Hernandez wrote:

>The java virtual machine should be executable to the user that is
>running the apache daemon. Also your java program should be readable to
>the same user. Is that the case? What is the command that you're
>executing from your CGI?
>
>By the way, what you're doing is not the best performance wise. It seems
>that every time someone executes the CGI the JVM is loaded. There must
>be better ways of doing what you want, but that's outside the scope of
>your question.
>
>Cheers,
>Andres
>
>-----Original Message-----
>From: Thom Hehl [mailto:thom@nowhereatall.com] 
>Sent: Monday, July 18, 2005 7:32 PM
>To: users@httpd.apache.org
>Subject: Re: [users@httpd] CGI path problem
>
>OK. I figured out to place the path in /etc/init.d/httpd and now I can 
>find the program. Now I'm getting the error:
>
>sh:/opt/java/bin/java: Permission denied
>
>The permissions on java are 755, which should allow execution. Is there 
>something that prevents CGI scripts from calling other binaries?
>
>Thanks.
>
>Thom Hehl wrote:
>
>>I have a CGI program that calls a java program. I have placed the 
>>java/bin directory into my PATH in /etc/bashrc (Redhat Linux) and can 
>>run my CGI fine from the command prompt. When I execute it through the
>>web server, though, I get the following message in my error.log:
>>
>>"sh: java: command not found"
>>
>>I am reading this as Apache cannot find the java binary. Is there 
>>something I'm missing? Maybe a path somewhere in httpd.conf?
>>
>>Thanks
>>
>>---------------------------------------------------------------------
>>The official User-To-User support forum of the Apache HTTP Server 
>>Project.
>>See <URL:http://httpd.apache.org/userslist.html> for more info.
>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>For additional commands, e-mail: users-help@httpd.apache.org
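An added example, not part of the original thread: with SELinux set to permissive as described in the message above, the denials are still logged, and a short parser over those audit records shows which executions from a CGI script the policy objects to. The log lines are constructed, and the record layout and the script domain name `httpd_sys_script_t` are assumptions about the policy in use.

```python
import re

# Constructed sample audit records (not from the thread); values are invented.
SAMPLE_LOG = """\
type=AVC msg=audit(1121772374.101:210): avc:  denied  { execute } for  pid=4121 comm="sh" name="java" dev="dm-0" ino=91231 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1121772390.554:214): avc:  denied  { read } for  pid=4007 comm="httpd" name="notes.txt" dev="dm-0" ino=5512 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1121775001.009:301): avc:  denied  { execute execute_no_trans } for  pid=4410 comm="sh" path="/opt/java/bin/java" dev="dm-0" ino=91231 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1121775001.009:301): arch=c000003e syscall=59 success=yes exit=0 comm="java"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXEC_PERMS = {"execute", "execute_no_trans"}


def context_type(context):
    # A context is user:role:type[:level]; the type is the third field.
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    rec["sdomain"] = context_type(rec.get("scontext", ""))
    rec["ttype"] = context_type(rec.get("tcontext", ""))
    return rec


def cgi_exec_denials(log_text, script_domain="httpd_sys_script_t"):
    """List execute denials whose source is the CGI script domain (assumed name)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["sdomain"] != script_domain:
            continue
        if rec.get("tclass") == "file" and rec["perms"] & EXEC_PERMS:
            hits.append({
                "target": rec.get("path") or rec.get("name"),
                "target_type": rec["ttype"],
                # permissive=1 means the access was logged but allowed.
                "enforced": rec.get("permissive", "0") == "0",
            })
    return hits


if __name__ == "__main__":
    for hit in cgi_exec_denials(SAMPLE_LOG):
        print(hit)
```

The `target_type` column is the part to act on: it names the label on the binary that the script domain is not allowed to execute, which is what a policy change or relabel would have to address instead of turning enforcement off.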