httpd-users mailing list archives

From Chuck Crisler <charles.cris...@comcast.net>
Subject Re: [users@httpd] permission problem (still)
Date Thu, 27 Aug 2009 01:29:09 GMT
On Fri, 2009-08-21 at 09:37 +0100, Tom Evans wrote:

> If it was owned by user apache, then if the webserver were exploitable,
> the attacker would be able to deface your website. If it is just
> readable by apache, then they would need to exploit apache and then find
> a local privilege escalation to do so.

Thank you for pointing out what should have been obvious.

When I try to execute scripts from my cgi-bin directory, I am blocked by
a permission problem. In Firefox, I am using
http://localhost/cgi-bin/env.pl as the address line.

My cgi-bin directory (/var/www/cgi-bin) is owned by root with these
permissions drwxr-xr-x. This is from my httpd.conf

ScriptAlias /cgi-bin/ /var/www/cgi-bin/

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options Indexes FollowSymLinks ExecCGI Includes
    Order deny,allow
    Allow from all
</Directory>

However, when I try to execute any script from that directory, I get
this error.

[Wed Aug 26 21:21:05 2009] [error] [client 127.0.0.1] (13)Permission
denied: access to /cgi-bin/env.pl denied

BTW: my serverroot is defined as:
ServerRoot "/etc/httpd"

My document root is defined as:
DocumentRoot "/var/www/html"

The Perl files in the cgi-bin directory are owned by root with these
permissions: rwxr-xr-x. I also tried to create a cgi-bin directory under
my home directory (making all of the changes needed in httpd.conf), I
set the permissions correctly (I think)


> They don't have to be owned by root, they just need to be readable by
> apache and correctly configured. Your doc root, and all the files under
> there, can be owned by your local user. You only need root privileges to
> start/stop apache.

What about cgi-bin? It is parallel to doc-root.

All help is greatly appreciated!

Chuck


> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
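
Both points in this message, the (13)Permission denied error and the quoted remark about files owned by the server user, can be checked from the mode bits along the script's path. The following is an added example, not part of the original message or of Apache's own code; `audit_cgi_path`, its finding labels and the "apache" account name are assumptions, and it evaluates only classic owner/group/other bits, so ACLs and mandatory access controls such as SELinux are outside what it sees.

```python
import os

R, W, X = 4, 2, 1  # permission bits within one rwx triplet

def allowed(st, uid, gids, want):
    """Classic Unix check: exactly one triplet (owner, group, other) applies."""
    if uid == st.st_uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return ((st.st_mode >> shift) & want) == want

def audit_cgi_path(script, uid, gids):
    """Findings for the server account (uid, gids) on a CGI script path.

    BLOCKED  = the account cannot reach or run the script (EACCES, errno 13)
    WRITABLE = the account could modify it if the server were compromised
    """
    script = os.path.realpath(script)
    cgi_dir = os.path.dirname(script)
    findings = []
    # Every ancestor directory must grant search (x) to the account.
    d, ancestors = cgi_dir, []
    while True:
        ancestors.append(d)
        if os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    for d in reversed(ancestors):
        if not allowed(os.stat(d), uid, gids, X):
            findings.append(("BLOCKED", d, "no search (x) permission"))
    # An interpreted script needs both read and execute.
    if not allowed(os.stat(script), uid, gids, R | X):
        findings.append(("BLOCKED", script, "needs r and x"))
    # Write access to the script or its directory lets the account replace it.
    for p in (cgi_dir, script):
        if allowed(os.stat(p), uid, gids, W):
            findings.append(("WRITABLE", p, "writable by the server account"))
    return findings

if __name__ == "__main__":
    import pwd
    acct = pwd.getpwnam("apache")  # assumption: the server runs as user "apache"
    groups = os.getgrouplist(acct.pw_name, acct.pw_gid)
    for kind, path, why in audit_cgi_path("/var/www/cgi-bin/env.pl", acct.pw_uid, groups):
        print(kind, path, why)
```

An empty result means the mode bits alone do not explain a denial, which points the search toward ACLs, SELinux or the server configuration.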

