Y z n00b
Joined: 23 Apr 2002 Posts: 51 Location: Leiden, The Netherlands
|
Posted: Tue Jul 09, 2002 10:27 am Post subject: Executing CGI scripts in /home/*/public_html/cgi-bin |
|
|
I don't seem to be able to get it to work, the (I think) relevant part
in commonapache.conf is:
Code: |
<Directory /home/*/public_html>
AllowOverride All
Options MultiViews -Indexes Includes FollowSymLinks +ExecCGI
Order allow,deny
Allow from all
</Directory>
<Directory /home/*/public_html/cgi-bin>
Options +ExecCGI -Includes -Indexes
SetHandler cgi-script
</Directory>
|
But all I get in the error_log is:
Quote: |
Tue Jul 9 10:26:01 2002] [error] [client 127.0.0.1] Premature end of script headers: /home/yz/public_html/test.cgi
[Tue Jul 9 10:26:42 2002] [error] (13)Permission denied: exec of /home/yz/public_html/test.cgi failed
|
I have chmod a+x the test.cgi and made sure the world has an
access path to /home/yz/public_html.
The /cgi-bin/test-cgi (working from /home/httpd/cgi-bin) is working
just fine...
Anyone got any suggestions? |
Scandium Retired Dev
Joined: 22 Apr 2002 Posts: 340 Location: Germany
|
Posted: Tue Jul 09, 2002 11:15 am Post subject: |
|
|
what about
/home/*/public_html/cgi-bin/test.cgi
? |
Y z n00b
Joined: 23 Apr 2002 Posts: 51 Location: Leiden, The Netherlands
|
Posted: Tue Jul 09, 2002 11:32 am Post subject: |
|
|
Scandium wrote: | what about
/home/*/public_html/cgi-bin/test.cgi
? |
Both ~yz/test.cgi and ~yz/cgi-bin/test.cgi do not seem to work. |
Nitro Bodhisattva
Joined: 08 Apr 2002 Posts: 661 Location: San Francisco
|
Posted: Tue Jul 09, 2002 12:15 pm Post subject: Re: Executing CGI scripts in /home/*/public_html/cgi-bin |
|
|
Y z wrote: |
But all I get in the error_log is:
Quote: |
Tue Jul 9 10:26:01 2002] [error] [client 127.0.0.1] Premature end of script headers: /home/yz/public_html/test.cgi
[Tue Jul 9 10:26:42 2002] [error] (13)Permission denied: exec of /home/yz/public_html/test.cgi failed
|
|
See that premature end of script headers? That means you aren't providing a header, or suEXEC is nuking the script before apache sends the output.
Run "suexec -V" and it will say its log location, in most cases it should be /var/log/apache/suexec_log. Check that file, and show us what it outputs.
Also, make sure that the CGI outputs a valid header, ie: Code: | print "Content-type: text/html\r\n\r\n"; |
_________________ - Kyle Manna
Please, please SEARCH before posting.
There are three kinds of people in the world: those who can count, and those who can't. |
Y z n00b
Joined: 23 Apr 2002 Posts: 51 Location: Leiden, The Netherlands
|
Posted: Tue Jul 09, 2002 2:10 pm Post subject: Re: Executing CGI scripts in /home/*/public_html/cgi-bin |
|
|
Nitro wrote: | Y z wrote: |
But all I get in the error_log is:
Quote: |
Tue Jul 9 10:26:01 2002] [error] [client 127.0.0.1] Premature end of script headers: /home/yz/public_html/test.cgi
[Tue Jul 9 10:26:42 2002] [error] (13)Permission denied: exec of /home/yz/public_html/test.cgi failed
|
|
See that premature end of script headers? That means you aren't providing a header, or suEXEC is nuking the script before apache sends the output.
Run "suexec -V" and it will say its log location, in most cases it should be /var/log/apache/suexec_log. Check that file, and show us what it outputs.
Also, make sure that the CGI outputs a valid header, ie: Code: | print "Content-type: text/html\r\n\r\n"; |
|
I am doing that. Let me include the script (should have in the
first place):
Code: |
#!/usr/bin/perl
##
##
use CGI;
use CGI::Carp qw( fatalsToBrowser );
my $cgi = CGI->new;
print $cgi->header,
$cgi->start_html(title => 'Test Page'),
$cgi->h1("Hello world"),
"Go away.",
$cgi->end_html,
"\n"
;
|
The $cgi->header does the work.
Maybe it is something deep inside Apache? Just checked my
Debian box, and I can't get it to work under home/*/public_html
either... |
Nitro Bodhisattva
Joined: 08 Apr 2002 Posts: 661 Location: San Francisco
|
Posted: Tue Jul 09, 2002 5:15 pm Post subject: Re: Executing CGI scripts in /home/*/public_html/cgi-bin |
|
|
Y z wrote: | I am doing that. |
Nitro wrote: | See that premature end of script headers? That means you aren't providing a header, or suEXEC is nuking the script before apache sends the output.
Run "suexec -V" and it will say its log location, in most cases it should be /var/log/apache/suexec_log. Check that file, and show us what it outputs.
|
If you are using the standard apache ebuild, you have suEXEC, would you share with us its logs? |
Y z n00b
Joined: 23 Apr 2002 Posts: 51 Location: Leiden, The Netherlands
|
Posted: Tue Jul 09, 2002 5:27 pm Post subject: Re: Executing CGI scripts in /home/*/public_html/cgi-bin |
|
|
Quote: |
Run "suexec -V" and it will say its log location, in most cases it should be /var/log/apache/suexec_log. Check that file, and show us what it outputs.
|
# suexec -V
-D DOC_ROOT="/home/httpd/htdocs"
-D GID_MID=100
-D HTTPD_USER="apache"
-D LOG_EXEC="/var/log/apache/suexec_log"
-D SAFE_PATH="/bin:/usr/bin"
-D UID_MID=1000
-D USERDIR_SUFFIX="public_html"
#
Quote: |
If you are using the standard apache ebuild, you have suEXEC, would you share with us its logs? |
# cat /var/log/apache/su*
cat: /var/log/apache/su*: No such file or directory
Strange, eh? |
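The `suexec -V` values posted above are the compile-time limits suEXEC enforces before it runs a ~user script. The following is an added example, not code from the thread or from Apache: it parses that output and applies a subset of the checks in Apache's documented suEXEC security model, which goes beyond what the thread itself tests. The account values (uid 1000, gid 100, home /home/yz) and the result strings are constructed for illustration.

```python
import re
import stat

# `suexec -V` output as posted in the thread above.
SUEXEC_V = """\
 -D DOC_ROOT="/home/httpd/htdocs"
 -D GID_MID=100
 -D HTTPD_USER="apache"
 -D LOG_EXEC="/var/log/apache/suexec_log"
 -D SAFE_PATH="/bin:/usr/bin"
 -D UID_MID=1000
 -D USERDIR_SUFFIX="public_html"
"""

def parse_suexec_v(text):
    """Turn `-D NAME=value` lines into a dict; bare numbers become int."""
    cfg = {}
    for name, value in re.findall(r'-D\s+(\w+)=("[^"]*"|\S+)', text):
        value = value.strip('"')
        cfg[name] = int(value) if value.isdigit() else value
    return cfg

def check_target(cfg, home, uid, gid, script, script_st, dir_st):
    """Apply suexec-style checks to a ~user CGI request.
    script_st and dir_st are (mode, owner_uid, owner_gid) tuples.
    The returned strings are this example's wording, not suexec log text."""
    problems = []
    if uid == 0 or uid < cfg["UID_MID"]:
        problems.append("uid below UID_MID")
    if gid == 0 or gid < cfg["GID_MID"]:
        problems.append("gid below GID_MID")
    userdir = f'{home}/{cfg["USERDIR_SUFFIX"]}/'
    if not script.startswith(userdir) or ".." in script.split("/"):
        problems.append("script outside the user's USERDIR_SUFFIX tree")
    for label, (mode, o_uid, o_gid) in (("directory", dir_st), ("script", script_st)):
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{label} writable by group or other")
        if (o_uid, o_gid) != (uid, gid):
            problems.append(f"{label} not owned by the target user/group")
    if script_st[0] & (stat.S_ISUID | stat.S_ISGID):
        problems.append("script is setuid or setgid")
    return problems

CFG = parse_suexec_v(SUEXEC_V)
# Constructed account: uid 1000, gid 100, home /home/yz.
SCRIPT = "/home/yz/public_html/cgi-bin/test.cgi"

if __name__ == "__main__":
    # A 755 script in a 755 directory, both owned by the user: no problems.
    print(check_target(CFG, "/home/yz", 1000, 100, SCRIPT,
                       (0o755, 1000, 100), (0o755, 1000, 100)))
    # The same script made group-writable (775) is rejected.
    print(check_target(CFG, "/home/yz", 1000, 100, SCRIPT,
                       (0o775, 1000, 100), (0o755, 1000, 100)))
```

For a real script, take the mode and ownership tuples from `os.stat()` on the script and on its directory.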
Nitro Bodhisattva
Joined: 08 Apr 2002 Posts: 661 Location: San Francisco
|
Posted: Tue Jul 09, 2002 8:35 pm Post subject: Re: Executing CGI scripts in /home/*/public_html/cgi-bin |
|
|
Y z wrote: | # cat /var/log/apache/su*
cat: /var/log/apache/su*: No such file or directory
Strange, eh? |
When you start apache, do you see something like the following in your error log?: Code: | [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) |
Try touching the file, and then restarting apache to see if it will write to it. |
Y z n00b
Joined: 23 Apr 2002 Posts: 51 Location: Leiden, The Netherlands
|
Posted: Wed Jul 10, 2002 7:19 am Post subject: Re: Executing CGI scripts in /home/*/public_html/cgi-bin |
|
|
Quote: | When you start apache, do you see something like the following in your error log?: Code: | [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) |
|
Yup: Code: | [Tue Jul 9 10:14:08 2002] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) |
Quote: | Try touching the file, and then restarting apache to see if it will write to it. |
Did so. Keeps empty...
Should the user 'apache' be able to execute things? Say, should
Code: | # su apache -c /usr/bin/ls | work?
It doesn't, but I assume this is as expected if your shell is
/bin/false; ain't it?
Still puzzled... |
mrhellmann n00b
Joined: 22 Jun 2002 Posts: 1 Location: US
|
Y z n00b
Joined: 23 Apr 2002 Posts: 51 Location: Leiden, The Netherlands
|
Posted: Thu Jul 11, 2002 7:02 pm Post subject: |
|
|
Same negative result in both... I am really stunned by this! |
Nitro Bodhisattva
Joined: 08 Apr 2002 Posts: 661 Location: San Francisco
|
Posted: Thu Jul 11, 2002 7:22 pm Post subject: |
|
|
I'm really curious as to why suEXEC isn't printing. Try taking the exec bits off the /usr/sbin/suexec, then restart apache; should say suEXEC disabled in the error log. |
Y z n00b
Joined: 23 Apr 2002 Posts: 51 Location: Leiden, The Netherlands
|
Posted: Thu Jul 11, 2002 7:36 pm Post subject: |
|
|
Nitro wrote: | I'm really curious as to why suEXEC isn't printing. Try taking the exec bits off the /usr/sbin/suexec, then restart apache; should say suEXEC disabled in the error log. |
HOORAY! This turned out to be the magic sequence:
bash-2.05a# chmod -x /usr/sbin/suexec
bash-2.05a# /etc/init.d/apache restart
* Stopping apache... [ ok ]
* Starting apache... [ ok ]
bash-2.05a# less /var/log/apache/error_log
<same result>
bash-2.05a# ls -al /var/log/apache/suexec_log
-rw-r--r-- 1 root root 0 Jul 10 09:23 /var/log/apache/suexec_log
bash-2.05a# chmod a+x /usr/sbin/suexec
bash-2.05a# /etc/init.d/apache restart
* Stopping apache... [ ok ]
* Starting apache... [ ok ]
But now I wonder: what were the original mod bits on suexec?
Now it's 755, but I wonder whether that is ok?
Wow! Thanks
Y z |
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
|
Posted: Thu Jul 11, 2002 7:44 pm Post subject: |
|
|
Y z wrote: | But now I wonder: what were the original mod bits on suexec? |
4710, root.apache. I don't think suexec will run unless it's suid root. _________________ For every higher wall, there is a taller ladder |
Y z n00b
Joined: 23 Apr 2002 Posts: 51 Location: Leiden, The Netherlands
|
Posted: Thu Jul 11, 2002 7:49 pm Post subject: |
|
|
rac wrote: | Y z wrote: | But now I wonder: what were the original mod bits on suexec? |
4710, root.apache. I don't think suexec will run unless it's suid root. |
I guess so, but here it will only work with 4711 not with 4710.
Is that ok? |
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
|
Posted: Thu Jul 11, 2002 8:00 pm Post subject: |
|
|
Y z wrote: | here it will only work with 4711 not with 4710. Is that ok? |
You might want to have a look at http://www.geocrawler.com/archives/3/192/1997/11/100/2259366/ and see if it is relevant to your situation. |
Y z n00b
Joined: 23 Apr 2002 Posts: 51 Location: Leiden, The Netherlands
|
Posted: Thu Jul 11, 2002 8:06 pm Post subject: |
|
|
Possibly, but that would not solve my problem, since it suggests
the non-working 4710 instead of the working 4711.
I am once again flabbergasted...
Now I know what it is, I don't know how to proceed.
I wonder why (apparently) so few people have encountered this?
Y z |
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
|
Posted: Thu Jul 11, 2002 8:17 pm Post subject: |
|
|
Y z wrote: | Possibly, but that would not solve my problem, since it suggests
the non-working 4710 instead of the working 4711. |
If you're not worried about the potential exploit (ie you don't have untrusted users with accounts on the system or you don't have anything worth exploiting on the machine), then go ahead and use 4711.
Does adding your 'yz' user to the apache group affect anything? |
Y z n00b
Joined: 23 Apr 2002 Posts: 51 Location: Leiden, The Netherlands
|
Posted: Thu Jul 11, 2002 9:23 pm Post subject: |
|
|
rac wrote: |
If you're not worried about the potential exploit (ie you don't have untrusted users with accounts on the system or you don't have anything worth exploiting on the machine), then go ahead and use 4711.
|
I'll go ahead then...But it still won't execute in ~yz, only in ~yz/cgi-bin.
Good heavens...
rac wrote: |
Does adding your 'yz' user to the apache group affect anything? |
It was added all the time.
Thanks for the help thus far, by the way. But the Apache has become
no less mysterious a beast than it already was, I'm afraid...
Y z |
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
|
Posted: Thu Jul 11, 2002 9:39 pm Post subject: |
|
|
Y z wrote: | it still won't execute in ~yz, only in ~yz/cgi-bin. |
Scrolling back up the thread, it looks like the only difference between those two in your config is the "SetHandler cgi-script" - is the proper handler not being triggered? Do you have a global "AddHandler cgi-script .cgi" somewhere?
Quote: | rac wrote: | Does adding your 'yz' user to the apache group affect anything? |
It was added all the time. |
Oh well. I wonder what user is attempting to run suexec that isn't in the apache group, because that's the only difference I can think of between having it 4710 and 4711. nobody? can't be apache.
Quote: | But the Apache has become no less mysterious a beast than it already was, I'm afraid... |
I'm sure you've read a fair amount of it, but there's a boatload of info at http://httpd.apache.org/docs/; related specifically to your current situation perhaps http://httpd.apache.org/docs/howto/cgi.html can do a better job of explaining running CGI programs in non-ScriptAliased directories than can the pretzel-syntax-spewing-machine that is me. |
|
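The 4710 versus 4711 question in the posts above comes down to which execute bit the kernel consults for the web server process, and to who else can invoke a setuid-root wrapper. The following is an added example, not code from the thread or from Apache: it audits a suexec binary's mode and ownership from the point of view of the server process. The numeric IDs (uid/gid 81 for the server, gid 65534 for an unrelated group) are constructed.

```python
import os
import stat

def can_exec(mode, owner_uid, group_gid, uid, gids):
    """Classic Unix execute check for a non-root caller: exactly one of the
    owner, group or other x-bits applies, chosen in that order."""
    if uid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if group_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def audit_suexec(mode, owner_uid, group_gid, httpd_uid, httpd_gids):
    """Return findings for a suexec wrapper with the given permission bits
    and ownership, as seen by a server process with httpd_uid/httpd_gids."""
    findings = []
    if owner_uid != 0 or not mode & stat.S_ISUID:
        findings.append("not-setuid-root")        # wrapper cannot switch users
    if mode & stat.S_IXOTH:
        findings.append("world-executable")       # any local account can invoke it
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable-by-non-owner")  # binary could be replaced
    if not can_exec(mode, owner_uid, group_gid, httpd_uid, httpd_gids):
        findings.append("httpd-cannot-exec")      # server is outside the binary's group
    return findings

def audit_path(path, httpd_uid, httpd_gids):
    """Same audit against a real file, for example /usr/sbin/suexec.
    Pass the uid and groups the server process actually runs with."""
    st = os.stat(path)
    return audit_suexec(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                        httpd_uid, httpd_gids)

# Constructed IDs: uid 81 = server user, gid 81 = "apache" group,
# gid 65534 = some group other than "apache".
APACHE_UID, APACHE_GID, OTHER_GID = 81, 81, 65534

if __name__ == "__main__":
    cases = [
        ("4710, server in apache group", 0o4710, {APACHE_GID}),
        ("4710, server not in apache group", 0o4710, {OTHER_GID}),
        ("4711, server not in apache group", 0o4711, {OTHER_GID}),
        ("0755 (setuid bit lost)", 0o755, {APACHE_GID}),
    ]
    for label, mode, gids in cases:
        print(label, "->", audit_suexec(mode, 0, APACHE_GID, APACHE_UID, gids))
```

A 4710 root:apache binary that reports `httpd-cannot-exec` points at the group the server process runs under, which is the condition to fix before widening the mode to 4711.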
Y z n00b
Joined: 23 Apr 2002 Posts: 51 Location: Leiden, The Netherlands
|
Posted: Thu Jul 11, 2002 9:48 pm Post subject: |
|
|
rac wrote: |
Scrolling back up the thread, it looks like the only difference between those two in your config is the "SetHandler cgi-script" - is the proper handler not being triggered? Do you have a global "AddHandler cgi-script .cgi" somewhere? |
Yes, I have.
rac wrote: | Oh well. I wonder what user is attempting to run suexec that isn't in the apache group, because that's the only difference I can think of between having it 4710 and 4711. nobody? can't be apache. |
rac wrote: |
I'm sure you've read a fair amount of it, but there's a boatload of info at http://httpd.apache.org/docs/; related specifically to your current situation perhaps http://httpd.apache.org/docs/howto/cgi.html can do a better job of explaining running CGI programs in non-ScriptAliased directories than can the pretzel-syntax-spewing-machine that is me. |
Yes I have, but thanks for the pointers, anyway. |
skweegie n00b
Joined: 18 Jun 2002 Posts: 9
|
Posted: Thu Jul 11, 2002 10:58 pm Post subject: |
|
|
i won't be home for 4-5 hours but the second i do i'll write a quick and dirty guide on how to do this...
quick tips btw:
i'm assuming that the WHOLE path to your user's DOCUMENT_ROOT is accessible.
(This all relates to editing your /etc/apache/conf/commonapache.conf)
1) is "AddHandler cgi-script .cgi" uncommented?
2) utilizing the runnable script directory in the user's cgi-bin is preferred since that directory can be protected somewhat (ie. not allowing includes and especially indexes which most people seem to like to have for their normal document root but not really a good idea for a directory that can run scripts since any user can just click any cgi file and run it when that directory is indexed) so...the default given in commonplace.apache is sound as is IMHO...
3) this is probably the most important and usually the cause of "Premature end of script headers":
make SURE your cgi script that you intend to run is chmod 755. anything else and it won't run...
cheers |
Y z n00b
Joined: 23 Apr 2002 Posts: 51 Location: Leiden, The Netherlands
|
Posted: Thu Jul 11, 2002 11:02 pm Post subject: |
|
|
skweegie wrote: | the default given in commonplace.apache is sound as is |
That may be true, but the fact remains that I have to set the suexec mod bits to 4711 instead of the default 4710!! |
skweegie n00b
Joined: 18 Jun 2002 Posts: 9
|
Posted: Thu Jul 11, 2002 11:41 pm Post subject: |
|
|
whoops, didn't read concise enough to see that you did get your script working in ~yz/cgi-bin
note 4710 for suexec is valid and preferred. (you did add user "apache" to the "users" group, yes? if not, do so and either stop apache and telinit 1 and then telinit 3 and restart apache or reboot (easier))
what i meant by #2 in my initial reply is that utilizing a cgi-bin if you allow UserDir is preferred since you can mainly stop Indexing for that directory so you can stop any user from freeclicking and hence running your cgi scripts.
anyways, if you want to be able to run cgi scripts anywhere in your user's DOCUMENT_ROOT you can either:
through editing commonapache.conf
1) remove "cgi-bin" from the directory line where you define your user's directories:
instead of:
<Directory /home/*/public_html/cgi-bin>
Options +ExecCGI -Includes -Indexes
SetHandler cgi-script
</Directory>
it would be:
<Directory /home/*/public_html>
Options +ExecCGI -Includes -Indexes
SetHandler cgi-script
</Directory>
please note that doing it this way would restrict your whole user's DOCUMENT_ROOT to almost the same restrictions as a normal cgi-bin (no Includes nor Indexes)
or
2) easier way and what a lot of hosts do that allows their users to run cgi scripts anywhere in their DOCUMENT_ROOT
a) comment out the section above
b) edit the main settings for the user directory settings (the section right above the one i displayed above)
* add +ExecCGI to Options
* add the SetHandler cgi-script to the above
so instead of:
<Directory /home/*/public_html>
AllowOverride All
Options MultiViews Indexes Includes FollowSymLinks
Order allow,deny
Allow from all
</Directory>
it would be:
<Directory /home/*/public_html>
AllowOverride All
Options MultiViews Indexes Includes FollowSymLinks +ExecCGI
SetHandler cgi-script
Order allow,deny
Allow from all
</Directory>
if you do choose option #2, please place an empty DirectoryIndex file (index.html, index.php etc etc) so that you can't view the directory index...
again, make sure any script you intend to run is 755
cheers |
Y z n00b
Joined: 23 Apr 2002 Posts: 51 Location: Leiden, The Netherlands
|
Posted: Fri Jul 12, 2002 6:53 am Post subject: |
|
|
Thanks for your long and clear answer. I tried both your suggestions (restarting apache with Code: | /etc/init.d/apache restart | ). But alas, as soon as I change the mod bits to 4710, the cgi scripts stop working (and yes, they are chmod'ed to 755).
I guess I have to live with it...
Y z |