cgi not working

[links2world]

Hello,

Pleak 8.0.0, I have problems running cgi scripts. I have the following cgi script:

[root@columbia cgi-bin]# pwd
/var/www/vhosts/domain.net/cgi-bin
[root@columbia cgi-bin]# cat test.cgi
#!/bin/bash
echo -e "Content-type: text/html\n\n";
echo lol
[root@columbia cgi-bin]# ls -la test.cgi
-rwxr-xr-x 1 domain psacln 60 Apr 29 15:45 test.cgi
[root@columbia cgi-bin]#
[root@columbia cgi-bin]#

However, this is not working. In the access_log I havethe following error:

80.186.x.x - - [29/Apr/2006:16:15:16 +0300] "GET /cgi-bin/test.cgi HTTP/1.1" 500 1263 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

and in the error_log I have the following:

[Sat Apr 29 16:15:15 2006] [error] [client 80.186.x.x] failed to open log file /var/log/httpd/suexec_log
[Sat Apr 29 16:15:15 2006] [error] [client 80.186.x.x] fopen: Permission denied
[Sat Apr 29 16:15:15 2006] [error] [client 80.186.x.x] Premature end of script headers: test.cgi

Any ideea? Thanks.

 

[links2world]

Okay, selinux seems to be the reason, this is how I fixed it:

[root@columbia ~]# audit2allow -i /var/log/messages -l
allow httpd_suexec_t httpd_sys_content_t:file { execute_no_trans ioctl };
[root@columbia ~]# audit2allow -i /var/log/messages -l > /etc/selinux/targeted/src/policy/domains/misc/local.te
[root@columbia ~]# cd /etc/selinux/targeted/src/policy/
[root@columbia policy]#
[root@columbia policy]# make load

Now CGI is working.

Regards,

 

[OutKa5t]

Can you explain this fix? I have the same problem as you have decribed but don't understand what your fix is/does.

 

[links2world]

Hi,

The problem was too resticted SELinux = Security-Enhanced Linux (SELinux) is a version of the Linux kernel and utilities, which contains support for mandatory access controls based on the principle of least privilege.

For some reason, by default SELinux denies the execution of CGI scripts. audit2allow tool is looking into log files, and if it finds a "deny" log entry, it will display you the "allow" rule that you have to add to your SELinux config files.

This is what I have done.

Best regards,

 

[DavidCollom]

Same Error

I am having the same problem however when i attempt to run your commands above all i get back is this:

# audit2allow -i /var/log/messages -l allow httpd_suexec_t httpd_sys_content_t:file { execute_no_trans ioctl };
unknown option, 'allow'

audit2allow [-d] [-v] [-l] [-i <inputfile> ] [-o <outputfile>]
-d read input from output of /bin/dmesg
-v verbose output
-l read input only after last "load_policy"
-i read input from <inputfile>
-o append output to <outputfile>

I have tried changing the owner to apache (Read in other topic) and also tried changing the usegroups etc could you give me any more ideas on how to get this to work. the scripts run fine from CLI but not through apache.

In the suexec log i recieve:
target uid/gid (10002/10001) mismatch with directory (10002/2523) or program (48/0)

Please help! as i need running for a client who is becoming very impatient.

David Collom

 

[DavidCollom]

Ok this may sound weird but i moved the CGi files into a subfolder of the CGI bin and now everything works perfectly!, not sure why as all the folders and files have the same permissions and owners!

Just thought i would make a note of it for others.

however a fix to run in the root of the bin would be nice!