From: replies-lists-redhat@listmail.innovate.net
To: azeem ahmad azeem81@msn.com
Subject: Re: access denied
Date: Wed, 22 Feb 2006 01:19:37 +0000

From: replies-lists-redhat@listmail.innovate.net
To: azeem ahmad azeem81@msn.com
Subject: Re: access denied
Date: Wed, 22 Feb 2006 00:19:20 +0000
> >> From: replies-lists-redhat@listmail.innovate.net
> >> To: azeem ahmad azeem81@msn.com
> >> Subject: Re: access denied
> >> Date: Tue, 21 Feb 2006 23:24:06 +0000
> >>
> >> your cgi-bin should contain *scripts*, not html files. apache
> >> won't parse an html file that's in the cgi-bin directory. [what
> >> are the top 2-3 lines of "dgate.html"?
> >>
> >> assuming that apache isn't running as the user that owns the
> >> files/directory (there are security implications if it is),
> >> then the directory/files in the cgi-bin need to be
> >> executable/readable by "others".
> >>
> >>
> >> ------------ Original Message ------------
> >> > Date: Tuesday, February 21, 2006 10:17:48 PM +0000
> >> > From: azeem ahmad azeem81@msn.com
> >> > To: users@httpd.apache.org, fedora-list@redhat.com
> >> > Subject: access denied
> >> >
> >> > hi list, my server is denying access to cgi-bin, i m trying
> >> > on it for a while, before that it was even saying that
> >> > premature end of script, but now after some modifications
> >> > (adding cgi-bin directory to virtual host) it says access
> >> > denied
> >> > following is the config
> >> > ------------------------------------------------------------
> >> > <VirtualHost 1.2.3.4>
> >> > ServerAlias mine.com
> >> > ServerAdmin webmaster@mine.com
> >> > DocumentRoot /home/mine/public_html
> >> > BytesLog domlogs/mine.com-bytes_log
> >> > ServerName www.mine.com
> >> >
> >> > User mine
> >> > Group mine
> >> > CustomLog /usr/local/apache/domlogs/mine.com combined
> >> > ScriptAlias /cgi-bin/ /home/mine/public_html/cgi-bin/
> >> >
> >> > <Directory /home/mine/public_html/cgi-bin/>
> >> > Options +Indexes +ExecCGI
> >> > Order allow,deny
> >> > DirectoryIndex index.cgi
> >> > AllowOverride None
> >> > </Directory>
> >> > </VirtualHost>
> >> > ------------------------------------------------------------
> >> >
> >> > the error it gives is
> >> > [Tue Feb 21 14:15:48 2006] [error] [client 80.231.220.2] client denied by server configuration: /home/mine/public_html/cgi-bin/dgate.html
> >> >
> >> > whats is the error in fact
> >> > Regards
> >> > Azeem
> >
> > i created a new script named helo.pl, its working well when i
> > execute it. now i moved suexec from apache path, so apache cant
> > access suexec as well
> > but when i access helo.pl in browser, it is now saying
> > No such file or directory
> > while file is on exact path and its executable as i have chmod
> > it to 777
> > Regards
> > Azeem
> >
> > is the first line of your "helo.pl" script:
> >
> > #!/usr/local/bin/perl
> >
> > (or whatever the path is to your perl binary)?
>
> yes, and i tried both, as /usr/bin/perl and /usr/local/bin/perl both r working fine if i run program on shell
> Regards
> Azeem
if you put an html file under your document root:
DocumentRoot /home/mine/public_html
can you open it with your browser (via http://...)?
[note, normally you don't put your cgi-bin under your document root. rather you put it parallel to it (or elsewhere).]
could you send the error_log line where you're getting the "no such file or directory" error.
and about .html is that server is working already hosting my website, so normal html is working fine below is error log
[Tue Feb 21 15:54:08 2006] [error] (2)No such file or directory: exec of /home/mine/public_html/cgi-bin/helo.pl failed
[Tue Feb 21 15:54:08 2006] [error] [client 80.231.220.2] Premature end of script headers: /home/mine/public_html/cgi-bin/helo.pl
note that the "No such file or directory" comes only if i disable suexec, otherwise only the second line appears
Regards Azeem
could you send your helo.pl script -- some aspect of it appears to be the problem.
its simply
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello";
Regards Azeem
is your cgi-bin directory permitted as exec (it doesn't need read, only exec) to the user that is running your web server?
i assume you're running apache 2.x -- are you aware that "user" and "group" directives aren't supported in the cgi-bin directive set in that version. see:
http://httpd.apache.org/docs/2.2/mod/mod_suexec.html#suexecusergroup
for details.
i changed the dir and files to rwx ie chmod -R 777 cgi-bin
even then its saying premature end of script
Regards Azeem
From: Les Mikesell lesmikesell@gmail.com
Reply-To: For users of Fedora Core releases fedora-list@redhat.com
To: For users of Fedora Core releases fedora-list@redhat.com
CC: replies-lists-redhat@listmail.innovate.net
Subject: Re: access denied
Date: Wed, 22 Feb 2006 09:31:54 -0600

On Wed, 2006-02-22 at 08:40, azeem ahmad wrote:
> > i assume you're running apache 2.x -- are you aware that "user" and "group" directives aren't supported in the cgi-bin directive set in that version. see:
> > http://httpd.apache.org/docs/2.2/mod/mod_suexec.html#suexecusergroup
> > for details.
>
> i changed the dir and files to rwx ie chmod -R 777 cgi-bin
> even then its saying premature end of script

Can you run the script by hand as the user you think httpd will use?
-- Les Mikesell lesmikesell@gmail.com
apache is running as nobody:nobody the virtual host is running as mine:mine i m accessing the server remotely as root i dont have mine and nobody passwords is there any way to do it?
Regards Azeem
On Wed, 22.02.2006, at 16:41, azeem ahmad wrote:
> apache is running as nobody:nobody the virtual host is running as mine:mine i m accessing the server remotely as root i dont have mine and nobody passwords is there any way to do it?
> Regards Azeem
Big hm. Are you using the perchild mpm (which is not stable)? Else you can't run a vhost with different User/Group than the main server.
http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user
With Fedora's defaults you will get something like this:
$ apachectl -t
Syntax error on line 6 of /etc/httpd/conf.d/vhosts/www.obsfuscated.net:
User cannot occur within <VirtualHost> section
Alexander
From: Les Mikesell lesmikesell@gmail.com
Reply-To: For users of Fedora Core releases fedora-list@redhat.com
To: For users of Fedora Core releases fedora-list@redhat.com
Subject: Re: access denied
Date: Wed, 22 Feb 2006 12:28:32 -0600

On Wed, 2006-02-22 at 09:41, azeem ahmad wrote:
> > > i assume you're running apache 2.x -- are you aware that "user" and "group" directives aren't supported in the cgi-bin directive set in that version. see:
> > > http://httpd.apache.org/docs/2.2/mod/mod_suexec.html#suexecusergroup
> > > for details.
> >
> > i changed the dir and files to rwx ie chmod -R 777 cgi-bin
> > even then its saying premature end of script
>
> Can you run the script by hand as the user you think httpd will use?

apache is running as nobody:nobody the virtual host is running as mine:mine i m accessing the server remotely as root i dont have mine and nobody passwords is there any way to do it?

If you are root, you can 'su - user' for any other user without a password. The user does need a working shell in /etc/passwd that you can use while testing, though.
-- Les Mikesell lesmikesell@gmail.com
apache is running as nobody and it says that This account is currently not available when i su nobody
and as mine i can run the script
and how can i check my virtual host is running as nobody or mine
as main apache config is user nobody group nobody
and in virtual host user mine group mine
Regards Azeem
On Wed, 2006-02-22 at 13:58, azeem ahmad wrote:
> > > > > > i assume you're running apache 2.x -- are you aware that "user" and "group" directives aren't supported in the cgi-bin directive set in that version. see:
> > > > > > http://httpd.apache.org/docs/2.2/mod/mod_suexec.html#suexecusergroup
> > > > > > for details.
> > > > >
> > > > > i changed the dir and files to rwx ie chmod -R 777 cgi-bin
> > > > > even then its saying premature end of script
> > > >
> > > > Can you run the script by hand as the user you think httpd will use?
> > >
> > > apache is running as nobody:nobody the virtual host is running as mine:mine i m accessing the server remotely as root i dont have mine and nobody passwords is there any way to do it?
> >
> > If you are root, you can 'su - user' for any other user without a password. The user does need a working shell in /etc/passwd that you can use while testing, though.
>
> apache is running as nobody and it says that This account is currently not available when i su nobody

That means it doesn't have a valid shell in the /etc/passwd file entry.

> and as mine i can run the script
> and how can i check my virtual host is running as nobody or mine
> as main apache config is user nobody group nobody
> and in virtual host user mine group mine

In a stock fedora configuration, httpd would run as apache, and I don't think the normal MPM setting allows the virtual hosts to be different.
On Wed, 2006-02-22 at 19:58 +0000, azeem ahmad wrote:
> apache is running as nobody and it says that This account is currently not available when i su nobody
"nobody" normally can't log on. I'm not sure if it can ever run anything. I wouldn't change nobody so that it can, because other things use it as a purposely limited account for security reasons.
On Wed, 2006-02-22 at 15:41 +0000, azeem ahmad wrote:
> apache is running as nobody:nobody
Usually it runs as apache:apache
> the virtual host is running as mine:mine i m accessing the server remotely as root i dont have mine and nobody passwords
It's a bit of an ask to resolve something when you don't have the proper credentials. And that's the sort of request that sounds like you're trying to exploit something.
However, if you have root access, try creating some new accounts to test with, so you will have the proper credentials.
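
Added example, not part of any message in this thread: a shell preflight check for the conditions the thread keeps circling (the interpreter line, the execute bit, and the group/other-writable modes that chmod -R 777 produces and that suexec rejects). The function names check_cgi and demo and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). check_cgi PATH prints one finding
# per line and returns non-zero if there is at least one.
check_cgi() {
    f=$1
    findings=0
    cr=$(printf '\r')
    note() { printf '%s: %s\n' "$f" "$1"; findings=$((findings + 1)); }

    [ -f "$f" ] || { note "not a regular file"; return 1; }
    [ -x "$f" ] || note "not executable"

    # The kernel honours "#!" only as the first two bytes of the file.
    first=$(head -n 1 "$f")
    case $first in
        '#!'*)
            # Interpreter path = first word after "#!". With DOS line
            # endings the CR becomes part of that path, and exec() of an
            # existing script then fails with "No such file or directory".
            interp=$(printf '%s\n' "$first" | sed 's/^#! *//; s/ .*//')
            case $interp in *"$cr") note "CR at end of interpreter line" ;; esac
            [ -x "$interp" ] || note "interpreter not found or not executable"
            ;;
        *) note "first line does not begin with #!" ;;
    esac

    # suexec refuses to run a script that is writable by group or other,
    # or that sits in such a directory: the state chmod -R 777 creates.
    for p in "$f" "$(dirname "$f")"; do
        case $(ls -ld "$p" | cut -c1-10) in
            ?????w*|????????w*) note "$p is writable by group or other" ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: a script saved with CRLF line endings, mode 777.
demo() {
    d=$(mktemp -d) || return 2
    printf '#!/bin/sh\r\necho "Content-type: text/plain"\r\n' > "$d/demo.cgi"
    chmod 777 "$d/demo.cgi"
    check_cgi "$d/demo.cgi"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || true
```

Run it as the account the script will execute under, since the execute-bit and interpreter tests are evaluated for the calling user.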