Folks
I'm having file-access problems in Apache 2.4 under Centos 7. In particular:
- I have a file that's readable to every user and every application, (writeable by only one user), but my CGI scripts cannot read it.
- Some of my CGI scripts need temporary storage for some files. They are, for example, some internal log files, that get cleaned up over time, but I want to be able to look at them (as root). Where would you suggest they be placed? I've tried /tmp/my_private_files/, and /var/tmp/my_private_files/, but Apache fails to find even the directory.
Here's some extra information: SELINUX is disabled.
I modified my CGI script to report where in the path to /tmp/my_private_files/temp_log.log the process failed. The Perl code I ran is:
my $x = "";
print STDERR "Trying to read /tmp/ramdisk/keys.txt\n";
for (split m{/}, "/tmp/ramdisk/keys.txt") {   # split the path on "/"
    next unless $_;                            # skip the empty leading component
    $x .= "/$_";                               # extend the prefix one component at a time
    print STDERR "Test $x, ", (-e $x ? "exists" : "does not exist"), "\n";
}
And the output in the http error log for this virtual user, (timestamp and other error log data stripped) was:
AH01215: Trying to read /tmp/ramdisk/keys.txt
AH01215: Test /tmp, exists
AH01215: Test /tmp/ramdisk, does not exist
AH01215: Test /tmp/ramdisk/keys.txt, does not exist
Using the "dir -l" command as root, I discover:
dir -l / | grep tmp
drwxrwxrwt. 16 root root 4096 Nov 21 08:35 tmp
dir -l /tmp | grep ramdisk
drwxrwxrwt 2 root root 140 Nov 21 08:35 ramdisk
dir -l /tmp/ramdisk | grep keys.txt
-rw-r--r-- 1 user1 user1 11829 Nov 21 08:29 keys.txt
Any suggestions?
PS: Centos 6 had no such problems, and the file locations worked just fine.
David
On Nov 21, 2017, at 11:42, david david@daku.org wrote:
The httpd.service unit in c7 has: PrivateTmp=true
Which means that Apache has its own private /tmp namespace. So it’s probably working, just not where you expect.
Don’t use /tmp in CGIs.
(And don’t disable selinux, particularly for web apps)
-- Jonathan Billings
At 09:24 AM 11/21/2017, Jonathan Billings wrote:
Jonathan, thanks for the advice. If you recommend NOT to use /tmp for cgi temporaries, where would you put them and how to name them? And about SELINUX, I'll consider that, but I'd like to get this working without SELINUX first.
And where should I put "globally readable" files? These files need to be readable by all users (including Apache), but writeable only by one user. In the past, I've placed them in a RAM disk since I don't want them to survive a power-off, and mounted that "device" directory in /tmp/ramdisk. It was working perfectly in Centos 5, 6 and 7, with Centos 7 failing within the past week or so. I do "yum update" every night.
David
On Tue, Nov 21, 2017 at 09:40:27AM -0800, david wrote:
Does it need to be writable by CGI scripts run by httpd? Then put it in one of the directories that is automatically labeled httpd_sys_rw_content_t by selinux. (man httpd_selinux shows those; you can also run 'semanage fcontext -l | grep httpd_sys_rw_content_t'.)
Hopefully, it isn't both writable *and* executable by httpd, because that's just a bad idea, and selinux tries its hardest to prevent it.
Otherwise, if httpd just needs to read the file, choose one of the directories with one of the read-only labels.
The reason why this started happening in the latest C7 release is because the unit file (as well as many others) was updated to have a PrivateTmp, which is an additional security measure, since one of the most common ways of attacking a system is to try to hit shared files in locations like /tmp.
On 11/21/2017 08:42 AM, david wrote:
SELINUX is disabled.
...
Any suggestions?
Yeah, https://stopdisablingselinux.com/
Also, you *could* run "systemctl edit httpd.service" and enter two lines:
[Service]
PrivateTmp=false
... if you specifically need to share /tmp. The alternative is probably to mount a new tmpfs to a new directory somewhere under /var/lib for globally shared ephemeral files.
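As an added example (not code from anyone in this thread), a small POSIX shell script that ties the diagnosis and the workaround together: it repeats the component-by-component path probe from the Perl script, reads the PrivateTmp setting the way `systemctl show -p PrivateTmp <unit>` reports it, locates the service's private /tmp from the host, and renders the drop-in that `systemctl edit httpd.service` writes. The unit name httpd.service comes from the thread; the /tmp/systemd-private-<machine-id>-<unit>-<random>/tmp location is a systemd convention the thread does not mention, and the sample paths in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that systemd's PrivateTmp is why a
# CGI cannot see /tmp, find the service's private /tmp, and render the drop-in.

# Walk a path one component at a time and print the first prefix that does not
# exist (same idea as the Perl probe in the thread); prints "ok" if all exist.
first_missing_component() {
  rest=$1; prefix=""
  while [ -n "$rest" ]; do
    rest=${rest#/}            # drop one leading slash
    part=${rest%%/*}          # next path component
    rest=${rest#"$part"}
    [ -z "$part" ] && continue
    prefix="$prefix/$part"
    if [ ! -e "$prefix" ]; then
      printf '%s\n' "$prefix"
      return 1
    fi
  done
  printf 'ok\n'
}

# Takes the output of `systemctl show -p PrivateTmp <unit>` as text (so it can be
# tested offline); true when the unit runs with its own private /tmp.
private_tmp_enabled() {
  [ "$1" = "PrivateTmp=yes" ]
}

# From the host, a PrivateTmp service's /tmp is mounted under
# $base/systemd-private-<machine-id>-<unit>-<random>/tmp (systemd convention);
# $base is /tmp on a live system, a scratch directory in tests. Prints the first match.
find_private_tmp() {
  base=$1 unit=$2
  for d in "$base"/systemd-private-*-"$unit"-*/tmp; do
    if [ -d "$d" ]; then
      printf '%s\n' "$d"
      return 0
    fi
  done
  return 1
}

# Drop-in body for `systemctl edit <unit>`; "false" only if /tmp must really be shared.
render_private_tmp_override() {
  printf '[Service]\nPrivateTmp=%s\n' "$1"
}

# Live use: sh privatetmp-check.sh httpd.service /tmp/ramdisk/keys.txt
if [ "$#" -eq 2 ] && command -v systemctl >/dev/null 2>&1; then
  first_missing_component "$2" || true
  private_tmp_enabled "$(systemctl show -p PrivateTmp "$1")" && find_private_tmp /tmp "$1"
fi
```

Run as root: if the probe stops at /tmp/ramdisk while `dir -l` shows it exists, and the private /tmp is found under /tmp/systemd-private-*, the files are simply in a different mount namespace than the one httpd sees.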
On Tue, November 21, 2017 12:02 pm, Gordon Messmer wrote:
Ha-ha! I like it!
Does anybody remember LIDS:
https://en.wikipedia.org/wiki/Linux_Intrusion_Detection_System
The name is a bit deceptive. In short, LIDS is a Linux kernel patch that (roughly speaking) does the following: after the boot process finishes and all services have been started, the root user is demoted to user nobody ;-) You can only do administration on a cold, powered-off system - i.e. offline. Alas, LIDS didn't make it into the mainstream kernel. Its competitor (?) SElinux made it instead, and SElinux is child's play compared to LIDS IMHO... Every time SElinux is mentioned in one respect or another it makes my day, as I remember LIDS ;-)
I hope someone has a few laughs with me here.
Valeri
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247