[CentOS] File access in Apache 2.4 (clarification)

Tue Nov 21 17:24:16 UTC 2017
Jonathan Billings <billings at negate.org>

On Nov 21, 2017, at 11:42, david <david at daku.org> wrote:
> 
> Folks
> 
> I'm having file-access problems in Apache 2.4 under CentOS 7.  In particular:
> 
> - I have a file that's readable to every user and every application, (writeable by only one user), but my CGI scripts cannot read it.
> 
> - Some of my CGI scripts need temporary storage for some files.  They are, for example, some internal log files, that get cleaned up over time, but I want to be able to look at them (as root).  Where would you suggest they be placed?  I've tried /tmp/my_private_files/, and /var/tmp/my_private_files/, but Apache fails to find even the directory.
> 
> Here's some extra information
> SELINUX is disabled.
> 
> I modified my CGI script to report where in the path to /tmp/my_private_files/temp_log.log the process failed.  The Perl code I ran is:
> 
> 
>  my $x = "";
>  print STDERR "Trying to read /tmp/ramdisk/keys.txt\n";
>  for (split /\//, "/tmp/ramdisk/keys.txt") {
>    next unless $_;
>    $x .= "/$_";
>    print STDERR "Test $x, " , (-e $x?"exists":"does not exist"), "\n";
>  }
> 
> And the output in the http error log for this virtual user, (timestamp and other error log data stripped) was:
> 
> AH01215: Trying to read /tmp/ramdisk/keys.txt
> AH01215: Test /tmp, exists
> AH01215: Test /tmp/ramdisk, does not exist
> AH01215: Test /tmp/ramdisk/keys.txt, does not exist
> 
> Using the "dir -l" command as root, I discover:
> 
> dir -l / | grep tmp
> drwxrwxrwt.  16 root root  4096 Nov 21 08:35 tmp
> 
> dir -l /tmp | grep ramdisk
> drwxrwxrwt  2 root root    140 Nov 21 08:35 ramdisk
> 
> dir -l /tmp/ramdisk | grep keys.txt
> -rw-r--r-- 1 user1 user1 11829 Nov 21 08:29 keys.txt
> 
> 
> Any suggestions?
> 

The httpd.service unit in c7 has:
PrivateTmp=true

Which means that Apache has its own private /tmp namespace. So it’s probably working, just not where you expect. 


Don’t use /tmp in CGIs. 

(And don’t disable SELinux, particularly for web apps)
--
Jonathan Billings
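
Added example, not part of the original message: a small shell helper that maps a path as a PrivateTmp=true service sees it to the directory root sees on the host, which is where files the CGI writes under /tmp actually land. The function names and the script name are hypothetical; the systemd-private-<boot id>-<unit>-<random>/tmp layout is systemd's naming for private tmp directories.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.
# Check the setting first with:  systemctl show -p PrivateTmp httpd.service
# With PrivateTmp=true systemd backs the unit's /tmp with a host directory
# named <tmp root>/systemd-private-<boot id>-<unit>-<random>/tmp (root-only).

# private_tmp_dirs UNIT [TMP_ROOT]: print the host directories backing UNIT's /tmp.
private_tmp_dirs() {
    for d in "${2:-/tmp}"/systemd-private-*-"$1"-*/tmp; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; fi
    done
}

# host_path UNIT SEEN_PATH [TMP_ROOT]: translate a path as the service sees it
# (for example /tmp/ramdisk/keys.txt) into the path root sees on the host.
host_path() {
    case $2 in
        /tmp/*) rel=${2#/tmp/} ;;
        *) echo "not under /tmp: $2" >&2; return 2 ;;
    esac
    private_tmp_dirs "$1" "${3:-/tmp}" | while IFS= read -r d; do
        printf '%s/%s\n' "$d" "$rel"
    done
}

# report UNIT SEEN_PATH [TMP_ROOT]: show which copy of the path exists where.
report() {
    host_path "$1" "$2" "${3:-/tmp}" | while IFS= read -r p; do
        if [ -e "$p" ]; then echo "service sees it: $p"
        else echo "service does not see it: $p"; fi
    done
    if [ -e "$2" ]; then echo "exists in the host's /tmp: $2"; fi
}

# Run as root, e.g.:  sh private_tmp.sh httpd.service /tmp/ramdisk/keys.txt
if [ "$#" -ge 2 ]; then report "$@"; fi
```

A path reported as "service does not see it" while the same path exists in the host's /tmp matches the "does not exist" lines in the error log quoted above.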