[CentOS] File access in Apache 2.4 (clarification)

Tue Nov 21 17:40:27 UTC 2017
david <david at daku.org>

At 09:24 AM 11/21/2017, Jonathan Billings wrote:
>On Nov 21, 2017, at 11:42, david <david at daku.org> wrote:
> >
> > Folks
> >
> > I'm having file-access problems in Apache 2.4 under Centos 7.  In particular:
> >
> > - I have a file that's readable to every user and every application, (writeable by only one user), but my CGI scripts cannot read it.
> >
> > - Some of my CGI scripts need temporary storage for some files.  They are, for example, some internal log files, that get cleaned up over time, but I want to be able to look at them (as root).  Where would you suggest they be placed?  I've tried /tmp/my_private_files/, and /var/tmp/my_private_files/, but Apache fails to find even the directory.
> >
> > Here's some extra information
> > SELINUX is disabled.
> >
> > I modified my CGI script to report where in the path to /tmp/my_private_files/temp_log.log the process failed.  The Perl code I ran is:
> >
> >
> >  my $x = "";
> >  print STDERR "Trying to read /tmp/ramdisk/keys.txt\n";
> >  for (split /\//, "/tmp/ramdisk/keys.txt") {
> >    next unless $_;
> >    $x .= "/$_";
> >    print STDERR "Test $x, " , (-e $x?"exists":"does not exist"), "\n";
> >  }
> >
> > And the output in the http error log for this virtual user, (timestamp and other error log data stripped) was:
> >
> > AH01215: Trying to read /tmp/ramdisk/keys.txt
> > AH01215: Test /tmp, exists
> > AH01215: Test /tmp/ramdisk, does not exist
> > AH01215: Test /tmp/ramdisk/keys.txt, does not exist
> >
> > Using the "dir -l" command as root, I discover:
> >
> > dir -l / | grep tmp
> > drwxrwxrwt.  16 root root  4096 Nov 21 08:35 tmp
> >
> > dir -l /tmp | grep ramdisk
> > drwxrwxrwt  2 root root    140 Nov 21 08:35 ramdisk
> >
> > dir -l /tmp/ramdisk | grep keys.txt
> > -rw-r--r-- 1 user1 user1 11829 Nov 21 08:29 keys.txt
> >
> >
> > Any suggestions?
> >
>
>The httpd.service unit in c7 has:
>PrivateTmp=true
>
>Which means that Apache has its own private /tmp namespace. So it’s probably working, just not where you expect.
>
>
>Don’t use /tmp in CGIs.
>
>(And don’t disable selinux, particularly for web apps)
>--
>Jonathan Billings


Jonathan
Thanks for the advice.  If you recommend NOT to 
use /tmp for cgi temporaries, where would you put 
them and how to name them?  And about SELINUX, 
I'll consider that, but I'd like to get this working without SELINUX first.

And where should I put "globally readable" 
files?  These files need to be readable by all 
users (including Apache), but writeable only by 
one user.  In the past, I've placed them in a Ram 
disk since I don't want them to survive a 
power-off, and mounted that "device" directory 
in /tmp/ramdisk.  It was working perfectly in 
Centos 5, 6 and 7, with Centos 7 failing within 
the past week or so.  I do "yum update" every night.

David
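
An added example, not written by anyone in this thread: a shell check that reads `/proc/<pid>/mountinfo` and reports whether a process has the private `/tmp` that `PrivateTmp=true` gives it. The two mountinfo samples are constructed, the `systemd-private-EXAMPLE` directory name is a placeholder, and the `--live` mode assumes root and a unit named `httpd.service`.

```shell
#!/bin/sh
# Added example: decide from /proc/<pid>/mountinfo text whether a process
# sees a systemd private /tmp (PrivateTmp=true) instead of the host's /tmp.

# Print the "root" field (4th column) of the mount whose mount point
# (5th column) is /tmp. Reads mountinfo text on stdin. The last matching
# line wins because a later mount shadows an earlier one.
tmp_backing_dir() {
    awk '$5 == "/tmp" { root = $4 } END { if (root != "") print root }'
}

# Succeed when /tmp is bind-mounted from a systemd-private-* directory.
has_private_tmp() {
    case "$(tmp_backing_dir)" in
        */systemd-private-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a one-line verdict. $1 = label, stdin = mountinfo text.
report() {
    if has_private_tmp; then
        echo "$1: private /tmp, host files under /tmp are not visible"
    else
        echo "$1: host /tmp"
    fi
}

# Constructed sample: a login shell on a host with a ramdisk under /tmp.
SAMPLE_HOST='62 1 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/centos-root rw
88 62 0:40 / /tmp/ramdisk rw,relatime shared:30 - tmpfs tmpfs rw'

# Constructed sample: a service started with PrivateTmp=true.
SAMPLE_HTTPD='201 200 253:0 / / rw,relatime shared:90 master:1 - xfs /dev/mapper/centos-root rw
214 201 253:0 /tmp/systemd-private-EXAMPLE-httpd.service-EXAMPLE/tmp /tmp rw,relatime shared:95 master:1 - xfs /dev/mapper/centos-root rw'

if [ "${1:-}" = "--live" ]; then
    # Live mode (assumption: run as root): inspect the unit's main process.
    unit=${2:-httpd.service}
    pid=$(systemctl show -p MainPID "$unit")
    pid=${pid#MainPID=}
    report "$unit" < "/proc/$pid/mountinfo"
else
    printf '%s\n' "$SAMPLE_HOST"  | report "constructed login shell"
    printf '%s\n' "$SAMPLE_HTTPD" | report "constructed httpd"
fi
```

The directory printed by `tmp_backing_dir` is where root can find, on the host, the files the service wrote to its own `/tmp`.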