    #1
  1. Contributing User
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Jun 2003
    Location
    Thessaloniki
    Posts
    1,284
    Rep Power
    13

    Apache and suexec issue that won't let me run my Python script


    I want to test a Python script I made online and I receive this message:

    Code:
    [Thu May 30 15:29:33 2013] [error] [client 46.12.46.11] suexec failure: could not open log file 
    [Thu May 30 15:29:33 2013] [error] [client 46.12.46.11] fopen: Permission denied 
    [Thu May 30 15:29:33 2013] [error] [client 46.12.46.11] Premature end of script headers: koukos.py 
    [Thu May 30 15:29:33 2013] [error] [client 46.12.46.11] File does not exist: /home/nikos/public_html/500.shtml
    when I tail -F /usr/local/apache/logs/error_log &

    What does this error mean?

    It appears that the effective user of the script does not have permission to open the log file
    that the suexec call requires.
    - fopen reported "permission denied", presumably on the logfile
    - suexec, receiving the fopen "permission denied" error, reported "could not open log file"

    These errors, in turn, seem to have prematurely terminated the script headers that I use in
    koukos.py script, causing the koukos.py script to fail. This caused apache to report (with a generic
    and inappropriate error message) that the shtml file that invokes the script failed.

    I had:
    chown nikos:nikos ./koukos.py
    chmod 755 ./koukos.py

    but the problem still remains.
    suexec is not getting as far as running
    the script. I need to study the local
    configuration, to discover why suexec is being used when I don't want it to be.

    Can someone please look into this because I am inexperienced with these types of issues?

    --
    Webhost
    Last edited by Nik; May 31st, 2013 at 09:12 AM.
    What is now proved was once only imagined!
  2. #2
  3. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,122
    Rep Power
    9398
    Do you have SELinux? As a test can you disable it? Also make sure the log file is writable: likely that it exists and is writable by the apache user/group.
  4. #3
  5. Contributing User
    Hello requinix, how are you?

    I just know I rent a VPS running CentOS 6.4, as seen from this:

    root@nikos [/]# uname -a
    Linux nikos.superhost.gr 2.6.32-042stab075.2 #1 SMP Tue May 14 20:38:14 MSK 2013 x86_64 x86_64 x86_64 GNU/Linux

    Please give me precise info on what command I should issue to fix this. Thank you!

    Also, I just tried chown root:root ./koukos.py but tail still gives me:

    [Fri May 31 21:16:04 2013] [error] [client 46.12.46.11] suexec policy violation: see suexec log for more details
    [Fri May 31 21:16:04 2013] [error] [client 46.12.46.11] Premature end of script headers: koukos.py

    What is this suexec anyway and how to get rid of it?
    Last edited by Nik; May 31st, 2013 at 01:17 PM.
    What is now proved was once only imagined!
  6. #4
  7. Transforming Moderator
    suexec is good. Keep it and work within its restrictions. And chown the file back to you.

    - Disabling SELinux. Make it Permissive actually, not completely disabled.
    - There's a log file for suexec somewhere in /var/log. I cannot tell you where exactly but it'll be obvious when you find it.
    - Is that file writable by the apache user and/or group?
  8. #5
  9. Contributing User
    I don't know how to perform these actions you asked me to do.
    I don't even know what SELinux is.

    Can I please provide you with root access to my VPS to take a look at these things?

    I trust you. Please accept.
    What is now proved was once only imagined!
  10. #6
  11. Contributing User
    I host 10 people's websites on my VPS and I am worried about doing something stupid.
    What is now proved was once only imagined!
  12. #7
  13. Transforming Moderator
    I've only told you two actions: one is un-chowning the file, which I know you know how to do because you chowned it in the first place, and the other is setting SELinux to permissive mode, which I gave you a link to click on to see how to do that.

    And no, I can't do it for you. If you're the one who has to administer this server then you need to learn how to administer the server.
  14. #8
  15. Contributing User
    OK, I will try.

    What is suexec anyway? I read a bit about it but didn't understand what it is used for...
    What is now proved was once only imagined!
  16. #9
  17. Transforming Moderator
    It allows Apache to run scripts as a different user than itself.
  18. #10
  19. Contributing User
    Originally Posted by requinix
    It allows Apache to run scripts as a different user than itself.
    And how is that useful? Why shouldn't the Apache daemon run the Python script as the Apache user, but as someone else instead?

    And what exactly is the problem in my case?
    What is now proved was once only imagined!
  20. #11
  21. Transforming Moderator
    Because the Apache user is/should be very restricted in what it can do - read some files, write to a couple places, but that's all - while user scripts may need more privileges.

    Take uploads as an example. With normal running your script will run as the Apache user, but to copy files to a directory Apache needs write permissions. Anybody else on that machine running a script through Apache can then write to that directory too.
    With something like suexec your scripts will run as your user so the directory can stay write-only-by-you.

    In your case the problem is something I don't know because you've yet to follow through on the things I've asked you to do.
  22. #12
  23. Contributing User
    Okay, here it is:

    Code:
    root@nikos [~]# /usr/local/apache/bin/suexec -V
     -D AP_DOC_ROOT="/"
     -D AP_GID_MIN=100
     -D AP_HTTPD_USER="nobody"
     -D AP_LOG_EXEC="/usr/local/apache/logs/suexec_log"
     -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
     -D AP_UID_MIN=100
     -D AP_USERDIR_SUFFIX="public_html"
    root@nikos [~]# ls -l /usr/local/apache/logs/suexec_log
    -rw-r--r-- 1 root nobody 505948 Jun  1 01:35 /usr/local/apache/logs/suexec_log
    root@nikos [~]# chown apache:apache /usr/local/apache/logs/suexec_log
    root@nikos [~]# tail -F /usr/local/apache/logs/error_log 
    
    [Sat Jun 01 01:48:56 2013] [error] [client 46.12.46.11] suexec failure: could not open log file
    [Sat Jun 01 01:48:56 2013] [error] [client 46.12.46.11] fopen: Permission denied
    [Sat Jun 01 01:48:56 2013] [error] [client 46.12.46.11] Premature end of script headers: koukos.py
    [Sat Jun 01 01:48:56 2013] [error] [client 46.12.46.11] File does not exist: /home/nikos/public_html/500.shtml
    just when I request http://superhost.gr/cgi-bin/koukos.py

    The Python script is surely correct because
    python3 koukos.py produces valid output.
    It's when I try to run it via the browser that it has this problem with the suexec log.

    Should I restart Apache in order to see it?
    What is now proved was once only imagined!
  24. #13
  25. Transforming Moderator
    You have AP_HTTPD_USER as "nobody" but Apache is running as "apache"? AP_HTTPD_USER needs to be set to that same username.
  26. #14
  27. Contributing User
    What is this directive AP_HTTPD_USER?

    How do I set AP_HTTPD_USER to "apache" also?

    Was it correct to do:

    root@nikos [~]# chown apache:apache /usr/local/apache/logs/suexec_log

    before it was root:nobody
    What is now proved was once only imagined!
  28. #15
  29. Contributing User
    Code:
    -r-s--x--- 1 root apache 13984 Feb 22 13:21 /usr/sbin/suexec*
    root@nikos [/opt/python3/bin]# chown root:apache /usr/local/apache/logs/suexec_log
    root@nikos [/opt/python3/bin]# suexec -V
     -D AP_DOC_ROOT="/var/www"
     -D AP_GID_MIN=100
     -D AP_HTTPD_USER="apache"
     -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
     -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
     -D AP_UID_MIN=500
     -D AP_USERDIR_SUFFIX="public_html"
    BUT the problem still remains the same.

    [Sat Jun 01 02:25:02 2013] [error] [client 46.12.46.11] suexec failure: could not open log file
    [Sat Jun 01 02:25:02 2013] [error] [client 46.12.46.11] fopen: Permission denied
    [Sat Jun 01 02:25:02 2013] [error] [client 46.12.46.11] Premature end of script headers: koukos.py
    [Sat Jun 01 02:25:02 2013] [error] [client 46.12.46.11] File does not exist: /home/nikos/public_html/500.shtml

    and I have also tried:

    root@nikos [/opt/python3/bin]# /etc/init.d/httpd restart
    [Sat Jun 01 02:27:57 2013] [warn] module rpaf_module is already loaded, skipping
    root@nikos [/opt/python3/bin]#
    What is now proved was once only imagined!
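
An added example, not part of any post in this thread: a small shell audit of the values `suexec -V` reports (they are compiled into the binary), compared against the user httpd runs as and against the ownership and setuid bit the wrapper needs to switch users. The function names are hypothetical, the `-V` text is copied from post #12, the `ls -l` line is constructed, and "apache" as the running user is an assumption taken from reply #13.

```shell
#!/bin/sh
# Added example. The -V text is copied from the thread; the ls line is constructed.
SUEXEC_V=' -D AP_DOC_ROOT="/"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="nobody"
 -D AP_LOG_EXEC="/usr/local/apache/logs/suexec_log"
 -D AP_UID_MIN=100'
BINARY_LS='-rwxr-xr-x 1 root root 13984 Jan  1 00:00 suexec'   # constructed

# suexec_setting NAME: read `suexec -V` output on stdin, print NAME's value.
suexec_setting() {
    awk -v key="$1" '$1 == "-D" && index($2, key "=") == 1 {
        v = $0; sub(/^[^=]*=/, "", v); gsub(/"/, "", v); print v }'
}

# is_setuid_root LINE: succeed if an `ls -l` line shows owner root plus setuid.
is_setuid_root() {
    printf '%s\n' "$1" | awk '{ exit !(substr($1, 4, 1) == "s" && $3 == "root") }'
}

# audit_suexec RUNNING_USER V_TEXT LS_LINE: print findings, return their count.
audit_suexec() {
    problems=0
    caller=$(printf '%s\n' "$2" | suexec_setting AP_HTTPD_USER)
    if [ "$caller" != "$1" ]; then
        echo "CALLER: built for '$caller' but httpd runs as '$1'"
        problems=$((problems + 1))
    fi
    if ! is_setuid_root "$3"; then
        echo "BINARY: not root-owned with the setuid bit"
        problems=$((problems + 1))
    fi
    echo "LOG: $(printf '%s\n' "$2" | suexec_setting AP_LOG_EXEC)"
    return "$problems"
}

# "apache" as the running user is an assumption taken from the reply above;
# on a live host read it with: ps -C httpd -o user=
audit_suexec apache "$SUEXEC_V" "$BINARY_LS" || echo "problems found: $?"
```

On a live host, pass the real `suexec -V` output and the `ls -l` line of the same binary, since the thread shows two suexec binaries with different compiled-in settings.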