python-list
Re: Serious Privileges Problem: Please Help
by Rami Chowdhury
Nov 8 2009 2:51AM
On Saturday 07 November 2009 23:59:23 Victor Subervi wrote:
>  restorecon didn't change ls -lZ output

Did the suggested changes to the Apache configuration help at all?

>  Can you give me the exact command for chcon? It complains there are too few
>  arguments, and I couldn't figure it out.

For chcon, you probably want the 'unconfined_u' user setting, the 'object_r' 
role setting, and the 'httpd_sys_content_t' type setting. As 'chcon --help' 
tells us, you need to call it as follows:

chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...

Of course, here FILE can also be a directory, or the root of a directory tree, 
and the -R option will make chcon run recursively. 

>  Does this really matter? I moved the selinux folder and its contents as
>   well as sent an "echo 0>..." command to kill it. 

I'm not certain -- have you tried confirming through programs such as
system-config-securitylevel that it's off?

>   Furthermore,
>  [root@13gems global_solutions]# ps wax|grep selinux
>  17645 pts/0    S+     0:00 grep selinux

SELinux is a kernel subsystem -- it won't show up in the process list.

>  Please advise.
>  V
>  
>  On Sat, Nov 7, 2009 at 5:49 PM, Rami Chowdhury <rami.chowdhury@[...].com> wrote:
>  > On Saturday 07 November 2009 13:51:06 Victor Subervi wrote:
>  > > httpd.conf:
>  > >
>  > > <VirtualHost *:80>
>  > > ServerAdmin me@[...].vi
>  > > DocumentRoot /var/www/html/angrynates.com
>  > > ServerName angrynates.com
>  > > Options +ExecCGI -IncludesNoExec
>  > > <Directory /var/www/html/angrynates.com/global_solutions/*>
>  >
>  > You may want to change this to:
>  >         <Directory /var/www/html/angrynates.com/global_solutions>
>  >
>  > If you want regular expression syntax, I would advise using the syntax
>  >        <Directory ~ EXPRESSION>
>  > or
>  >        <DirectoryMatch ~ EXPRESSION>
>  >
>  > > #ls -lZ
>  > > drwxr-xr-x  root root                                  1024
>  > > drwxr-xr-x  root root                                  1132
>  > > drwxr-xr-x  root root                                  1255
>  >
>  > [snip]
>  >
>  > It looks like you don't have *any* SELinux context information; if SELinux
>  > is on, this will cause problems. Try using the 'restorecon' command to put
>  > the defaults in place, and consider using 'chcon' to change the security
>  > context to an appropriate one (I believe you want something like
>  > 'unconfined_u:object_r:httpd_sys_content_t' for Apache content).
>  >
>  > > On Sat, Nov 7, 2009 at 4:09 PM, Rami Chowdhury <rami.chowdhury@[...].com> wrote:
>  > > > On Saturday 07 November 2009 06:13:11 Victor Subervi wrote:
>  > > > > I have a serious privileges problem that is making it impossible to
>  > > > > serve python pages on a CentOS server. It appears that nobody on
>  > > > > the CentOS discussion list has a solution to this problem. I'm
>  > > > > desperate and hoping someone on this list can help.
>  > > > >
>  > > > > [Fri Nov 06 11:50:40 2009] [error] [client 66.248.168.98] (2)No such file or directory: exec of '/var/www/html/angrynates.com/global_solutions/index.py' failed, referer: http://angrynates.com/global_solutions/
>  > > > > [Fri Nov 06 11:50:40 2009] [error] [client 66.248.168.98] Premature end of script headers: index.py, referer: http://angrynates.com/global_solutions/
>  > > >
>  > > > > Now, the file does exist:
>  > > > >
>  > > > > [root@13gems global_solutions]# pwd
>  > > > > /var/www/html/angrynates.com/global_solutions
>  > > > > [root@13gems global_solutions]# ls
>  > > > > ....
>  > > > > -rwxr-xr-x 1 victor victor 275 Nov 6 07:05 index.py
>  > > > > ....
>  > > > > and it serves just fine on another server, so there is no
>  > > > > "premature end of script headers".
>  > > > >
>  > > > >
>  > > > > Here's where it gets really weird. If I copy the code for index.py and
>  > > > > template.py which the former calls, and create files test.py and
>  > > > > test2.py and paste the code from the former files in those new
>  > > > > files changing only the import statement from "template" to
>  > > > > "test2", the tests will resolve!! Now, the ownership and mode are
>  > > > > identical on all of them!!
>  > > > >
>  > > > >
>  > > > > [root@13gems global_solutions]# ls -al | grep test.py
>  > > > > -rwxr-xr-x 1 root root 298 Nov 6 12:24 test.py
>  > > > > [root@13gems global_solutions]# ls -al | grep test2.py
>  > > > > -rwxr-xr-x 1 root root 5716 Nov 6 12:25 test2.py
>  > > > > [root@13gems global_solutions]# ls -al | grep index.py
>  > > > > -rwxr-xr-x 1 root root 316 Nov 6 07:05 index.py
>  > > > > [root@13gems global_solutions]# ls -al | grep template.py
>  > > > > -rwxr-xr-x 1 root root 5806 Nov 6 07:06 template.py
>  > > > > -rwxr-xr-x 1 root root 6093 Nov 6 07:06 template.pyc
>  > > > >
>  > > > > where test.py is identical to index.py (other than the necessary
>  > > > > import) and template is identical to test2.py
>  > > > >
>  > > > >
>  > > > > fixfiles relabel /var/www/html
>  > > > > # might just work
>  > > > > It didn't
>  > > > >
>  > > > > touch /.autorelabel
>  > > > > # and then reboot will relabel all copied files to the correct contexts for the location
>  > > > > I rebooted apache with no luck
>  > > > >
>  > > > > or you could turn off SELinux and reboot
>  > > > > I did that and the following two solutions with no luck:
>  > > > > echo 0 >/selinux/enforce
>  > > > >
>  > > > > [root@13gems ~]# cd /etc/
>  > > > > [root@13gems etc]# mv selinux/ selinux.BAK
>  > > > > [root@13gems etc]# mkdir selinux
>  > > > > [root@13gems etc]# echo 0>/selinux/enforce
>  > > > >
>  > > > > ...and the problem continues:
>  > > > > [root@13gems etc]# tail /var/log/httpd/error_log
>  > > > > [Fri Nov 06 12:51:49 2009] [error] [client 66.248.168.98] Premature end of script headers: index.py, referer: http://angrynates.com/global_solutions/
>  > > > > [Fri Nov 06 12:56:18 2009] [error] [client 66.248.168.98] (2)No such file or directory: exec of '/var/www/html/angrynates.com/global_solutions/index.py' failed, referer: http://angrynates.com/global_solutions/
>  > > > > [Fri Nov 06 12:56:18 2009] [error] [client 66.248.168.98] Premature end of script headers: index.py, referer: http://angrynates.com/global_solutions/
>  > > > > [Fri Nov 06 12:56:20 2009] [error] [client 67.96.172.81] (2)No such file or directory: exec of '/var/www/html/angrynates.com/global_solutions/index.py' failed
>  > > > > [Fri Nov 06 12:56:20 2009] [error] [client 67.96.172.81] Premature end of script headers: index.py
>  > > > > [Fri Nov 06 13:52:15 2009] [error] [client 66.249.67.153] File does not exist: /var/www/html/angrynates.com/robots.txt
>  > > > > [Fri Nov 06 13:52:52 2009] [error] [client 208.84.198.58] (2)No such file or directory: exec of '/var/www/html/angrynates.com/global_solutions/index.py' failed, referer: http://angrynates.com/global_solutions/
>  > > > > [Fri Nov 06 13:52:52 2009] [error] [client 208.84.198.58] Premature end of script headers: index.py, referer: http://angrynates.com/global_solutions/
>  > > > > [Fri Nov 06 13:52:52 2009] [error] [client 208.84.198.58] File does not exist: /var/www/html/angrynates.com/favicon.ico
>  > > > > [Fri Nov 06 13:52:53 2009] [error] [client 208.84.198.58] File does not exist: /var/www/html/angrynates.com/favicon.ico
>  > > > > [root@13gems etc]#
>  > > > >
>  > > > > Please help.
>  > > > > Victor
>  > > >
>  > > > Can we see the output of 'ls -lZ' and 'fixfiles check' on those
>  > > > directories, and see what the Apache (httpd.conf or .htaccess)
>  > > > configuration is for them?
>  > > >
>  > > > ----
>  > > > Rami Chowdhury
>  > > > "Passion is inversely proportional to the amount of real information
>  > > > available." -- Benford's Law of Controversy
>  > > > 408-597-7068 (US) / 07875-841-046 (UK) / 0189-245544 (BD)
>  >
>  > ----
>  > Rami Chowdhury
>  > "Strangers are just friends who haven't had enough gin." -- Howdle's Saying
>  > 408-597-7068 (US) / 07875-841-046 (UK) / 0189-245544 (BD)
>  


----
Rami Chowdhury
"A man with a watch knows what time it is. A man with two watches is never 
sure". -- Segal's Law
408-597-7068 (US) / 07875-841-046 (UK) / 0189-245544 (BD)
-- 
http://mail.python.org/mailman/listinfo/python-list
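
The checks discussed in this thread, as an added shell example (not code from the original messages): it reads the SELinux mode from the kernel's enforce file instead of the process list, flags 'ls -lZ' entries whose context is missing or has an unexpected type, and prints the recursive chcon call. The function names and the sample listing are constructed for illustration.

```shell
# Added example: function names and sample data are constructed, not from the thread.

# selinux_mode [FILE]: read the kernel's enforce flag rather than looking for a
# process. FILE defaults to /selinux/enforce (the path used in the thread);
# newer kernels expose it at /sys/fs/selinux/enforce.
# Note: `echo 0>FILE` (no space before >) redirects fd 0 and writes nothing
# to FILE; `echo 0 >FILE` is the form that writes the 0.
selinux_mode() {
    f=${1:-/selinux/enforce}
    [ -r "$f" ] || { echo not-mounted; return 0; }
    case $(cat "$f") in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# check_contexts TYPE: read `ls -lZ` lines on stdin; print each entry whose
# SELinux context is absent or whose type field is not TYPE.
# Limitation: the name is taken as the last field, so names with spaces break.
check_contexts() {
    awk -v want="$1" '
        NF < 2 || $1 == "total" { next }
        {
            ctx = ""
            for (i = 1; i < NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+/) { ctx = $i; break }
            if (ctx == "") { print $NF ": no context"; next }
            split(ctx, part, ":")          # user:role:type[:range]
            if (part[3] != want) print $NF ": type " part[3]
        }'
}

# relabel_cmd DIR: print (do not run) the recursive chcon call built from the
# user, role and type suggested in the thread.
relabel_cmd() {
    printf 'chcon -R -u unconfined_u -r object_r -t httpd_sys_content_t %s\n' "$1"
}

# Constructed listing: the first line mimics the context-less output in the thread.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x  root root                                          1024
-rwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 index.py
-rwxr-xr-x  root root root:object_r:user_home_t                template.py
EOF
}

sample_listing | check_contexts httpd_sys_content_t
```

On a live system, pipe the real listing in instead, for example: ls -lZ /var/www/html/angrynates.com/global_solutions | check_contexts httpd_sys_content_t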