Serious Privileges Problem: Please Help

Rami Chowdhury rami.chowdhury at gmail.com
Sun Nov 8 11:49:54 CET 2009


On Saturday 07 November 2009 23:59:23 Victor Subervi wrote:
> restorecon didn't change ls -lZ output

Did the suggested changes to the Apache configuration help at all?

> Can you give me the exact command for chcon? It complains there are too few
> arguments, and I couldn't figure it out.

For chcon, you probably want the 'unconfined_u' user setting, the 'object_r' 
role setting, and the 'httpd_sys_content_t' type setting. As 'chcon --help' 
tells us, you need to call it as follows:

chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...

Of course, here FILE can also be a directory, or the root of a directory tree, 
and the -R option will make chcon run recursively. 

> Does this really matter? I moved the selinux folder and its contents as
>  well as sent an "echo 0>..." command to kill it. 

I'm not certain -- have you tried confirming through programs such as
system-config-securitylevel that it's off?

>  Furthermore,
> [root at 13gems global_solutions]# ps wax|grep selinux
> 17645 pts/0    S+     0:00 grep selinux

SELinux is a kernel subsystem -- it won't show up in the process list.

> Please advise.
> V
> 
> On Sat, Nov 7, 2009 at 5:49 PM, Rami Chowdhury <rami.chowdhury at gmail.com> wrote:
> > On Saturday 07 November 2009 13:51:06 Victor Subervi wrote:
> > > httpd.conf:
> > >
> > > <VirtualHost *:80>
> > > ServerAdmin me at creative.vi
> > > DocumentRoot /var/www/html/angrynates.com
> > > ServerName angrynates.com
> > > Options +ExecCGI -IncludesNoExec
> > > <Directory /var/www/html/angrynates.com/global_solutions/*>
> >
> > You may want to change this to:
> >         <Directory /var/www/html/angrynates.com/global_solutions>
> >
> > If you want regular expression syntax, I would advise using the syntax
> >        <Directory ~ EXPRESSION>
> > or
> >        <DirectoryMatch ~ EXPRESSION>
> >
> > > #ls -lZ
> > > drwxr-xr-x  root root                                  1024
> > > drwxr-xr-x  root root                                  1132
> > > drwxr-xr-x  root root                                  1255
> >
> > [snip]
> >
> > It looks like you don't have *any* SELinux context information; if
> > SELinux is on, this will cause problems. Try using the 'restorecon'
> > command to put the defaults in place, and consider using 'chcon' to
> > change the security context to an appropriate one (I believe you want
> > something like 'unconfined_u:object_r:httpd_sys_content_t' for Apache
> > content).
> >
> > > On Sat, Nov 7, 2009 at 4:09 PM, Rami Chowdhury <rami.chowdhury at gmail.com> wrote:
> > > > On Saturday 07 November 2009 06:13:11 Victor Subervi wrote:
> > > > > I have a serious privileges problem that is making it impossible to
> > > > > serve python pages on a CentOS server. It appears that nobody on
> > > > > the CentOS discussion list has a solution to this problem. I'm
> > > > > desperate and hoping someone on this list can help.
> > > > >
> > > > > > [Fri Nov 06 11:50:40 2009] [error] [client 66.248.168.98] (2)No such file or directory: exec of '/var/www/html/angrynates.com/global_solutions/index.py' failed, referer: http://angrynates.com/global_solutions/
> > > > > > [Fri Nov 06 11:50:40 2009] [error] [client 66.248.168.98] Premature end of script headers: index.py, referer: http://angrynates.com/global_solutions/
> > > > > >
> > > > > Now, the file does exist:
> > > > >
> > > > > [root at 13gems global_solutions]# pwd
> > > > > /var/www/html/angrynates.com/global_solutions
> > > > > [root at 13gems global_solutions]# ls
> > > > > ....
> > > > > -rwxr-xr-x 1 victor victor 275 Nov 6 07:05 index.py
> > > > > ....
> > > > > > and it serves just fine on another server, so there is no
> > > > > > "premature end of script headers".
> > > > >
> > > > >
> > > > > > Here's where it gets really weird. If I copy the code for index.py
> > > > > > and template.py which the former calls, and create files test.py and
> > > > > > test2.py and paste the code from the former files in those new
> > > > > > files changing only the import statement from "template" to
> > > > > > "test2", the tests will resolve!! Now, the ownership and mode are
> > > > > > identical on all of them!!
> > > > >
> > > > >
> > > > > [root at 13gems global_solutions]# ls -al | grep test.py
> > > > > -rwxr-xr-x 1 root root 298 Nov 6 12:24 test.py
> > > > > [root at 13gems global_solutions]# ls -al | grep test2.py
> > > > > -rwxr-xr-x 1 root root 5716 Nov 6 12:25 test2.py
> > > > > [root at 13gems global_solutions]# ls -al | grep index.py
> > > > > -rwxr-xr-x 1 root root 316 Nov 6 07:05 index.py
> > > > > [root at 13gems global_solutions]# ls -al | grep template.py
> > > > > -rwxr-xr-x 1 root root 5806 Nov 6 07:06 template.py
> > > > > -rwxr-xr-x 1 root root 6093 Nov 6 07:06 template.pyc
> > > > >
> > > > > where test.py is identical to index.py (other than the necessary
> > > > > import) and template is identical to test2.py
> > > > >
> > > > >
> > > > > fixfiles relabel /var/www/html
> > > > > # might just work
> > > > > It didn't
> > > > >
> > > > > touch /.autorelabel
> > > > > > # and then reboot will relabel all copied files to the correct contexts for the location
> > > > > I rebooted apache with no luck
> > > > >
> > > > > or you could turn off SELinux and reboot
> > > > > I did that and the following two solutions with no luck:
> > > > > echo 0 >/selinux/enforce
> > > > >
> > > > > [root at 13gems ~]# cd /etc/
> > > > > [root at 13gems etc]# mv selinux/ selinux.BAK
> > > > > [root at 13gems etc]# mkdir selinux
> > > > > [root at 13gems etc]# echo 0>/selinux/enforce
> > > > >
> > > > > ...and the problem continues:
> > > > > [root at 13gems etc]# tail /var/log/httpd/error_log
> > > > > > [Fri Nov 06 12:51:49 2009] [error] [client 66.248.168.98] Premature end of script headers: index.py, referer: http://angrynates.com/global_solutions/
> > > > > > [Fri Nov 06 12:56:18 2009] [error] [client 66.248.168.98] (2)No such file or directory: exec of '/var/www/html/angrynates.com/global_solutions/index.py' failed, referer: http://angrynates.com/global_solutions/
> > > > > > [Fri Nov 06 12:56:18 2009] [error] [client 66.248.168.98] Premature end of script headers: index.py, referer: http://angrynates.com/global_solutions/
> > > > > > [Fri Nov 06 12:56:20 2009] [error] [client 67.96.172.81] (2)No such file or directory: exec of '/var/www/html/angrynates.com/global_solutions/index.py' failed
> > > > > > [Fri Nov 06 12:56:20 2009] [error] [client 67.96.172.81] Premature end of script headers: index.py
> > > > > > [Fri Nov 06 13:52:15 2009] [error] [client 66.249.67.153] File does not exist: /var/www/html/angrynates.com/robots.txt
> > > > > > [Fri Nov 06 13:52:52 2009] [error] [client 208.84.198.58] (2)No such file or directory: exec of '/var/www/html/angrynates.com/global_solutions/index.py' failed, referer: http://angrynates.com/global_solutions/
> > > > > > [Fri Nov 06 13:52:52 2009] [error] [client 208.84.198.58] Premature end of script headers: index.py, referer: http://angrynates.com/global_solutions/
> > > > > > [Fri Nov 06 13:52:52 2009] [error] [client 208.84.198.58] File does not exist: /var/www/html/angrynates.com/favicon.ico
> > > > > > [Fri Nov 06 13:52:53 2009] [error] [client 208.84.198.58] File does not exist: /var/www/html/angrynates.com/favicon.ico
> > > > > [root at 13gems etc]#
> > > > >
> > > > > Please help.
> > > > > Victor
> > > >
> > > > Can we see the output of 'ls -lZ' and 'fixfiles check' on those
> > > > directories,
> > > > and see what the Apache (httpd.conf or .htaccess) configuration is
> > > > for them?
> > > >
> > > > ----
> > > > Rami Chowdhury
> > > > "Passion is inversely proportional to the amount of real information
> > > > available." -- Benford's Law of Controversy
> > > > 408-597-7068 (US) / 07875-841-046 (UK) / 0189-245544 (BD)
> >
> > ----
> > Rami Chowdhury
> > "Strangers are just friends who haven't had enough gin." -- Howdle's Saying
> > 408-597-7068 (US) / 07875-841-046 (UK) / 0189-245544 (BD)
> 


----
Rami Chowdhury
"A man with a watch knows what time it is. A man with two watches is never 
sure". -- Segal's Law
408-597-7068 (US) / 07875-841-046 (UK) / 0189-245544 (BD)
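
Added example (not part of the original message or thread): the checks discussed above as shell functions, reading the SELinux mode from selinuxfs instead of the process list, listing files whose type is not httpd_sys_content_t, and printing the chcon call. The function names, the /var/www/html/example paths and the sample labels are constructed for illustration, and the input is assumed to come from GNU stat -c '%C %n'.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# SELinux lives in the kernel, so read its mode from selinuxfs, not from ps.
# $1 = selinuxfs mount point (/selinux as in this thread; /sys/fs/selinux on
# newer systems). An empty enforce file reports "unknown": that is what
# `echo 0>FILE` leaves in a plain directory, because the shell parses `0>` as
# a redirection of fd 0 and echo is left with no argument to write.
selinux_mode() {
    f="${1:-/selinux}/enforce"
    # No enforce file: SELinux is disabled (or selinuxfs is mounted elsewhere).
    [ -r "$f" ] || { echo disabled; return 0; }
    case "$(cat "$f")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Read "CONTEXT PATH" lines (assumed format of: stat -c '%C %n' FILE...) and
# print every path whose SELinux type, the third field, is not $1.
# A file with no label shows "?" as its context and is reported as well.
mislabeled() {
    want="$1"
    while read -r ctx path; do
        setype=$(printf '%s\n' "$ctx" | cut -d: -f3)
        [ "$setype" = "$want" ] || printf '%s\n' "$path"
    done
}

# Print, without running it, the recursive chcon call described in the reply.
chcon_cmd() {
    printf 'chcon -R -u unconfined_u -r object_r -t httpd_sys_content_t %s\n' "$1"
}

# Constructed sample input; these labels are NOT taken from the poster's server.
SAMPLE='unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/example/test.py
? /var/www/html/example/index.py
unconfined_u:object_r:user_home_t:s0 /var/www/html/example/template.py'

echo "SELinux mode: $(selinux_mode)"
printf '%s\n' "$SAMPLE" | mislabeled httpd_sys_content_t
chcon_cmd /var/www/html/example
```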


