[Tutor] Permissions between Apache, Python cgi scripts and Unix Sockets

Stewart Lawton jstewartlawton at yahoo.co.uk
Wed May 13 09:58:14 CEST 2015


From: Alan Gauld <alan.gauld at btinternet.com>
To: Stewart Lawton <jstewartlawton at yahoo.co.uk>; tutor <tutor at python.org>
Sent: Tuesday, 12 May 2015, 20:01
Subject: Re: my membership and access to the Tutor list

Forwarding to the list for comment.
Always use Reply All (or Reply List if your mailer supports it)
when including the list members.

Alan G

On 12/05/15 11:24, Stewart Lawton wrote:
> Hi Alan
> I have worked through the file permissions, cognisant of your
> comments, to see if I can find what
> is failing in apache access to a python created unix socket. Points 1)
> ,..., 12) give the results.
> In particular I do not understand how to set the user of uds_socket to 
> apache or set the write permission of
> uds_socket group to rwx. I think that either change should enable 
> successful operation, comments please!
> In answer to your other questions:
> I chose Unix Sockets since I had very similar access problems with IP 
> sockets.
> I would like to remote control an embedded device from a laptop. The 
> target will be Raspberrypi that in turn communicates to ARM Cortex M3 
> devices that are capable of  correct Nyquist sampling, that Unix based 
> devices cannot guarantee. I chose Python since it is so widely used 
> and I need to learn that language processor. I appreciate there are 
> many other ways of achieving this end but I think this one ought
> to work!
> Many Thanks for your help,
> Stewart Lawton
>
> 1) /etc/httpd/conf/httpd.conf specifies the apache server user and group
> as:-
>
> # User/Group: The name (or #number) of the user/group to run httpd as.
> # It is usually good practice to create a dedicated user and group for
> # running httpd, as with most system services.
> #
> User apache
> Group apache
> 2) apache is started with command sudo ./startapache that contains:-
> systemctl start httpd.service
>
> 3) the process status of apache is found by command ps -el
> the following is taken from the status report:-
> F S  UID  PID  PPID  C PRI  NI ADDR SZ WCHAN  TTY TIME CMD
> 4 S    0  2226    1  0  80  0 -  7493 poll_s ? 00:00:00 httpd
> 5 S    48  2227  2226  0  80  0 -  7493 inet_c ? 00:00:00 httpd
> 5 S    48  2228  2226  0  80  0 -  7493 inet_c ? 00:00:00 httpd
> 5 S    48  2229  2226  0  80  0 -  7493 inet_c ? 00:00:00 httpd
> 5 S    48  2230  2226  0  80  0 -  7493 inet_c ? 00:00:00 httpd
> 5 S    48  2233  2226  0  80  0 -  7493 inet_c ? 00:00:00 httpd
> 4) The user identity UID ,48,is used to find the user and group given 
> in /etc/passwd :-
> apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
> The user and group identities are given as 48:48 so the user and group
> are apache and apache.
> 5) The above hopefully establishes that the server has permissions on
> user and groups named as apache.
> 6) I created a test directory at /test to be used to contain the file
> node uds_socket.
> drwxrwxr-x.  2 apache apache  4096 May 11 20:15 test
> 7) on starting the Socket server that listens for an incoming connection
> the new uds_socket is created with user and group permissions as shown:-
> srwxr-xr-x. 1 johnlawton apache 0 May 12 10:22 /test/uds_socket
> 8) I do not understand what function the s bit performs here.
>  I note that group access cannot write the file.
> 9) When I execute the myUnix2.cgi script from /var/www/cgi_bin with 
> johnlawton as user with primary group apache the script executes and 
> the listening server responds correctly. I note johnlawton has rwx 
> access but the group apache access is limited  to r-x.
> 10) When the apache server executes the myUnix2.cgi script failure 
> results in failing to access the socket.
> 11) Summary. I think the server fails as it can only get group access 
> and group access is limited to
> r-x NO w permission.
> 12) How can I get UDS_Socket to be created with apache as user(hence 
> allowing rwx) or enable apache group access with w permission?
>
>
>
> ------------------------------------------------------------------------
> *From:* Alan Gauld <alan.gauld at btinternet.com>
> *To:* Stewart Lawton <jstewartlawton at yahoo.co.uk>; tutor 
> <tutor at python.org>
> *Sent:* Friday, 8 May 2015, 10:33
> *Subject:* Re: my membership and access to the Tutor list
>
> On 08/05/15 09:09, Stewart Lawton wrote:
> > Hi Alan
> > Thank you very much for your response to my Tutor at python.org 
> <mailto:Tutor at python.org> question.
> > I thought my membership was complete and that I could log in to answer
> > your comments.
>
> The tutor list is a mailing list, not a web forum. You don't log in to
> answer comments, you send an email reply. Use Reply to send to the individual
> (as you've just done with me) or, more usually, use ReplyAll (or ReplyList
> if your mail tool has that feature) to reply to everyone on the list.
>
> Use plain text to preserve code layout and use interleaved posting
> (as I'm doing here) rather than top-posting.
>
> > I found I could not login again. PLEASE can you help to get my
> > password reset?
>
> Only you can change the password, it's purely web-based. I only
> approve messages in the moderation queue, virtually nothing else.
> But the password just gives you access to your admin settings.
>
> > I think I am failing to understand what user and or group permissions
> > are required between apache python, and the python myUnix2.cgi program
> > I am using.
>
> OK, I'm no expert here but several things about your program
> have me puzzled.
>
> First remember that the web server will have its own user account
> and thus your code is effectively being run by another user. So any
> permissions on your files need to allow that user to have access.
> This is obviously a security risk and the reason it's best not to have
> web programs accessing files in a users area but to copy any files
> needed into the web server space.
>
> > This program script is listed below, hopefully with spaces corrected
>
> Spacing is now legal, but you should increase the indentation to
> make it more readable. Consider 2 spaces as the absolute minimum,
> most people use 3 or 4. If you ever submit code to the Python
> standard library it must use 4 spaces. One space makes the
> indentation hard to line up and almost defeats the point of
> having it.
>
> path to uds_socket corrected as Felix Dietricl suggested may be an
> issue.
>
>
> > 1) From my user directory I issued the script Unix2.cgi to
> > a listening Unix sockets server and this worked OK.
> > 2) the permissions of Unix2.cgi are:-
> > -rwxrwxrwx. 1 johnlawton johnlawton  987 May  7 17:55 myUnix2.cgi
> > This is not good from security but surely proves the script can execute if
> > permissions are not considered.
> > 3)This file is copied to the apache cgi directory /var/www/cgi-bin
> > with the permissions
> > forced as
> > -rwxrwxrwx. 1 johnlawton johnlawton 987 May  7 18:19
> > ../../../var/www/cgi-bin/myUnix2.cgi
> > 4) Execution of the cgi script directly works OK.
>
> OK, Permissions of the cgi script are not critical they just need to be
> executable to the web server. So you could have ---r-xrwx and it should
> be more secure and work OK. What is important is that you change
> ownership to whatever the apache user account is (local config, I can't
> help there you'll need to look at the files).
>
> > 5) http is enabled in the fedora firewall
> > 6)The apache server is started using sudo systemctl start httpd.service.
> > When firefox is used to have Unix2.cgi executed the localhost receives
> > the following error report.
> >
> > Traceback (most recent call last):
> >
> >  File "/var/www/cgi-bin/myUnix2.cgi", line 37, in <module>
> >    creSockettoServer()
> >  File "/var/www/cgi-bin/myUnix2.cgi", line 26, in creSockettoServer
> >    sys.exit(1)
> > SystemExit: 1
> >
> > 7) The copy process of myUnix2.cgi from my user directory to
> > /var/www/cgi-bin
> > but setting user and group to root with full permissions results in
> > -rwxrwxrwx. 1 root root 987 May  7 18:45
> > ../../../var/www/cgi-bin/myUnix2.cgi
>
> OK, But I sincerely hope the web server is NOT running as root, that
> would be a security disaster and a cracker's paradise!
>
> > 8)When firefox is used to have Unix2.cgi executed the localhost
> > receives the
> > same error report given under 6).
> > 9) summary since the 'o' permissions are forced to rwx the script
> > should execute no matter what user/group are specified?
> > 10) How do I establish necessary cgi permissions?
> The problems are not with your script but with the socket you are
> trying to create, or the path to it. It's those permissions that likely
> need to be changed.
>
>
>
> > #!/usr/bin/env python
> > import cgi
> > import socket
> > import sys
> >
> > def htmlTop():
> >     # CGI header, then the blank line that ends the headers, then the page head
> >     print("""Content-type:text/html\n\n
> >     <!DOCTYPE html>
> >     <html lang="en">
> >       <head>
> >         <meta charset="utf-8" />
> >         <title> MyServer Template </title>
> >       </head>
> >       <body>""")
> >
> > def htmlTail():
> >     print("""</body>
> >     </html> """)
> >
> > def creSockettoServer():
> >     sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
> >     server_address = '/home/johnlawton/workspace/myUnixSock/uds_socket'
> >     # The post stops here; the traceback quoted earlier shows the function
> >     # ends in sys.exit(1) when the socket cannot be reached, so:
> >     try:
> >         sock.connect(server_address)
> >     except socket.error as err:
> >         print("cannot connect to %s: %s" % (server_address, err))
> >         sys.exit(1)
> >     return sock
>
>
> I confess I've never used a socket like this, indeed I was only
> vaguely aware of their existence! I assume you have previous
> experience of using UNIX domain sockets (in C?) since there
> is relatively little tutorial help out there.
>
> I've always used sockets for IP and given an IP address to the socket.
> So I can only guess what's going on in your case. Can I ask what you
> are trying to do in your program that you need UNIX sockets? Just curious.
> Also one thing that occurs to me - have you made sure the socket file
> is being deleted each time before you run the program? An existing
> socket file may well cause your problems.
>
> Back to the issue at hand...
> Can you write a simpler CGI script that just prints data or similar?
> That way you can check that your CGI setup is working first
> and then focus on the issue of opening the socket. I'm a big believer
> in solving one problem at a time.
>
> In fact you could then write a second script that reads your socket
> folder and prints a dir listing using os.listdir() or glob() or similar to
> prove basic access is OK. It might also print some info about the
> user so that you know which account is running your scripts.
>
> Armed with that information you can then tackle the issue of
> creating your socket file.
>
> I've CCd the list so that others can contribute too.
>
> -- 
> Alan G
> Author of the Learn to Program web site
> http://www.alan-g.me.uk/
> http://www.amazon.com/author/alan_gauld
> Follow my photo-blog on Flickr at:
> http://www.flickr.com/photos/alangauldphotos
-- 
Alan G
Author of the Learn to Program web site
http://www.alan-g.me.uk/
http://www.amazon.com/author/alan_gauld
Follow my photo-blog on Flickr at:
http://www.flickr.com/photos/alangauldphotos
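The socket-permission question in the forwarded message, worked as an added example (Python 3; not code from the thread, from Apache or from the Python tutor list). Three facts drive it: the leading `s` in `srwxr-xr-x.` is the file type (a socket node), not a setuid bit; `bind()` creates that node with mode `0777 & ~umask`, which is how a server started from a login shell with umask 022 leaves it `rwxr-xr-x`; and on Linux `connect()` to an AF_UNIX socket needs write permission on the node plus search permission on every directory above it, so a group limited to `r-x` is consistent with the failure the `apache` worker sees. The block creates the node with a chosen mode and group, reports from a given set of credentials whether a connect would pass and why not, and then really tries it. The group name `apache`, the socket path and the uid/gid values in the test are placeholders, and `socket_access_report` models classic Unix DAC only.

```python
"""Added example, not code from the thread: create a UNIX domain socket node with
a known mode and group so a second account (the httpd worker `apache` in the
thread) may connect, and report from a caller's credentials whether it can."""
import errno
import grp
import os
import pwd
import socket
import stat


def may_access(mode, owner, group, uid, gids, want):
    """Plain DAC check; `want` is "w" (connect to a node) or "x" (search a dir)."""
    if uid == 0:                                   # CAP_DAC_OVERRIDE: root passes
        return True
    if want == "w":
        bits = (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    else:
        bits = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
    if owner == uid:                               # owner class decides, even if group would allow
        return bool(mode & bits[0])
    if group in gids:
        return bool(mode & bits[1])
    return bool(mode & bits[2])


def bind_unix_socket(path, group=None, mode=0o660):
    """Bind a listening AF_UNIX socket at `path` and leave the node at `mode`.

    bind() creates the node as 0777 & ~umask (umask 022 gives srwxr-xr-x); on
    Linux connect() needs WRITE on the node, so a group member with r-x gets
    EACCES.  Create under umask 077, then set the group and the final mode.
    """
    try:
        os.unlink(path)                            # stale node: bind() would fail with EADDRINUSE
    except FileNotFoundError:
        pass
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)
    try:
        sock.bind(path)                            # node appears as srwx------: nobody else connects yet
    finally:
        os.umask(old_umask)
    if group is not None:                          # e.g. "apache"; chown needs membership or root
        gid = grp.getgrnam(group).gr_gid if isinstance(group, str) else group
        os.chown(path, -1, gid)
    os.chmod(path, mode)                           # 0o660: owner and group connect, others cannot
    sock.listen(5)
    return sock


def socket_access_report(path, uid=None, gids=None):
    """Say whether uid/gids may connect() to the socket node at `path`, and why not.
    Defaults to the caller's effective credentials, so printed from a CGI script
    it also shows which account httpd really runs the script as."""
    if uid is None:
        uid = os.geteuid()
    if gids is None:
        gids = set(os.getgroups()) | {os.getegid()}

    def name(lookup, key):                         # ids without a passwd/group entry stay numeric
        try:
            return lookup(key)[0]
        except KeyError:
            return str(key)

    blocked, d = [], os.path.dirname(os.path.abspath(path))
    while True:                                    # every directory on the way needs x
        dst = os.stat(d)
        if not may_access(dst.st_mode, dst.st_uid, dst.st_gid, uid, gids, "x"):
            blocked.append(d)
        if os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    st = os.stat(path)
    writable = may_access(st.st_mode, st.st_uid, st.st_gid, uid, gids, "w")
    return {
        "user": name(pwd.getpwuid, uid), "uid": uid,
        "node_is_socket": stat.S_ISSOCK(st.st_mode),
        "node_mode": oct(stat.S_IMODE(st.st_mode)),
        "node_owner": name(pwd.getpwuid, st.st_uid),
        "node_group": name(grp.getgrgid, st.st_gid),
        "node_writable": writable,
        "dirs_not_searchable": blocked,
        "can_connect": writable and not blocked,
    }


def try_connect(path):
    """Really attempt connect(); returns (True, None) or (False, errno name)."""
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.connect(path)
        return True, None
    except OSError as err:
        return False, errno.errorcode.get(err.errno, str(err.errno))
    finally:
        client.close()
```

For the setup in the thread, run the server as `johnlawton` with `group="apache"` (allowed because that account's primary group is `apache`), or start the server as the `apache` account itself so the node is owned by it; in the CGI script, print `socket_access_report("/test/uds_socket")` inside the HTML body and it answers the "which account is running your scripts" question directly. One caveat: the trailing `.` on the `ls -l` lines means SELinux is labelling files on that Fedora host, and `httpd_t` can be refused a connect to a socket node carrying a label it may not write even when the mode bits allow it, so if the report says yes and `try_connect` still returns `EACCES` from the CGI script, check `ausearch -m AVC -ts recent`.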