File Access In Apache 2.4 (clarification)

Home » CentOS » File Access In Apache 2.4 (clarification)
CentOS 5 Comments

Folks

I’m having file-access problems in Apache 2.4 under CentOS 7. In particular:

– I have a file that’s readable to every user and every application,
(writeable by only one user), but my CGI scripts cannot read it.

– Some of my CGI scripts need temporary storage for some files. They are, for example, some internal log files, tnat get cleaned up over time, but I want to be able to look at them (as root). Where would you suggest they be placed? I’ve tried /tmp/my_private_files/, and
/var/tmp/my_private_files/, but Apache fails to find even the directory.

Here’s some extra information SELINUX is disabled.

I modified my CGI script to report where in the path to
/tmp/my_private_files/temp_log.log the process failed. The Perl code I ran is:

my $x = “”;
print STDERR “Trying to read /tmp/ramdisk/keys.txt\n”;
for (split /\//, “/tmp/ramdisk/keys.txt”) {
next unless $_;
$x .= “/$_”;
print STDERR “Test $x, ” , (-e $x?”exists”:”does not exist”), “\n”;
}

And the output in the http error log for this virtual user,
(timestamp and other error log data stripped) was:

AH01215: Trying to read /tmp/ramdisk/keys.txt AH01215: Test /tmp, exists AH01215: Test /tmp/ramdisk, does not exist AH01215: Test /tmp/ramdisk/keys.txt, does not exist

Using the “dir -l” command as root, I discover:

dir -l / | grep tmp
drwxrwxrwt. 16 root root 4096 Nov 21 08:35 tmp

dir -l /tmp | grep ramdisk
drwxrwxrwt 2 root root 140 Nov 21 08:35 ramdisk

dir -l /tmp/ramdisk | grep keys.txt
-rw-r–r– 1 user1 user1 11829 Nov 21 08:29 keys.txt

Any suggestions?

PS: CentOS 6 had no such problems, and the file locations worked just fine.

David

5 thoughts on - File Access In Apache 2.4 (clarification)

  • The httpd.servicce unit in c7 has:
    PrivateTmp=true

    Which means that Apache has its own private /tmp namespace. So it’s probably working, just not where you expect.

    Don’t use /tmp in CGIs.

    (And don’t disable selinux, particularly for web apps)

    Jonathan Billings

  • At 09:24 AM 11/21/2017, Jonathan Billings wrote:

    Jonathan Thanks for the advice. If you recommend NOT to use /tmp for cgi temporaries, where would you put them and how to name them? And about SELINUX, I’ll consider that, but I’d like to get this working without SELINUX first.

    And where should I put “globally readable”
    files? These files need to be readable by all users (including Apache), but writeable only by one user. In the past, I’ve placed them in a Ram disk since I don’t want them to survive a power–off, and mounted that “device” directory in /tmp/ramdisk. It was working perfectly in CentOS 5, 6 and 7, with CentOS 7 failing within the past week or so. I do “yum update” every night.

    David

  • Yeah, https://stopdisablingselinux.com/

    Also, you *could* run “systemctl edit httpd.service” and enter two lines:

    [Service]
    PrivateTmp=false

    … if you specifically need to share /tmp.  The alternative is probably to mount a new tmpfs to a new directory somewhere under /var/lib for globally shared ephemeral files.

  • Ha-ha! I like it!

    Does anybody remember LIDS:

    https://en.wikipedia.org/wiki/Linux_Intrusion_Detection_System

    The name is a bit deceptive. In short, LIDS is Linux kernel patch that
    (roughly speaking) does the following: after boot process finishes, and all services have been started root user is demoted to user nobody ;-) You can only do administration on cold powered off system – i.e. off line. Alas, LIDS didn’t make into main stream kernel. Its competitor (?) SElinux made it instead, and SElinux is child’s play compared to LIDS IMHO… Every time SElinux is mentioned in one respect or another it makes my day, as I remember LIDS ;-)

    I hope, someone has few loughs with me here.

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Does it need to be writable by CGI scripts run by httpd? Then put it in one of the directories that is automatically labeled httpd_sys_rw_content_t by selinux. (man httpd_selinux shows those, you can also run ‘semanage fcontext -l | grep httpd_sys_rw_content_t’)

    Hopefully, it isn’t both writable *and* executable by httpd, because that’s just a bad idea, and selinux tries its hardest to prevent it.

    Otherwise, if httpd just needs to read the file, choose one of the directories with one of the read-only labels.

    The reason why this started happening in the latest C7 release is because the unit file (as well as many others) was updated to have a PrivateTmp, which is an additional security measure, since one of the most common ways of attacking a system is to try to hit shared files in locations like /tmp.