Apache, mod_wsgi permission error


Mike Archbold

Apr 26, 2020, 10:54:44 PM
to modwsgi
Hi,

I have tried to understand the prior problems -- sorry, I can't figure it out from the priors. I'm a newbie to mod_wsgi and Apache trying to create a python server. I'm self-taught but totally stuck... thanks guys, at a dead end. It is something I am clueless about.

---------------------------------------

*** This is the guts of the config.d file:


Listen 80
<VirtualHost *:80>
    DocumentRoot "/var/www/jsss/html"
    ServerName localhost:80

    WSGIDaemonProcess jsss processes=1 threads=1 display-name=%{GROUP} user=apache group=apache
    WSGIProcessGroup jsss

    WSGIScriptAlias / /var/www/jsss/jsss.wsgi

    <Directory /var/www/jsss/>
            Options All
            Require all granted
    </Directory>
</VirtualHost>

---------------------------------------------------------------

***  This is my main program, a single line, called from Apache, jsss_wsgi:


from jsss_flask_rest import app as application

---------------------------------------------------------------

*** this is the jsss_flask_rest program called from the single line jsss_wsgi:


from flask import Flask, request
from flask_restful import Resource, Api
import subprocess
import sys
import base64
import os
import getpass

app = Flask(__name__)
api = Api(app)


class jsss(Resource):
    def get(self):
        f = open("/var/www/jsss/openme", "r+")  # <<<--- dies right here

        username = getpass.getuser()

        stdout_data = username

        return {"output>": stdout_data}


api.add_resource(jsss, '/jsss')

if __name__ == '__main__':
    app.run()

---------------------------------------------------------------

*** these are the permissions I set up for the test "openme" file. The apache should have read access to root.

-rwxrwxrwx. 1 apache apache  4 Apr 26 20:35 openme


---------------------------------------------------------------

*** error from apache:

File "/usr/lib64/python3.6/site-packages/jsss_flask_rest.py", line 17, in get
[Sun Apr 26 22:01:31.063590 2020] [wsgi:error] [pid 14886:tid 140318833870592] [remote ::1:37856]     f = open("/var/www/jsss/openme","r+")
[Sun Apr 26 22:01:31.063592 2020] [wsgi:error] [pid 14886:tid 140318833870592] [remote ::1:37856] PermissionError: [Errno 13] Permission denied: '/var/www/jsss/openme'

-----------------------------------------------------------

*** error from Linux:

22:01:34 setroubleshootd: SELinux is preventing /usr/sbin/httpd from write access on the file openme.

*****  Plugin httpd_write_content (92.2 confidence) suggests   ***************

If you want to allow httpd to have write access on the openme file
Then you need to change the label on 'openme'
Do
# semanage fcontext -a -t httpd_sys_rw_content_t 'openme'
# restorecon -v 'openme'

*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************

If you want to allow httpd to unified
Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.

Do
setsebool -P httpd_unified 1

*****  Plugin catchall (1.41 confidence) suggests   **************************

If you believe that httpd should be allowed write access on the openme file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp

Graham Dumpleton

Apr 26, 2020, 11:05:16 PM
to mod...@googlegroups.com
And did you do anything to configure SELinux to allow httpd access as logs point out is the problem?

BTW, giving write access to others, i.e.,

    -rwxrwxrwx. 1 apache apache  4 Apr 26 20:35 openme

is bad security practice.

It actually looks like you did 'chmod -r 0777 .' You should never blindly give rwx permissions recursively to directories as it changes permissions on files to stuff they don't need.

What I suggest you do if you are just starting out is to not configure your system Apache at all. Instead use mod_wsgi-express and run it on a non privileged port out of your own home directory.


Worry about using system Apache much later when you actually have a need to permanently deploy it and must use system Apache.

Graham
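The handler in the thread opens openme with "r+", so it asks the kernel for write access, and that write is exactly what the SELinux denial above reports; a plain read would not have needed any label change or boolean. The script below is an added example, not code from the thread or from mod_wsgi, showing the read-only open beside a check for the loose mode bits Graham objects to. The function names perm_findings, read_as_server and demo, and the scratch "openme" file it builds, are assumptions of this example.

```python
import getpass
import os
import stat
import tempfile


def perm_findings(path):
    """Flag mode bits a data file Apache only reads does not need.

    Catches the 'chmod -R 0777' pattern from the thread: world- and
    group-writable data files, and executable bits on plain data."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable")
    return findings


def read_as_server(path):
    """Open the file read-only, which is all the handler needed.

    'r+' asks for write access, which SELinux denies to httpd on a file
    labelled httpd_sys_content_t regardless of 0777 mode bits; 'r' only
    needs read access, so no label change or boolean is required."""
    try:
        with open(path, "r") as f:
            data = f.read()
    except PermissionError as exc:
        # Report the failure in the response instead of a 500 traceback.
        return {"user": getpass.getuser(), "error": str(exc)}
    return {"user": getpass.getuser(), "output": data}


def demo():
    """Constructed sample: a scratch 'openme' file checked at 0777 and 0640."""
    path = os.path.join(tempfile.mkdtemp(), "openme")
    with open(path, "w") as f:
        f.write("ok\n")
    os.chmod(path, 0o777)
    loose = perm_findings(path)
    os.chmod(path, 0o640)
    tight = perm_findings(path)
    return {"loose": loose, "tight": tight, "read": read_as_server(path)}
```

On an SELinux host, `ls -Z` on the file shows the label; a read-only handler works with the default httpd_sys_content_t, and only files the application genuinely writes need httpd_sys_rw_content_t.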


Mike Archbold

Apr 27, 2020, 12:39:20 AM
to modwsgi
Graham,

Thanks a lot for the prompt reply.


On Sunday, April 26, 2020 at 11:05:16 PM UTC-4, Graham Dumpleton wrote:
> And did you do anything to configure SELinux to allow httpd access as logs point out is the problem?

I did not understand this facet at all, and it did work when I tried it out.

> BTW, giving write access to others, i.e.,
>
>     -rwxrwxrwx. 1 apache apache  4 Apr 26 20:35 openme
>
> is bad security practice.

Right -- I should have added that I was just proving that the security should have allowed it under just about any circumstances.

> It actually looks like you did 'chmod -r 0777 .' You should never blindly give rwx permissions recursively to directories as it changes permissions on files to stuff they don't need.
>
> What I suggest you do if you are just starting out is to not configure your system Apache at all. Instead use mod_wsgi-express and run it on a non privileged port out of your own home directory.
>
> Worry about using system Apache much later when you actually have a need to permanently deploy it and must use system Apache.

I took a look at this and like the idea. When I issued the command "mod_wsgi-express-3 start-server jsss.wsgi" it started right up, surprisingly. Nice. I actually need a full-blown production system pretty soon and it is starting to look like I might get past the permission difficulty, so I think I will continue with the full-blown server. My program above is just a little mock-up -- I've got a big one staged to go. Mostly I have been a mainframe developer, so I am just finally learning a lot of the server stuff.

Mike Archbold
