
Perl CGI scripts unable to open TCP sockets -- permission denied


Jason

Aug 1, 2005, 2:28:52 PM
I am currently unable to get any of my perl CGI scripts to run if they
are trying to open a socket. They all run correctly from the prompt
and the scripts run until a socket is created, at which point I get a
"permission denied" error. This is particularly a problem with scripts
I am creating that use PostgreSQL; but I have confirmed that PostgreSQL
is not my problem.

I opened my machine to allow tcp finger requests and using the code
from chapter 10.3 of O'Reilly's CGI Programming (see:
http://www.thasource.net/books/oreilly/web-library/cgi/examples/examples/ch10/finger_orig.pl)
and from http://www.infocopter.com/perl/socket-server.htm I created a
program that returns the results of the finger command (see below).

From the command prompt the perl script creates the socket and gets the
result. *As a cgi program it cannot create a socket*.

Thanks Jason

*I am currently running Fedora Core 3 with*

Apache 2.0.52-3.1
perl 5.8.5-14.FC3

*finger.cgi program:*

#!/usr/bin/perl -w

use strict;
use Socket;
use CGI::Pretty;

sub page {
    my ($q, $title, $content) = @_;
    print $q->header(), $q->start_html("$title");
    print $q->h2("$title"), $q->p("$content"), $q->end_html();
    exit;
}

my $q = new CGI::Pretty();

# initialize protocol, host and port
my $proto = getprotobyname('tcp');
my $host = 'localhost';
my $port = getservbyname('finger','tcp');

# get the host internet address and port address
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port, $iaddr);

# create the socket, connect to the port
socket(my $SOCKET, PF_INET, SOCK_STREAM, $proto) or &page($q , "Error", "Socket: $!.\n");
connect($SOCKET, $paddr) or &page($q , "Error", "connect: $!");

# get reply from socket
my $result = "";
my $line;
while ($line = <$SOCKET>) {
    $line = $q->escapeHTML($line);
    $result .= $q->p($line);
}

close ($SOCKET);

# output reply from socket
&page($q, "No Errors!", $result);



Bill Segraves

Aug 1, 2005, 5:57:36 PM
"Jason" <jbmor...@gmail.com> wrote in message
news:1122920932.7...@z14g2000cwz.googlegroups.com...

> I am currently unable to get any of my perl CGI scripts to run if they
> are trying to open a socket. They all run correctly from the prompt
> and the scripts run until a socket is created, at which point I get a
> "permission denied" error.

Jason, you should clarify the above, re: conditions under which your scripts
run and do not run.

I think you're saying they run O.K. from the command prompt, but not as CGI
processes. If this is true, you should note that your Apache server does not
run as the same user that "you" are when you run a CGI script from the
command prompt. Your Apache server will be running under much more
restricted privileges, e.g., as user "nobody".


> This is particularly a problem with scripts
> I am creating that use PostgreSQL; but I have confirmed that PostgreSQL
> is not my problem.

Really? I had not noted that you've granted access to the Apache user, e.g.,
"nobody", in your PostgreSQL configuration, perhaps because you simply
didn't mention it in any of your earlier posts. If you haven't granted
access to the Apache user, that might cause problems with CGI access to
PostgreSQL.

BTW, what are the permissions you're using for your CGI scripts?

Cheers.
--
Bill Segraves
<snip>

Jason

Aug 1, 2005, 8:20:40 PM
Clarification:

All of my scripts run from the prompt (under any typical user account).

None of my scripts involving sockets run as cgi-scripts.

My cgi scripts are running as "apache".
The permissions are all 0755.

I cannot login as apache and therefore I cannot test the script from
the prompt as apache. When I do su - apache and enter the password I
get: This account is currently not available.

Any idea how I can run the script as apache and/or get a prompt as
apache?

My postgresql setup included adding root, apache and even nobody as
database users.

Can anyone run the above script as a cgi-script?

Cheers,

Jason

Simon Andrews

Aug 2, 2005, 8:10:36 AM
Jason wrote:
> I am currently unable to get any of my perl CGI scripts to run if they
> are trying to open a socket. They all run correctly from the prompt
> and the scripts run until a socket is created, at which point I get a
> "permission denied" error. This is particularly a problem with scripts
> I am creating that use PostgreSQL; but I have confirmed that PostgreSQL
> is not my problem.

Are there any more informative errors in the web server error logs? Are
you running selinux? If so are there any errors in /var/log/messages?
Have you tried putting selinux into permissive mode (using
system-config-securitylevel) and seeing if things start working?

Simon.

Jason

Aug 2, 2005, 9:11:49 AM
Simon,

You are a genius! Being new to sysadmin I did not realize selinux
was enabled in enforcing mode. However a little research told me that
permissive mode was not necessary.

/usr/sbin/sestatus gave me:

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 19
Policy from config file:targeted

Policy booleans:
...
httpd_can_network_connect inactive
...

Which is default!

http://www.startcom.org/docs/en/SELinux%20Guide%20StartCom%20Enterprise%20Linux%204.0.x/rhlcommon-section-0068.html

told me to
/usr/sbin/setsebool -P httpd_can_network_connect 1

and then I restarted the httpd service and voilà it works!!!

In fact this also solved my CGI PostgreSQL problems (because pgsql is
connecting through localhost tcp).

Thanks again to both Bill and Simon.

What a great way to start the week!

Jason
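
The diagnosis reached in this thread, as an added example that is not part of any post: a shell function that picks SELinux denials of outbound TCP connections by httpd domains out of audit lines and names the boolean that would permit each one. The log lines are constructed, and the audit.log layout, the port type names and the narrower `httpd_can_network_connect_db` boolean are assumptions taken from current Red Hat-family targeted policy, not from the Fedora Core 3 system discussed above.

```bash
#!/bin/bash
# Added example, not code from the thread. All log lines below are constructed.

# Constructed AVC denials in the audit.log layout of current Red Hat-family systems.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1122988309.101:41): avc:  denied  { name_connect } for  pid=2101 comm="finger.cgi" dest=79 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fingerd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1122988310.220:42): avc:  denied  { name_connect } for  pid=2102 comm="report.cgi" dest=5432 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1122988311.007:43): avc:  denied  { read } for  pid=2103 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1122988312.400:44): avc:  denied  { name_connect } for  pid=2200 comm="sshd" dest=25 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
EOF
}

# Read audit lines on stdin; for each TCP socket denial raised by an httpd_* domain,
# print "<command> <dest port> <boolean that would permit it>".
httpd_connect_denials() {
  awk '
    /avc: +denied/ && /tclass=tcp_socket/ && /scontext=[^ ]*:httpd_[a-z_]*t(:| |$)/ {
      comm = dest = ttype = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
        if ($i ~ /^dest=/)     { dest = substr($i, 6) }
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
      }
      # Assumption: the policy labels the PostgreSQL port postgresql_port_t and
      # ships httpd_can_network_connect_db, which opens database ports only.
      # Anything else needs the broad httpd_can_network_connect used in the thread.
      bool = (ttype == "postgresql_port_t") ? "httpd_can_network_connect_db" : "httpd_can_network_connect"
      print comm, dest, bool
    }'
}

sample_avc | httpd_connect_denials

# On an SELinux host, also show how the two booleans are currently set.
if command -v getsebool >/dev/null 2>&1; then
  for b in httpd_can_network_connect httpd_can_network_connect_db; do
    getsebool "$b" || true
  done
fi
```

On a live host, pipe /var/log/audit/audit.log (or /var/log/messages on systems without auditd) into `httpd_connect_denials` instead of the sample. Where only database access is needed, enabling the narrower boolean leaves other outbound connections from CGI scripts blocked.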
