Opening Sockets in CGI scripts.

pvra...@gmail.com

Apr 17, 2006, 3:34:35 PM
Hi,
I have a CGI script written in C that tries to set up a connection
with another server to retrieve some data. When the CGI script runs,
it fails to open socket because of socket open permission issues. The
script runs fine when I run it from the shell. Is there any restriction
on opening sockets in a CGI application? I've also tried using message
queues and named pipes, all of them give permission errors while trying
to open pipe/message queues.

This is my setup:
Fedora 4 & Apache/2.0.54 web server.

Regards,

Raj.


Sherm Pendley

Apr 17, 2006, 4:30:11 PM
pvra...@gmail.com writes:

> it fails to open socket because of socket open permission issues. The
> script runs fine when I run it from the shell. Is there any restriction
> on opening sockets in a CGI application?

Such a restriction is not part of the CGI spec, in either way. It's not
required, nor is it forbidden.

You'll need to ask your system admin what restrictions are in place for
your server.

sherm--

--
Cocoa programming in Perl: http://camelbones.sourceforge.net
Hire me! My resume: http://www.dot-app.org

Nick Kew

Apr 17, 2006, 3:05:10 PM
pvra...@gmail.com wrote:
> Hi,
> I have a CGI script written in C that tries to set up a connection
> with another server to retrieve some data. When the CGI script runs,
> it fails to open socket because of socket open permission issues. The
> script runs fine when I run it from the shell. Is there any restriction
> on opening sockets in a CGI application? I've also tried using message
> queues and named pipes, all of them give permission errors while trying
> to open pipe/message queues.

That's probably the level of security set up by your server
administrator.

> This is my setup:
> Fedora 4 & Apache/2.0.54 web server.

... which might well involve SELinux.

--
Nick Kew

pvra...@gmail.com

Apr 17, 2006, 5:21:32 PM
Thanks for your replies. We have full access to the system, so we can
change the server configuration any way we want. I would really appreciate it if
someone can provide some pointers on how to set up the security level
for enabling this.

Thanks,

Raj

Sherm Pendley

Apr 17, 2006, 5:45:07 PM
pvra...@gmail.com writes:

> Thanks for your replies. We have full access to the system, so we can
> change the server configuration any way we want. I would really appreciate it if
> someone can provide some pointers on how to set up the security level
> for enabling this.

Some OSes can restrict network connections on a per-user basis. Web
servers typically run as "nobody" or "www". You need to:

1. Find out what user your web server is running as. You mentioned
using Apache, so have a look at httpd.conf.

2. Check your OS vendor's support pages, news group, etc. to see how,
in that OS, to allow network connections for a specific user.

sherm--


pvra...@gmail.com

Apr 17, 2006, 6:57:43 PM
Thanks guys for your support! It was the issue with SELinux, which was
protecting apache server, and CGI scripts executed from it. I disabled
the SE feature by running setenforce 0, and everything started working
fine!

Regards,

Raj

Nick Kew

Apr 17, 2006, 6:06:07 PM
Sherm Pendley wrote:

> Some OSes can restrict network connections on a per-user basis. Web
> servers typically run as "nobody" or "www". You need to:
>
> 1. Find out what user your web server is running as. You mentioned
> using Apache, so have a look at httpd.conf.
>
> 2. Check your OS vendor's support pages, news group, etc. to see how,
> in that OS, to allow network connections for a specific user.
>

Since it's CGI, running it as a different user under suexec
might deal with that without giving more privileges to anything
that doesn't need them.

But that's a guess; I don't know how SELinux works.

--
Nick Kew

phil-new...@ipal.net

Apr 18, 2006, 3:11:31 AM
On Mon, 17 Apr 2006 16:57:43 CST pvra...@gmail.com wrote:

| Thanks guys for your support! It was the issue with SELinux, which was
| protecting apache server, and CGI scripts executed from it. I disabled
| the SE feature by running setenforce 0, and everything started working
| fine!

Do you really need to run a paranoid version of Linux for a web server?
Obviously you aren't getting much out of it, what it was designed for,
if the features are off.

--
-----------------------------------------------------------------------------
| Phil Howard KA9WGN | http://linuxhomepage.com/ http://ham.org/ |
| (first name) at ipal.net | http://phil.ipal.org/ http://ka9wgn.ham.org/ |
-----------------------------------------------------------------------------
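
The denials described in this thread can be allowed without `setenforce 0`, which puts the whole system into permissive mode. As an added example (not part of the original thread), this script summarizes SELinux AVC denials for httpd domains and prints a narrower remedy for each; the log lines and function names are constructed for illustration, and `httpd_can_network_connect` is the targeted-policy boolean on current systems that permits outbound TCP from httpd and its CGI scripts.

```shell
#!/bin/sh
# Constructed sample audit records (not from the thread): a confined CGI
# denied an outbound TCP connect and a FIFO write, plus an unrelated sshd line.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1145314663.101:51): avc:  denied  { name_connect } for  pid=2301 comm="fetch.cgi" dest=8080 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1145314670.412:58): avc:  denied  { name_connect } for  pid=2317 comm="fetch.cgi" dest=8080 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1145314671.030:59): avc:  denied  { write } for  pid=2317 comm="fetch.cgi" name="req.fifo" dev=dm-0 ino=4711 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1145314699.900:63): avc:  denied  { read } for  pid=901 comm="sshd" name="key" dev=dm-0 ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
EOF
}

# Read audit records on stdin; print "count domain class permission" for every
# denial whose source domain starts with httpd_, most frequent first.
httpd_denials() {
  awk '
    /avc: +denied/ {
      perm = ""; dom = ""; cls = ""
      # The permission set is the text between "{ " and " }".
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        # scontext=user:role:type[:level] -> the third field is the domain.
        if ($i ~ /^scontext=/) { split($i, c, ":"); dom = c[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (dom ~ /^httpd_/) n[dom " " cls " " perm]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

# Turn each summary line into a hint; commands are printed, never executed.
suggest_fix() {
  while read -r count dom cls perm; do
    case "$cls:$perm" in
      tcp_socket:name_connect)
        echo "$dom: outbound TCP denied x$count -> setsebool -P httpd_can_network_connect 1" ;;
      *)
        echo "$dom: $cls { $perm } denied x$count -> relabel the object or build a local module with audit2allow -M" ;;
    esac
  done
}

sample_avc | httpd_denials | suggest_fix
```

On a live host the same summary comes from `httpd_denials < /var/log/audit/audit.log`, and SELinux stays enforcing for everything else.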
