I m working on a python version cgi script which needs to create img files (which will be shown on the web page) in cgi-bin folder.
But it fails with:
[Wed Oct 28 16:13:51 2009] [error] [client ::1] OSError: [Errno 13] Permission denied: 'average/'
[Note] 'average/' is the folder that the cgi script is going to create first for saving those img files.
I tried giving a+x permission to the cgi script, but it failed still. This happens on both Win and Mac.
Btw, I m working with the default Apache configurations. I didn't change anything after the installation of Apache.
You would have to give the web server user write permission to the cgi-bin folder. Usually the web server user is something like nobody and not in the same group as the owner of the folder, so that means making cgi-bin world-writable: Note: This is a really bad idea.
chmod a+rwx cgi-bin
(or, on Windows setting permissions on cgi-bin to give Everyone ‘Full Control’.)
Now any user on your server, or any script that doesn't check its filenames properly, might create a file in the cgi-bin, where it will be interpreted by Apache as a CGI script and executed. This is a good way to get your server owned.
Run-time-written files should go in a separate ‘data’ folder, outside the cgi-bin (and preferably outside the web root, bound with an Alias), with Apache set to disallow any kind of script or htaccess from that folder. You can then set ‘data’ 777, or, possibly better, have it owned by the web server user instead.
The error message is complaining about permissions for the folder average/ not the cgi file.
EDIT: So your python script (which runs on both Win and Mac) is responsible for creating the folder and the img files?
You definitely should check your script and the permissions on the parent folder in which average/ is to be created.
If it's not just a permissions problem, as the error message suggests, you'll need a Python expert.
Related
I'm having a bit of an issue with setting up an Apache installation for a project I inherited. The original installation the project uses is Apache 2.2, but I'm currently using 2.4, and since the folder/filename and config options have changed a bit, I'm not sure what's causing my scripts to behave this way.
I have a script that's setup to execute from my cgi-bin directory which, among other things, generates an HTML file and after everything is complete, it uses "Location:whoami.html" to navigate to this page. The page is located within cgi-bin when it is created. However, instead of this page being served client-side, it creates an Internal Server Error message, and the log suggests that the page was interpreted as a script because it says:
(13)Permission denied: AH01241: exec of '/var/www/cgi-bin/whoami.html' failed
[client xxx.xx.xx.xx:xxxxx] End of script output before headers: whoami.html, referrer: http://xxx.xx.xx.xx
So why is it interpreting this page as a script, if in fact, that is what it's doing? The old server has the same directory configurations for the cgi-bin directory, but it serves the page as it's supposed to without error.
The issue was that the script that creates the file wasn't running because I forgot to add the www-data user to the /etc/sudoers file... easy fix that I really should have thought of before.
I'm using Ubuntu 14 server from DO, with LAMP stack installed, i followed the instruction here to install flask on ubuntu because my main purpose was to use Flask on my website.
https://www.digitalocean.com/community/tutorials/how-to-deploy-a-flask-application-on-an-ubuntu-vps
During the test, when user connects to "http:/myvpsip/createfile/" which creates a new file on the current folder /var/www/, I got error from Apache saying that the file cannot be created, "permission denied".
I tried again using PHP script that create a new file on the same directory /var/www/ but got the same problem. Both of the trials were done using root account. I tried to chmod the www folder to 755 or 777 and they are not working.
My question is, how do I set permission for apache2 that when users browse the website they will be able to create/edit file on the current directory?
Thank you
This is because when you installed your application, you did so as the root user. All your application files and directories are owned by root.
If you ls -l on /var/www and look inside the FlaskApp folder structure, you will likely see permissions set like this:
-rw-r--r-- 1 root root
When Apache runs, it runs on behalf of a main process owned by the user root and several child processes owned by the user www-data. So essentially, Apache is running as if logged in as user www-data.
When your application needs to do a file or folder operation (its running on behalf of Apache www-data user), the public/world permission bits are used since Apache child processes are not running as root user and not as root group.
Looking above, we see that only the read bit is set for the public/world permissions - no write. And that is where the problem lies.
One way to solve this is to make everything under /var/www/mywebsite owned by the user root and the group www-data. This sets things up so that only the root user can have full permissions and www-data (everyone else) can only read and execute (no write).
When you setup your website, you should set it up to be under its own separate folder. This way you can have multiple virtual domains (i.e. more websites) added later on. Assuming 'mywebsite' is where your domain is and you have already installed your application software (Flask) within it:
cd /var/www/mywebsite
chown -R root:www-data /var/www
You then as the system administrator, need to understand the application and go through the folders and files setting permissions. Apply permissions generally, then on a case by case basis.
For most directories (750)
- Only root can rwx directory
- www-data can only read and execute directory
- no public/world bits set as it makes no sense (*)
For directories that can be changed by web application (770)
- Root can rwx directory
- www-data can rwx directory
- no public/world bits set as it makes no sense (*)
- for uploading files, creating images, documents, etc by the users of the site
For most files (640)
- Never set the execute bit to avoid execution of misplaced shell or executable files
- PHP, Perl, etc. are just text files. They have nothing to do with exec permission
- No group write bit set
- Read must be set for owner and group else they cant see the web document
For special case where files need to be changed (660)
- Set group write bit if you want www-data users to create things
(*) Because all users who visit Apache are running on behalf of www-data
I have clean CentOS 6. I just install via yum install httpd mysql-server, python, mysql-python.
First Step
$ trac-admin /home/tracprojects/main2 initenv
Project name: Main
SQL Connect string: mysql://trac#localhost:3306/trac (base exists, utf8, innoDB)
OK.
$ trac-admin /home/tracprojects/main2 deploy /var/www/html/
OK.
Second Step
Then I move cgi-bin/trac.wsgi to my /cgi-bin/ server's alias folder. (mod_wsgi working well. NOT as a daemon. tested on wsgi scripts).
Then I've grant permissions to Apache user for whole directories I've create earlier. And add access from apache config. (order-allow-deny).
But when I open my browser and go to url, I've got this error message:
Internal Server Error
TracError: IOError: [Errno 13] Permission denied: '/home/tracprojects/main2/VERSION'
What I do wrong?
Do you use SElinux (enabled by default)? With default SElinux I believe Apache can not access /home. You can check this by disabling SElinux temporarily ("setenforce 0" as root) and maybe restarting Apache. Also check /var/log/audit.log.
Check permissions of '/home/tracprojects' etc. Apache runs as special user and simply may not be able to read into directories, read files, or even write files.
You may be better off using mod_wsgi daemon mode and telling mod_wsgi to run the process as a different user who can access that location. Even if do this, the WSGI script file directory still at least needs to be readable to Apache user.
I have an apache webserver running on centos environment. There is a folder and in that there is a file which has an extension .exe lets name the file x.exe
when I try download this file using http://mysite.com/folder/x.exe I get a 403 error.
but if I add a gif to that folder it works http://mysite.com/folder/pic.gif
I dont have SSH access to this server but need to know some clue for why this is happenning, the file permissions are correct too.
any help is appreciated
Within Apache's httpd.conf, it is possible to specify default handling actions for certain file types or paths. It may be that your server is configured to block executable files all together. Similar blocking can also occur in an .htaccess file. There are a few ways to do it... here's one:
<Files ~ "\.exe$">
Order allow,deny
Deny from all
</Files>
That little snippet could be in the main .conf file, and included .conf file, OR an .htaccess file (or all three!), and again, that is just one possibility. Your best bet is to check out the server logs. They will indicate why a given request was denied in a form similar to this:
[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by
server configuration: /www/root
Take a look at this document for information about server logs (including default paths to the logs themselves).
As I mentioned, there are a few other ways to block access to certain file types, certain files, certain folders, etc. Without looking at the error logs, it is very difficult to determine the cause. Further, without full access to the server, it may not be possible to alter this behavior. This blockage could be in place as a matter of policy for your web host.
I'd like to add I spent like 2 hours trying this crap over and over again only to discover that selinux was denying specific file types for httpd.
try:
setenforce Permissive
and see if that corrects the error
tag
Fedora 16
well the answer was I had this in a folder where it forbids the exe
Deny from all
<FilesMatch "\.(html|HTML|htm|HTM|xhtml|XHTML|js|JS|css|CSS|bmp|BMP|png|PNG|gif|GIF|jpg|JPG|jpeg|JPEG|ico|ICO|pcx|PCX|tif|TIF|tiff|TIFF|au|AU|mid|MID|midi|MIDI|mpa|MPA|mp3|MP3|ogg|OGG|m4a|M4A|ra|RA|wma|WMA|wav|WAV|cda|CDA|avi|AVI|mpg|MPG|mpeg|MPEG|asf|ASF|wmv|WMV|m4v|M4V|mov|MOV|mkv|MKV|mp4|MP4|swf|SWF|flv|FLV|ram|RAM|rm|RM|doc|DOC|docx|DOCX|txt|TXT|rtf|RTF|xls|XLS|xlsx|XLSX|pages|PAGES|ppt|PPT|pptx|PPTX|pps|PPS|csv|CSV|cab|CAB|arj|ARJ|tar|TAR|zip|ZIP|zipx|ZIPX|sit|SIT|sitx|SITX|gz|GZ|tgz|TGZ|bz2|BZ2|ace|ACE|arc|ARC|pkg|PKG|dmg|DMG|hqx|HQX|jar|JAR|xml|XML|pdf|PDF)$">
Allow from all
</FilesMatch>
added exe there and worked fine,
also a note, this was in a SilverStripe CMS powered site, and in the assets folder of SilverStripe
i am having problems with setting up a virtual host (Aptana Project directory) on a LAMP installation on Ubuntu 11 (via tasksel).
i can access
/var/www via ht*p://localhost, but accessing /home/tg/Aptana... via ht*p://ea-dev returns an
"You don't have permission to access / on this server."
this is my apache2.conf: http://pastebin.com/Yja02tnE
this is my ea-dev located in /etc/apache2/sites-available/: http://pastebin.com/U1Vu2jxD
thats what i get in the error.log:
[crit] [client 127.0.0.1]
(13)Permission denied: /home/tg/.htaccess pcfg_openfile: unable to
check htaccess file, ensure it is readable
I really don't understand why its written /home/tg and not /home/tg/Aptana... but maybe its just an abbreviation.
Have you checked to make sure the user running the apache daemon can read the files in the directories in question? I'd start with the .htaccess file. That is almost always the cause of the permission denied error. You may also need to add the tg user to the www-data group.
However, the other thing that stands out is the use of spaces in your path for DocumentRoot... I haven't actually ever done that, so I would also try normalizing your directory path, removing spaces and capital letters. That could explain why the path in the error log does not match the path you expected to see - apache does not normally abbreviate such things.
Good luck and let us know if you make any progress or have additional questions/info.