List: apache-httpd-users
Subject: Re: [users@httpd] ExecCGI ignored within nfs share
From: "Michele Mase'" <michele.mase () gmail ! com>
Date: 2020-02-04 11:26:50
Message-ID: CAC=HuntLPu__5yN-YaTRBM517rGMF8ZUURe9voAvP_QGGcnOog () mail ! gmail ! com
The directory perms are ok (directory 0755, files 0705); you can see the
content of the script but not execute it.
On Tue, Feb 4, 2020 at 2:12 AM Igor Cicimov <icicimov@gmail.com> wrote:
> Should have said "exported" with noexec instead of mounted to make it more
> clear. Then it doesn't matter what you do on the client side you will still
> not be able to run exe files.
>
> Since this is not the case maybe the perms of the directories on that path
> have no exe permissions themselves?
>
> IC
>
> On Fri, Jan 31, 2020, 10:46 PM Michele Mase' <michele.mase@gmail.com>
> wrote:
>
> > From fstab:
> > 10.10.10.10:/vol/shared /shared nfs defaults,exec,tcp,vers=3,intr,_netdev 0 0
> > From /proc/mounts
> > 10.10.10.10:/vol/shared /shared nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.10.10.10,mountvers=3,mountport=635,mountproto=tcp,local_lock=none,addr=10.10.10.10 0 0
> > The apache process user can execute scripts under nfs share:
> > su - www-data -s /bin/bash -c "/shared/www_root/cgi2/test.sh" #working
> >
> >
> > On Thu, Jan 30, 2020 at 8:57 PM Igor Cicimov <icicimov@gmail.com> wrote:
> >
> > > On Wed, Jan 29, 2020, 11:35 PM Michele Mase' <michele.mase@gmail.com>
> > > wrote:
> > >
> > > > I'm trying to execute some CGI scripts under a certain directory stored
> > > > under an nfs share without any success; the same configuration is working
> > > > outside nfs share (i.e. under local filesystem).
> > > > What am I missing?
> > > > Regards
> > > > Michele Masè
> > > >
> > > > Local Working: curl https://www.example.com/cgi2/
> > > >
> > > > Alias /cgi2/ /var/www/html.default/cgi2/
> > > > <Directory "/var/www/html.default/cgi2">
> > > > AddHandler cgi-script .cgi .pl .sh
> > > > DirectoryIndex index.cgi index.html
> > > > Options +ExecCGI
> > > > </Directory>
> > > >
> > > >
> > > > NFS Not Working:
> > > > Alias /cgi2/ /shared/www_root/cgi2/
> > > > <Directory "/shared/www_root/cgi2/">
> > > > AddHandler cgi-script .cgi .pl .sh
> > > > DirectoryIndex index.cgi index.html
> > > > Options +ExecCGI
> > > > </Directory>
> > > >
> > > > Error_Log:
> > > > AH01262: Options ExecCGI is off in this directory:
> > > > /shared/www_root/cgi2/index.cgi
> > > >
> > > > index.cgi script
> > > >
> > > > #!/usr/bin/perl
> > > >
> > > > print "Content-type: text/html\n\n";
> > > > print "<html>\n<body>\n";
> > > > print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n";
> > > > print "CGI Test Page";
> > > > print "\n</div>\n";
> > > > print "</body>\n</html>\n";
> > > >
> > > > apache2.4.x ubuntu18.04 libapache2-mod-apparmor not installed
> > > >
> > > > aa-status --verbose
> > > > apparmor module is loaded.
> > > > 8 profiles are loaded.
> > > > 8 profiles are in enforce mode.
> > > > /sbin/dhclient
> > > > /usr/bin/man
> > > > /usr/lib/NetworkManager/nm-dhcp-client.action
> > > > /usr/lib/NetworkManager/nm-dhcp-helper
> > > > /usr/lib/connman/scripts/dhclient-script
> > > > /usr/sbin/tcpdump
> > > > man_filter
> > > > man_groff
> > > > 0 profiles are in complain mode.
> > > > 0 processes have profiles defined.
> > > > 0 processes are in enforce mode.
> > > > 0 processes are in complain mode.
> > > > 0 processes are unconfined but have a profile defined.
> > > >
> > > > /proc/mounts
> > > > 10.10.10.10:/vol/shared /shared nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.10.10.10,mountvers=3,mountport=635,mountproto=tcp,local_lock=none,addr=10.10.10.10 0 0
> > > >
> > > > su - www-data -s /bin/bash -c "/bin/cat /shared/www_root/cgi2/index.cgi" #working
> > > > --
> > > > Michele Masè
> > > >
> > >
> > > Usually NFS shares are being mounted without exec permissions for
> > > security, you need to make sure that is not the case.
> > >
> > > >
> >
> > --
> > Michele Masè
> >
>
--
Michele Masè
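
An added example, not part of the thread: a shell script for the two client-side checks discussed in the messages above, namely whether the filesystem holding the script is mounted noexec (the flag is listed in /proc/mounts only when it is set) and whether every parent directory is searchable. The function names and the sample mount table are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample in /proc/mounts format; the nfs line is abbreviated from
# the thread, the other two lines are invented for contrast.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
10.10.10.10:/vol/shared /shared nfs rw,relatime,vers=3,hard,proto=tcp,sec=sys 0 0
tmpfs /shared2 tmpfs rw,nosuid,nodev,noexec 0 0
EOF
}

# mount_opts_for PATH [MOUNTS_FILE]: print the option list of the filesystem
# holding PATH, i.e. the entry whose mount point is the longest prefix of PATH.
mount_opts_for() {
    awk -v p="$1" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            # ">=" lets a later entry win when one mount point is over-mounted
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# is_noexec PATH [MOUNTS_FILE]: succeed if that filesystem is mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$@")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# first_unsearchable PATH: print the topmost parent directory of PATH that
# lacks the "other" search bit (x, or t on a sticky directory). Assumes the
# Apache user reaches the path as "other"; prints an empty line if none.
first_unsearchable() {
    dir=$(dirname "$1"); bad=""
    while :; do
        case "$(ls -ld "$dir" | cut -c10)" in
            x|t) ;;
            *) bad=$dir ;;
        esac
        case "$dir" in /|.) break ;; esac
        dir=$(dirname "$dir")
    done
    printf '%s\n' "$bad"
}

# Report for a real path when one is given on the command line.
if [ "$#" -gt 0 ]; then
    if is_noexec "$1"; then echo "noexec: yes"; else echo "noexec: no"; fi
    echo "first directory without o+x: $(first_unsearchable "$1")"
fi
```

Run with the script path as the only argument, for example the index.cgi path from the error log, to check the live mount table.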