I installed a new CentOS 7 x86_64 LAMP server today.
I compiled a simple CGI script in c and i called it test.cgi, and I enabled the AddHandler for .cgi scripts. However everytime i try to load the /test.cgi page from my /var/www/html directory any simple .cgi script will throw me a 500 internal server error page.
I tested that the script is working fine from the /var/www/cgi-bin directory. My server is running selinux and apache/httpd is using suEXEC.
EDIT: also I didn't create any extra users after the lamp installation so here I'm using root to do everything for now. However I tried to fix giving the /var/www/html directory ownership to the apache user, that didn't fix sadly.
Here's the error log, as you can see it gives me a 'Permission Denied' error:
[Mon Jul 21 15:28:14.336626 2014] [core:notice] [pid 22704] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Jul 21 15:28:14.339766 2014] [suexec:notice] [pid 22704] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Jul 21 15:28:14.495631 2014] [auth_digest:notice] [pid 22704] AH01757: generating secret for digest authentication ...
[Mon Jul 21 15:28:14.498690 2014] [lbmethod_heartbeat:notice] [pid 22704] AH02282: No slotmem from mod_heartmonitor
[Mon Jul 21 15:28:14.765072 2014] [mpm_prefork:notice] [pid 22704] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 configured -- resuming normal operations
[Mon Jul 21 15:28:14.765186 2014] [core:notice] [pid 22704] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Jul 21 15:28:16.027553 2014] [cgi:error] [pid 22706] [client 192.168.0.68:52930] AH01215: (13)Permission denied: exec of '/var/www/html/index.cgi' failed
[Mon Jul 21 15:28:16.030595 2014] [cgi:error] [pid 22706] [client 192.168.0.68:52930] End of script output before headers: index.cgi
[Mon Jul 21 15:45:01.586229 2014] [mpm_prefork:notice] [pid 22704] AH00170: caught SIGWINCH, shutting down gracefully
This is my /var/www/html apache config:
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options ExecCGI FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
And of course I activated CGI using: AddHandler cgi-script .cgi .pl
This is my simple test.c file:
#include <stdio.h>
int main(void) {
puts("Content-Type: text/html; charset=ISO-8859-1\n");
fputs("Hello, World!", stdout);
return 0;
}
The output is correctly: Content-Type: text/html; charset=ISO-8859-1\n\nHello, World!
Also i compiled it with gcc and then gave it permissions 777 to test.cgi Do you know what I need to do to fix this?
Thanks in advance, Zorgatone
I'm not sure if this is a viable solution for you, but I got it working by changing SELinux to permissive. Here are the steps in case you're interested.
vi /etc/selinux/config
Change the following line:
SELINUX=enforcing
to:
SELINUX=permissive
I just solved reinstalling the server and doing all over again, disabled selinux and iptables, because I have already an external firewall.
Thanks to anyone who helped me out ;)
This is most likely an SELinux issue (which Tom Sweeney answer provides a solution to use a permissive SELinux and your own accepted answer which you indicated to disable SELinux entirely). An alternative approach is to configure appropriate SELinux types for your CGI files (and possibly other policy changes).
To start off, install the SELinux Policy Management tool (if not already done):
sudo yum install policycoreutils-python
Assuming you want to permit all CGI-based files in your /var/www/html directory, you can use the following command to apply the httpd_sys_script_exec_t context to your current and future CGI files:
sudo semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/html(/.*)?/.*\.cgi'
Next, restore the content for any existing CGI files:
sudo restorecon -Rv /var/www/html/
You will also need to permit Apache to allow CGI scripts to be executed using the following:
sudo setsebool -P httpd_enable_cgi 1
You should be done. Note that if your CGI scripts need to read/write content from other files in your system, you'll have to also apply the httpd_sys_rw_content_t context to those files as well (see below for an example).
Just experienced this issue attempting to install Bugzilla (which uses CGI) on a CentOS 7 (x86_64) system. The following error was observed when monitoring my httpd error log (sudo tail -f /var/log/httpd/error_log):
[cgi:error] [pid 1825] [client ...:56481] AH01215: (13)Permission denied: exec of '/var/www/html/bugzilla/index.cgi' failed
[cgi:error] [pid 1825] [client ...:56481] End of script output before headers: index.cgi
Examining the context's applied to my Bugzilla installation, I see the following:
$ ls -Z /var/www/html/bugzilla/
...
-rwxr-x---. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 index.cgi
...
I then use the following commands to permit execution for Bugzilla's CGI scripts as well as access for said CGI scripts to read content inside the ./data directory:
sudo yum install policycoreutils-python
sudo semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/html/bugzilla(/.*)?/.*\.cgi'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/bugzilla/data(/.*)?'
sudo restorecon -Rv /var/www/html/bugzilla/
sudo setsebool -P httpd_enable_cgi 1
Examining the applied context's show the desired results:
$ ls -Z /var/www/html/bugzilla/
...
-rwxr-x---. apache apache unconfined_u:object_r:httpd_sys_script_exec_t:s0 index.cgi
...
Bugzilla should be usable now. There may be additional policies to apply for all capabilities provided by Bugzilla; however, I'm unknown if any additional policies are required.
来源:https://stackoverflow.com/questions/24867286/apache-httpd-var-www-html-cgi-scripts-throw-500-internal-server-error