Apache [PTY Errors] in cgi-perl file while creating a new Expect object

Submitted by 强颜欢笑 on 2019-12-01 14:21:31

This is because httpd_sys_script_t doesn't have selinux permissions to read/write a pty, but the following selinux policy will allow it:

# httpd_pty.te: let the httpd CGI script domain read and write the pty master (/dev/ptmx is labelled ptmx_t)
policy_module(httpd_pty,1.0)
require {
    type httpd_sys_script_t;
    type ptmx_t;
    class chr_file { read write };
}
allow httpd_sys_script_t ptmx_t:chr_file { read write };

You might be able to change this to class chr_file rw_chr_file_perms; and allow httpd_sys_script_t ptmx_t:chr_file rw_chr_file_perms;, depending on how recent your SELinux policy is. The above will work with RHEL 5; the macro in this line will work with RHEL 6.

Or, from advice from #selinux on freenode:

# build a small policy module in a scratch directory
mkdir ~/myhttpd
cd ~/myhttpd
# myhttpd.te: declare a private httpd content type "myscript" via the apache content template
echo "policy_module(myhttpd,1.0.0) optional_policy(\` apache_content_template(myscript)')" > myhttpd.te
# myhttpd.fc: label only this one CGI script with the new executable type
echo "/home/httpd/foo/cgi-bin/test.pl -- gen_context(system_u:object_r:httpd_myscript_script_exec_t,s0)" > myhttpd.fc
# compile with the reference-policy devel Makefile and load the module
make -f /usr/share/selinux/devel/Makefile myhttpd.pp
sudo semodule -i myhttpd.pp

Basically, the apache policy has a way to create your own content type. Create the content type for your script in the above code fragment. Then take your new AVC denials and add them to the policy file myhttpd.te above. This will keep you from allowing all httpd processes to access ptys; only the one you specify will be allowed. You would probably do the following afterwards:

allow httpd_myscript_script_t ptmx_t:chr_file rw_chr_file_perms;

added onto the end of myhttpd.te (or whatever you want to call the module), and recompile and load (make and semodule above).

I believe this is an SELinux problem; check your log for SELinux errors and adjust your policy accordingly.

This will solve your problem:

# write the policy source (raw policy language, not a refpolicy module)
cat > mypol.te<<EOF
module mypol 1.0;
require {
        type httpd_sys_script_t;
        type ptmx_t;
        type httpd_t;
        class chr_file { read write ioctl open };
}

#============= httpd_t ==============
allow httpd_t ptmx_t:chr_file open;
allow httpd_sys_script_t ptmx_t:chr_file { read write };
#!!!! This avc is allowed in the current policy
allow httpd_t ptmx_t:chr_file { read write ioctl };
EOF
# compile the source into a module, package it and load it
checkmodule -M -m -o mypol.mod mypol.te
semodule_package -o mypol.pp -m mypol.mod
semodule -i mypol.pp

setsebool -P daemons_use_tty 1

grep httpd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
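Before running audit2allow over the whole httpd slice of audit.log, it is worth checking which permissions were actually denied on ptmx_t for the script domain alone, so the resulting rule stays as narrow as the first answer recommends. The script below is an added example, not code from the answers above: it parses constructed AVC lines (not real log data) in the audit.log format, collects only the chr_file permissions denied to a chosen source type on ptmx_t, and emits a module granting just those. Function names and the sample lines are my own.

```shell
#!/bin/sh
# Constructed sample AVC lines shaped like /var/log/audit/audit.log (not real data).
AVC_SAMPLE='type=AVC msg=audit(1575209000.123:456): avc:  denied  { read write } for  pid=2345 comm="perl" path="/dev/ptmx" dev="devtmpfs" ino=1234 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1575209000.124:457): avc:  denied  { open } for  pid=2345 comm="perl" path="/dev/ptmx" dev="devtmpfs" ino=1234 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1575209000.125:458): avc:  denied  { ioctl } for  pid=2345 comm="perl" path="/dev/ptmx" dev="devtmpfs" ino=1234 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1575209000.126:459): avc:  denied  { getattr } for  pid=2300 comm="httpd" path="/etc/shadow" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# ptmx_denied_perms SRC_TYPE: read AVC lines on stdin and print, sorted and
# de-duplicated, the chr_file permissions SRC_TYPE was denied on ptmx_t.
# Denials for other domains or other targets (e.g. shadow_t above) are ignored.
ptmx_denied_perms() {
    src="$1"
    awk -v src="$src" '
        /avc: +denied/ && $0 ~ ("scontext=[^ ]*:" src ":") \
            && /tcontext=[^ ]*:ptmx_t:/ && /tclass=chr_file/ {
            s = $0
            sub(/.*denied +[{] */, "", s)   # keep text after "denied {"
            sub(/ *[}].*/, "", s)           # drop everything from "}" on
            n = split(s, p, " ")
            for (i = 1; i <= n; i++) seen[p[i]] = 1
        }
        END { for (k in seen) print k }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# gen_ptmx_module MODULE SRC_TYPE "PERMS": emit raw policy source that grants only
# the listed chr_file permissions on ptmx_t to SRC_TYPE (checkmodule/semodule_package
# format, as in the answer above). Nothing is granted to httpd_t itself.
gen_ptmx_module() {
    mod="$1"; src="$2"; perms="$3"
    printf 'module %s 1.0;\nrequire {\n\ttype %s;\n\ttype ptmx_t;\n\tclass chr_file { %s };\n}\nallow %s ptmx_t:chr_file { %s };\n' \
        "$mod" "$src" "$perms" "$src" "$perms"
}

# Usage: feed real lines with `grep httpd /var/log/audit/audit.log | ptmx_denied_perms httpd_sys_script_t`
perms=$(printf '%s\n' "$AVC_SAMPLE" | ptmx_denied_perms httpd_sys_script_t)
gen_ptmx_module mypol httpd_sys_script_t "$perms"
```

Review the generated allow rule before compiling it; if a denial you did not expect appears (a different target type or a permission the script does not need), fix the script or the label rather than granting it.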