The following is the content of my test.cgi.
Permission is 777,



after run this scripte, the result is : fail open /home !

It works if I change the value of $ss from /home to /tmp.

Why does it not work when the value of $ss is /home??
How can I make it work for /home directory??

Please help. Thank you.

maybe your home directory permissions are not readable or the dir belongs to root or something ? try to connect to ftp thru php and open the dir, more about it here:

ftp connect

oh darn only now i remember that your script is an cgi/perl script, anyway if you include a php file thru cgi the server will stil parse it.



anyway, i don't know much of this language, maybe you have something native

I did a test on RHEL, but fail.
It is the same problem. /home directory cannot be accessed.
But why???

Even the permission is set to 777. It just does not work.
is it anything to do with the setting of apache???
I did not change any setting of my apache server.
Default setting is used.

I assume you are using the perl script through a web server, possably apache ???

for securety, apache runs as user "nobody" for securety reasons.
nobody doesnt have a /home and so does not have access.

this prevents a compromised web server getting access to usernames (stored in /home)

nobody DOES have access to /tmp however.

you chould change the access rightas to /home, but i would not recomend this.

just re-think whatever you are trying to accumplish, and re-design it to work more securely.

After a few day, the problem was fixed finally.

My friend just tell me to disable ＳＥＬＩＮＵＸ.
After ＳＥＬＩＮＵＸ is disable, the test script runs well.

to qwijibow: you are quite right. I should design my script to work more securely.
However, I just started to learn perl about two weeks ago.
I will spend more time on it.

Thanks for your help.

I've written a guide on making SELinux co-operate with Apache, it's not really a good idea to disable SELinux so I looked for a method to work with this.

You'll want to look up the "chcon" command (change security context) and you may want to use "ls -Z" to display what you need altered or to show you if it's correct.

chcon -t httpd_sys_content_t -R $HOME/public_html

Say in your /home/UserName/ directory you have a directory called public_html, this command issued above, will make all directories, sub-directories and files all allow access for httpd (apache) to be able use public_html as we specifically made it contain system content that apache is allowed to view.

httpd_sys_exec_script_t should be set on all cgi/perl scripts as well as the cgi-bin directory.

Have a look at This Post for more information and better ways of setting permissions on your directories.

There could be more of these httpd_sys_ prefixed contexts, but the top two are the most common and most likely ones you'll ever need, I've not used any other context than these two on my own personal servers.

This should hopefully get you comfortable with SELinux.


Cheers,


MC