httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] ExecCGI ignored within nfs share
Date Tue, 04 Feb 2020 02:11:38 GMT
Should have said "exported" with noexec instead of mounted to make it more
clear. Then it doesn't matter what you do on the client side you will still
not be able to run exe files.

Since this is not the case maybe the perms of the directories on that path
have no exe permissions them self?

IC

On Fri, Jan 31, 2020, 10:46 PM Michele Mase' <michele.mase@gmail.com> wrote:

> From fstab:
> 10.10.10.10:/vol/shared /shared nfs defaults,exec,tcp,vers=3,intr,_netdev
> 0 0
> From /proc/mounts
> 10.10.10.10:/vol/shared /shared nfs
> rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.10.10.10,mountvers=3,mountport=635,mountproto=tcp,local_lock=none,addr=10.10.10.10
> 0 0
> The apache process user can execute scripts under nfs share:
> su - www-data -s /bin/bash -c "/shared/www_root/cgi2/test.sh" #working
>
>
> On Thu, Jan 30, 2020 at 8:57 PM Igor Cicimov <icicimov@gmail.com> wrote:
>
>> On Wed, Jan 29, 2020, 11:35 PM Michele Mase' <michele.mase@gmail.com>
>> wrote:
>>
>>> I'm trying to execute some gci scripts under a certain directory stored
>>> under an nfs share without any success; the same configuration is working
>>> outside nfs share (i.e. under local filesystem).
>>> What am I missing?
>>> Regards
>>> Michele Masè
>>>
>>> Local Working: curl https://www.example.com/cgi2/
>>>
>>> Alias /cgi2/ /var/www/html.default/cgi2/
>>> <Directory "/var/www/html.default/cgi2">
>>> AddHandler cgi-script .cgi .pl .sh
>>> DirectoryIndex index.cgi index.html
>>> Options +ExecCGI
>>> </Directory>
>>>
>>>
>>> NFS Not Working:
>>> Alias /cgi2/ /shared/www_root/cgi2/
>>> <Directory "/shared/www_root/cgi2/">
>>> AddHandler cgi-script .cgi .pl .sh
>>> DirectoryIndex index.cgi index.html
>>> Options +ExecCGI
>>> </Directory>
>>>
>>> Error_Log:
>>> AH01262: Options ExecCGI is off in this directory:
>>> /shared/www_root/cgi2/index.cgi
>>>
>>> index.cgi script
>>>
>>> #!/usr/bin/perl
>>>
>>> print "Content-type: text/html\n\n";
>>> print "<html>\n<body>\n";
>>> print "<div style=\"width: 100%; font-size: 40px; font-weight: bold;
>>> text-align: center;\">\n";
>>> print "CGI Test Page";
>>> print "\n</div>\n";
>>> print "</body>\n</html>\n";
>>>
>>> apache2.4.x ubuntu18.04 libapache2-mod-apparmor not installed
>>>
>>> aa-status --verbose
>>> apparmor module is loaded.
>>> 8 profiles are loaded.
>>> 8 profiles are in enforce mode.
>>>    /sbin/dhclient
>>>    /usr/bin/man
>>>    /usr/lib/NetworkManager/nm-dhcp-client.action
>>>    /usr/lib/NetworkManager/nm-dhcp-helper
>>>    /usr/lib/connman/scripts/dhclient-script
>>>    /usr/sbin/tcpdump
>>>    man_filter
>>>    man_groff
>>> 0 profiles are in complain mode.
>>> 0 processes have profiles defined.
>>> 0 processes are in enforce mode.
>>> 0 processes are in complain mode.
>>> 0 processes are unconfined but have a profile defined.
>>>
>>> /proc/mounts
>>> 10.10.10.10:/vol/shared /shared nfs
>>> rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.10.10.10,mountvers=3,mountport=635,mountproto=tcp,local_lock=none,addr=10.10.10.10
>>> 0 0
>>>
>>> su - www-data -s /bin/bash -c "/bin/cat /shared/www_root/cgi2/index.cgi"
>>> #working
>>> --
>>> Michele Masè
>>>
>>
>> Usually NFS shares are being mounted without exec permissions for
>> security, you need to make sure that is not the case.
>>
>>>
>
> --
> Michele Masè
>

Mime
View raw message