in reply to Re^2: cgi script write to crontab
in thread how to avoid web server from getting hacked

One possible reason is that one of the directories that the file is in doesn't allow the web server to access the file (for example if /home/jma is 750 the story ends here).

Another is Security-Enhanced Linux, which assigns a "context" to each process, and Apache has the "www" context. It can't access files that don't have that context, and /home/ doesn't. SELinux is enabled by default on Red Hat distributions and those that are based on it (like CentOS).
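
The directory-permission cause described in the post above can be checked mechanically. The following is an added example, not part of the original post: a shell function that walks the directories leading to a file and prints the first one that lacks the execute (traverse) bit for "other". It assumes GNU stat, an absolute path, and that the web server account is neither owner nor group member of those directories; the function name and the sample file name are hypothetical.

```shell
#!/bin/sh
# Added example: locate the first directory on a path that "other" users
# (assumed to include the web server account) cannot traverse.
# Requires GNU stat (stat -c %a), as shipped on Red Hat / CentOS.

# first_blocked_dir FILE [BASE]
#   Prints the first directory above FILE whose mode lacks other-execute.
#   BASE (optional) is a prefix already known to be traversable; it is skipped.
#   Returns 0 if a blocking directory was found, 1 otherwise.
first_blocked_dir() {
    dir=$(dirname -- "$1")
    base=${2:-}
    rel=${dir#"$base"}
    cur=$base
    blocked=
    old_ifs=$IFS; IFS=/; set -f          # split on "/" without globbing
    for part in $rel; do
        [ -n "$part" ] || continue       # empty field before the leading "/"
        cur="$cur/$part"
        # Stop if the directory is missing or cannot be examined by us.
        mode=$(stat -c %a -- "$cur") || break
        # The last octal digit holds the "other" bits; bit 1 is execute,
        # which on a directory means permission to traverse it.
        other=${mode#"${mode%?}"}
        if [ $((other & 1)) -eq 0 ]; then
            blocked=$cur
            break
        fi
    done
    IFS=$old_ifs; set +f
    [ -n "$blocked" ] || return 1
    printf '%s\n' "$blocked"
}

# Stand-alone use, e.g.: sh check_path.sh /home/jma/crontab.txt
if [ $# -gt 0 ]; then
    first_blocked_dir "$@" || echo "no blocking directory found"
fi
```

This only inspects classic mode bits; an SELinux denial will not show up here and has to be looked for separately.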

Re^4: cgi script write to crontab
by Niner710 (Sexton) on May 14, 2008 at 00:55 UTC
    OK, thanks moritz. I basically have a webpage that takes input from the user. I want to process the output of that HTML form and do a specific action with a Perl script. The Perl script will take arguments from what the user specified in the HTML form and would run in cron. So this is what I would like to do. It seems from what you were saying earlier in the chatterbox that this is unsafe. I should not run the CGI script and output into a cron file. What would you recommend to be a safe way to do this? Database? Any suggestions greatly appreciated.
      It seems when I disable SELinux then it works. I would rather not do this. Is there a workaround to this?
Re^4: cgi script write to crontab
by Niner710 (Sexton) on May 14, 2008 at 15:58 UTC
    Moritz, you were right on. After playing with SELinux (and some hair pulling) I finally got it to work. Like Moritz said, it seems that SELinux will only allow Apache to run on directories that have the httpd context. I could have either found a directory that had that context or changed the context of another directory to enable me to write to a file in that directory. Here are the commands that I used to get it to work:
    chcon -R -t httpd_sys_content_t /home/jma
    (changes my home directory to have httpd context so that I can have an apache process run in this directory)
    chmod 775 /home/jma
    Now, I will have to figure out if this is a safe way to do things...haha