Apache and suexec issue that wont let me run my python script

  • Thread starter Νικόλαος Κούρας

Carlos Nepomuceno

Date: Tue, 4 Jun 2013 04:48:34 -0700
Subject: Re: Apache and suexec issue that wont let me run my python script
From: (e-mail address removed)
To: (e-mail address removed)

> On Tuesday, 4 June 2013 2:42:52 PM UTC+3, Carlos Nepomuceno wrote:
>
> Here it is: http://pastebin.com/kMT2BZp1

Your httpd.conf is automatically generated by cPanel. Take a look:

# Defined in /var/cpanel/cpanel.config: apache_port
Listen 0.0.0.0:82
User nobody
Group nobody
ExtendedStatus On
ServerAdmin (e-mail address removed)
ServerName nikos.superhost.gr
LogLevel warn

That means you have to change the settings on cPanel not directly editing httpd.conf. I don't use cPanel so I can't help you on that.

Good luck!
 
Νικόλαος Κούρας

On Tuesday, 4 June 2013 3:11:18 PM UTC+3, Carlos Nepomuceno wrote:
> Your httpd.conf is automatically generated by cPanel. Take a look:
>
> # Defined in /var/cpanel/cpanel.config: apache_port
> Listen 0.0.0.0:82
> User nobody
> Group nobody
> ExtendedStatus On
> ServerAdmin (e-mail address removed)
> ServerName nikos.superhost.gr
> LogLevel warn
>
> That means you have to change the settings on cPanel not directly editing httpd.conf. I don't use cPanel so I can't help you on that.
>
> Good luck!

Since I'm root, I will open the file and alter the user nobody to root.
Can't I?

Also, about the suexec.log, since I made it 755 why does suexec still complain that it cannot open it?
 
Νικόλαος Κούρας

root@nikos [~]# nano /usr/local/apache/conf/httpd.conf

and altering user nobody to user root.

root@nikos [~]# service httpd restart
[Tue Jun 04 15:56:42 2013] [warn] module rpaf_module is already loaded, skipping
Syntax error on line 175 of /usr/local/apache/conf/httpd.conf:
Error:\tApache has not been designed to serve pages while\n\trunning as root. There are known race conditions that\n\twill allow any local user to read any file on the system.\n\tIf you still desire to serve pages as root then\n\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable\n\tand then rebuild the server.\n\tIt is strongly suggested that you instead modify the User\n\tdirective in your httpd.conf file to list a non-root\n\tuser.\n
root@nikos [~]#

What can I do?
 

Chris Angelico

> root@nikos [~]# nano /usr/local/apache/conf/httpd.conf
>
> and altering user nobody to user root.
>
> root@nikos [~]# service httpd restart
> [Tue Jun 04 15:56:42 2013] [warn] module rpaf_module is already loaded, skipping
> Syntax error on line 175 of /usr/local/apache/conf/httpd.conf:
> Error:\tApache has not been designed to serve pages while\n\trunning as root. There are known race conditions that\n\twill allow any local user to read any file on the system.\n\tIf you still desire to serve pages as root then\n\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable\n\tand then rebuild the server.\n\tIt is strongly suggested that you instead modify the User\n\tdirective in your httpd.conf file to list a non-root\n\tuser.\n
> root@nikos [~]#
>
> What can I do?

Don't do that.

ChrisA
 

Carlos Nepomuceno

Date: Tue, 4 Jun 2013 05:57:54 -0700
Subject: Re: Apache and suexec issue that wont let me run my python script
From: (e-mail address removed)
To: (e-mail address removed)

> root@nikos [~]# nano /usr/local/apache/conf/httpd.conf
>
> and altering user nobody to user root.
>
> root@nikos [~]# service httpd restart
> [Tue Jun 04 15:56:42 2013] [warn] module rpaf_module is already loaded, skipping
> Syntax error on line 175 of /usr/local/apache/conf/httpd.conf:
> Error:\tApache has not been designed to serve pages while\n\trunning as root. There are known race conditions that\n\twill allow any local user to read any file on the system.\n\tIf you still desire to serve pages as root then\n\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable\n\tand then rebuild the server.\n\tIt is strongly suggested that you instead modify the User\n\tdirective in your httpd.conf file to list a non-root\n\tuser.\n
> root@nikos [~]#
>
> What can I do?

You don't need to run httpd as root. In fact it's risky. You can use another user with less privileges to run it like nobody or something else you see fit.

I don't think the suggestion to rebuild the server is good, but I don't know how cPanel works so it's just a guess.
 
Νικόλαος Κούρας

On Tuesday, 4 June 2013 4:10:58 PM UTC+3, Chris Angelico wrote:
> root@nikos [~]# nano /usr/local/apache/conf/httpd.conf
> and altering user nobody to user root.
> root@nikos [~]# service httpd restart
> [Tue Jun 04 15:56:42 2013] [warn] module rpaf_module is already loaded, skipping
> Syntax error on line 175 of /usr/local/apache/conf/httpd.conf:
> Error:\tApache has not been designed to serve pages while\n\trunning as root. There are known race conditions that\n\twill allow any local user to read any file on the system.\n\tIf you still desire to serve pages as root then\n\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable\n\tand then rebuild the server.\n\tIt is strongly suggested that you instead modify the User\n\tdirective in your httpd.conf file to list a non-root\n\tuser.\n
> Don't do that.

Well I can understand it's dangerous, but it also doesn't let me.
So that left me the tampering of the log files.

root@nikos [~]# chmod 755 /var/log/httpd/error_log
root@nikos [~]# chown nobody:nobody /var/log/httpd/error_log

root@nikos [~]# chmod 755 /usr/local/apache/logs/error_log
root@nikos [~]# chown nobody:nobody /usr/local/apache/logs/error_log

BUT just my luck.....

root@nikos [~]# [Tue Jun 04 16:16:21 2013] [error] [client 46.12.95.59] suexec failure: could not open log file
[Tue Jun 04 16:16:21 2013] [error] [client 46.12.95.59] fopen: Permission denied
[Tue Jun 04 16:16:21 2013] [error] [client 46.12.95.59] Premature end of script headers: koukos.py
[Tue Jun 04 16:16:21 2013] [error] [client 46.12.95.59] File does not exist: /home/nikos/public_html/500.shtml
[Tue Jun 04 16:16:24 2013] [error] [client 46.12.95.59] suexec failure: could not open log file
[Tue Jun 04 16:16:24 2013] [error] [client 46.12.95.59] fopen: Permission denied
[Tue Jun 04 16:16:24 2013] [error] [client 46.12.95.59] Premature end of script headers: koukos.py


I DON'T KNOW WHAT ELSE TO TRY. PLEASE HELP, I'LL TRY ANYTHING YOU SAY.
 
Νικόλαος Κούρας

On Tuesday, 4 June 2013 5:33:03 PM UTC+3, Chris Angelico wrote:
> You should try power surging your drivers. Have you got a spare power cord?

Jokes are funny, but it's over a week now, the script is correct and the damn suexec thing doesn't let me do my job.
 

Mark Lawrence

> On Tuesday, 4 June 2013 5:33:03 PM UTC+3, Chris Angelico wrote:
>
> Jokes are funny, but it's over a week now, the script is correct and the damn suexec thing doesn't let me do my job.

I don't know much about the Python suexec module, can you please explain
where it's documented. Or is suexec nothing to do with Python?

--
"Steve is going for the pink ball - and for those of you who are
watching in black and white, the pink is next to the green." Snooker
commentator 'Whispering' Ted Lowe.

Mark Lawrence
 
Chris “Kwpolska” Warrick

> I don't know much about the Python suexec module, can you please explain
> where it's documented. Or is suexec nothing to do with Python?

From Wikipedia:
Apache suEXEC is a feature of the Apache Web server. It allows users to run CGI and SSI applications as a different user - normally, all web server processes run as the default web server user (often wwwrun, Apache or nobody).

In other words: Nikolaos is trying to do something HORRIBLY WRONG
(just like always). The proper way would be to run the python scripts
through WSGI as the standard nobody user. Or do proper file
permissions. And WSGI should be used through something intelligent
(flask/pyramid/…)

--- OT START ---
> You should try power surging your drivers. Have you got a spare power cord?
>
> ChrisA
>
> [1] http://www.oocities.org/timessquare/4753/bofh.htm

Please link and read at the BOFH’s page. [0] is the page and [1] is
this exact story.

[0]: http://bofh.ntk.net/BOFH/index.php
[1]: http://bofh.ntk.net/BOFH/0000/bastard07.php
 
Νικόλαος Κούρας

All these people I host their websites are friends of mine and their webpages all of them run without any problem.

Only my personal webpage, which utilizes python, has these kind of issues; the other pages are joomlas and dreamweavers.

Please, as you see I have been trying anything I thought of and everything I googled and been told to.

But still this error insists.

I'm willing to let someone with full root access to my webhost to see things from the inside.

Does someone want to take a look or at least tell me what else I need to try, that hasn't been tried out yet?
 

Chris Angelico

> I'm willing to let someone with full root access to my webhost to see things from the inside.
>
> Does someone want to take a look or at least tell me what else I need to try, that hasn't been tried out yet?

You need to read up on what happens when you enter Dummy Mode and give
someone full root access to your web host. You really REALLY need to
understand what that means before you offer random strangers that kind
of access to someone else's data.

I've half a mind to take you up on your offer, then go look for
personal and private info from your clients, and email it to them
(along with a link to this thread) to point out what's going on.

ChrisA
 
Νικόλαος Κούρας

On Tuesday, 4 June 2013 8:09:18 PM UTC+3, Chris Angelico wrote:
> You need to read up on what happens when you enter Dummy Mode and give
> someone full root access to your web host. You really REALLY need to
> understand what that means before you offer random strangers that kind
> of access to someone else's data.
>
> I've half a mind to take you up on your offer, then go look for
> personal and private info from your clients, and email it to them
> (along with a link to this thread) to point out what's going on.
>
> ChrisA

I know what full root access means.
I also trust you.
I'm hopeless man, it's 1 week now dealing with this.
 

Chris Angelico

> I know what full root access means.
> I also trust you.
> I'm hopeless man, it's 1 week now dealing with this.

The call is strong... I could rule the galaxy alongside my father...
I've searched my feelings, and I know this to be true!

Okay. I accept. I'll do as I promised. Might be interesting, and
educative - for someone, at least.

ChrisA
 

Dennis Lee Bieber

> Since I'm root, I will open the file and alter the user nobody to root.
> Can't I?

ACK! NEVER!

root should ONLY be used to install software and create user/group
accounts. And even then using SU or SUDO or similar from a restricted
user account is safer.

The whole reason the web-server runs as "nobody" is so that any
exploits (bugs that let outsiders gain access to a command line or
equivalent) end up in an environment where they can't do anything to the
system.
 
Νικόλαος Κούρας

On Wednesday, 5 June 2013 1:12:26 AM UTC+3, Chris Angelico wrote:
> The call is strong... I could rule the galaxy alongside my father...
> I've searched my feelings, and I know this to be true!
>
> Okay. I accept. I'll do as I promised. Might be interesting, and
> educative - for someone, at least.

Good Day Chris, thanks for accepting.

Please mail me and I will send you the root login credentials.
Before that happens I want to tell you that I have managed to disable 'suexec' and the error now became:


[Wed Jun 05 06:49:56 2013] [error] [client 46.12.95.59] (2)No such file or directory: exec of '/home/nikos/public_html/cgi-bin/koukos.py' failed
[Wed Jun 05 06:49:56 2013] [error] [client 46.12.95.59] Premature end of script headers: koukos.py

The script though is interpreting correctly as seen from

(e-mail address removed) [~/www/cgi-bin]# python koukos.py
Set-Cookie: nikos=admin; expires=Sat, 31 May 2014 03:55:16 GMT; Path=/ Content-type: text/html; charset=utf-8
ΞΞ Ξ ΞΞ© ΞΞΞ Ξ£Ξ�Ξ ΞΞΞΞ£ ΞΞΞ
(e-mail address removed) [~/www/cgi-bin]#

The mojibake is Greek as the terminal outputs it.
 

alex23

> [Wed Jun 05 06:49:56 2013] [error] [client 46.12.95.59] (2)No such file or directory: exec of '/home/nikos/public_html/cgi-bin/koukos.py' failed
> The script though is interpreting correctly as seen from
> (e-mail address removed) [~/www/cgi-bin]# python koukos.py

Unless you're symlinking and expect us to use our psychic powers to
work that out, '/home/nikos/public_html/cgi-bin/koukos.py' <>
'~/www/cgi-bin/koukos.py'.
 
Νικόλαος Κούρας

Here is the script:

================================
#!/usr/bin/python
# coding=utf-8

import cgitb; cgitb.enable()
import cgi, os, sys, locale, codecs
from http import cookies

#needed line, script does *not* work without it
sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach())

# initialize cookie
cookie = cookies.SimpleCookie( os.environ.get('HTTP_COOKIE') )
cookie.load( cookie )
nikos = cookie.get('nikos')

# if visitor cookie does exist
if nikos:
    message = "ΑΠΟ ΤΗΝ ΕΠΟΜΕΝΗ ΕΠΙΣΚΕΨΗ ΣΟΥ ΘΑ ΣΕ ΥΠΟΛΟΓΙΖΩ ΩΣ ΕΠΙΣΚΕΠΤΗ ΑΥΞΑΝΟΝΤΑΣ ΤΟΝ ΜΕΤΡΗΤΗ!"
    cookie['nikos'] = 'admin'
    cookie['nikos']['path'] = '/'
    cookie['nikos']['expires'] = -1 #this cookie will expire now
else:
    message = "ΑΠΟ ΔΩ ΚΑΙ ΣΤΟ ΕΞΗΣ ΔΕΝ ΣΕ ΕΙΔΑ, ΔΕΝ ΣΕ ΞΕΡΩ, ΔΕΝ ΣΕ ΑΚΟΥΣΑ! ΘΑ ΕΙΣΑΙ ΠΛΕΟΝ Ο ΑΟΡΑΤΟΣ ΕΠΙΣΚΕΠΤΗΣ!!"
    cookie['nikos'] = 'admin'
    cookie['nikos']['path'] = '/'
    cookie['nikos']['expires'] = 60*60*24*30*12 #this cookie will expire in a year


print( cookie, "Content-type: text/html; charset=utf-8\n", message )

sys.exit(0)
===================================

This doesn't make sense to me at all. All I am trying to set is a cookie, I was so happy finally disabling bloody 'suexec' and now this.

[Wed Jun 05 06:49:56 2013] [error] [client 46.12.95.59] (2)No such file or directory: exec of '/home/nikos/public_html/cgi-bin/koukos.py' failed
[Wed Jun 05 06:49:56 2013] [error] [client 46.12.95.59] Premature end of script headers: koukos.py
 
Νικόλαος Κούρας

On Wednesday, 5 June 2013 7:34:55 AM UTC+3, alex23 wrote:
> [Wed Jun 05 06:49:56 2013] [error] [client 46.12.95.59] (2)No such file or directory: exec of '/home/nikos/public_html/cgi-bin/koukos.py' failed
>
> The script though is interpreting correctly as seen from
> (e-mail address removed) [~/www/cgi-bin]# python koukos.py
>
> Unless you're symlinking and expect us to use our psychic powers to
> work that out, '/home/nikos/public_html/cgi-bin/koukos.py' <>
> '~/www/cgi-bin/koukos.py'.

Of course '/home/nikos/public_html/cgi-bin' = '/home/nikos/www/cgi-bin'
What does this have to do with what I asked?
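
A direct exec(), which is what Apache performs on a CGI script, fails with "(2)No such file or directory" not only when the script path is absent but also when the interpreter named on its `#!` line cannot be found; running `python koukos.py` by hand never consults that line. The checker below is an added example, not part of the thread: `diagnose_cgi_exec` and the sample files are constructed for illustration, and it does not establish what was wrong on the poster's server.

```python
import os

def diagnose_cgi_exec(script_path):
    """Return (code, detail) findings that would make a direct exec() of a CGI script fail."""
    real = os.path.realpath(script_path)      # follow symlinks, e.g. www -> public_html
    if not os.path.isfile(real):
        return [("missing", real)]                        # exec fails with ENOENT
    findings = []
    if not os.stat(real).st_mode & 0o111:
        findings.append(("not-executable", real))         # exec fails with EACCES
    with open(real, "rb") as fh:
        first = fh.readline(256)
    if not first.startswith(b"#!"):
        return findings + [("no-shebang", real)]          # exec fails with ENOEXEC
    if first.endswith(b"\r\n"):
        findings.append(("crlf", "DOS line ending on the #! line"))
    # The kernel cuts the #! line at the newline and uses the text up to the
    # first space or tab as the interpreter path, so a trailing \r stays in it.
    body = first[2:].rstrip(b"\n").strip(b" \t")
    interpreter = os.fsdecode(body.replace(b"\t", b" ").split(b" ", 1)[0])
    if not os.path.isfile(interpreter):
        findings.append(("interpreter-missing", interpreter))   # exec fails with ENOENT
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed sample scripts: identical except for the line endings.
    with tempfile.TemporaryDirectory() as d:
        for name, eol in (("unix.py", b"\n"), ("dos.py", b"\r\n")):
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(b"#!/bin/sh" + eol + b"echo ok" + eol)
            os.chmod(path, 0o755)
            print(name, diagnose_cgi_exec(path))
```

Run it against the path exactly as it appears in the Apache error log, as the account the web server executes scripts under, so that symlinks and permissions are resolved the way the server sees them.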
 
