fastcgi permission error

[Carl Youngblood]

Hello, I'm trying to set up ruby-fastcgi on redhat 9. Everything seems
to be set up right, but I get an error in my apache logs when I try to
access a simple fcgi ruby script:

[Tue Sep 30 01:15:54 2003] [alert] [client 127.0.0.1] (13)Permission
denied: FastCGI: failed to connect to (dynamic) server
"/var/www/cgi-bin/test.fcgi": something is seriously wrong, any chance
the socket/named_pipe directory was removed?, see the FastCgiIpcDir
directive

A while back I was able to set up ruby-fcgi on a gentoo installation of
linux without ever running into this problem. Does anybody have any
ideas about what might be wrong?

Thanks,
Carl Youngblood

P.S. In case it's helpful, here is the sample script I'm trying to run:

#!/usr/local/bin/ruby
require 'cgi'
require 'fcgi'

FCGI.each_cgi do |cgi|
content = ''
env = []
cgi.env_table.each do |k,v|
env << [k,v]
end
env.sort!
env.each do |k,v|
content << %Q(#{k} => #{v}<br>\n)
end
cgi.out{content}
end

 

[Ara.T.Howard]

Hello, I'm trying to set up ruby-fastcgi on redhat 9. Everything seems to
be set up right, but I get an error in my apache logs when I try to access a
simple fcgi ruby script:

[Tue Sep 30 01:15:54 2003] [alert] [client 127.0.0.1] (13)Permission denied:
FastCGI: failed to connect to (dynamic) server "/var/www/cgi-bin/test.fcgi":
something is seriously wrong, any chance the socket/named_pipe directory was
removed?, see the FastCgiIpcDir directive

this means that either

a) the program did not run at all
b) the program ran, but spat out bad things

your program is a valid fcgi program - it runs on my host - so it's not b.

so, you obviously have apache set up, and configured for, mod_fastcgi since
the error logs have those messages.

a few easy things to consider:

first, what is the output of

~ > which -a ruby
~ > sudo su nobody -c './test.fcgi < /dev/null'

eg - can you run your program as user nobody (or whatever the web server
runs as) from the command line? of course you could eliminate this
possibility by simply

~ > chmod 755 ./test.fcgi
~ > ./test.fcgi < /dev/null

if not

do you have multiple installations of ruby? (1.6.8 and 1.8.0)
if so, do you have ruby-fcgi installed for each site_ruby dir?

i guess all that stuff may seem obvious - but i had to throw it out there...

about the only thing i have run across with ruby cgi programs that use modules
crashing is that, when you compile a module, say ruby-fcgi, it may depend on
other libraries:

ruby-fcgi -> libfastcgi.so

you can see this by, for example:

~ > ldd /usr/local/ruby-1.8.0/lib/ruby/site_ruby/1.8/i686-linux/fcgi.so
libfcgi.so.0 => /usr/local/lib/libfcgi.so.0 (0x40012000)
libc.so.6 => /lib/libc.so.6 (0x4001c000)
libgcc_s.so.1 => /usr/local/lib/libgcc_s.so.1 (0x40152000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4015a000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x2aaaa000)

so, when any program runs that requires 'fcgi.so', it, in turn, will cause the
linker to look for all the other libs it needs. sometimes the paths will be
incomplete and the linker will need to look for the others in LD_LIBRARY_PATH
or /etc/ld.so.conf. it can happen (it has to me) that a module _you_ require
works completely find because the directory of the libs _it_ depends on are in
your LD_LIBRARY_PATH and ld.so can find them. however, when you are running a
cgi it is user nobody that is running the script and his LD_LIBRARY_PATH may
not have a path where the depending lib can be found. i think i saw this with
the postgres module before... any how, you can fix it by configuring ld.so
(/etc/ld.so.conf) _or_ by compiling with LD_RUN_PATH set, which hard codes the
paths into the shared module. or by setting the global LD_LIBRARY_PATH but i
forget how to do that.

the only reason i point that out is that redhat routinely does NOT have
/usr/local/lib configured as a place for ld.so to look and many packages will
install their libs exactly there.

-a

A while back I was able to set up ruby-fcgi on a gentoo installation of
linux without ever running into this problem. Does anybody have any ideas
about what might be wrong?

Thanks,
Carl Youngblood

P.S. In case it's helpful, here is the sample script I'm trying to run:

#!/usr/local/bin/ruby
require 'cgi'
require 'fcgi'

FCGI.each_cgi do |cgi|
content = ''
env = []
cgi.env_table.each do |k,v|
env << [k,v]
end
env.sort!
env.each do |k,v|
content << %Q(#{k} => #{v}<br>\n)
end
cgi.out{content}
end

====================================
| Ara Howard
| NOAA Forecast Systems Laboratory
| Information and Technology Services
| Data Systems Group
| R/FST 325 Broadway
| Boulder, CO 80305-3328
| Email: (e-mail address removed)
| Phone: 303-497-7238
| Fax: 303-497-7259
| The difference between art and science is that science is what we understand
| well enough to explain to a computer. Art is everything else.
| -- Donald Knuth, "Discover"
| ~ > /bin/sh -c 'for lang in ruby perl; do $lang -e "print \"\x3a\x2d\x29\x0a\""; done'
====================================

 

[Carl Youngblood]

so, when any program runs that requires 'fcgi.so', it, in turn, will cause the

linker to look for all the other libs it needs. sometimes the paths will be
incomplete and the linker will need to look for the others in LD_LIBRARY_PATH
or /etc/ld.so.conf. it can happen (it has to me) that a module _you_ require
works completely find because the directory of the libs _it_ depends on are in
your LD_LIBRARY_PATH and ld.so can find them. however, when you are running a
cgi it is user nobody that is running the script and his LD_LIBRARY_PATH may
not have a path where the depending lib can be found.

Yep, that seems to be the problem. In fact, libfcgi.so.0 is not being
found for any user.

[carl@dhcppc1 carl]$ ldd
/usr/local/lib/ruby/site_ruby/1.8/i686-linux/fcgi.so
libfcgi.so.0 => not found
libdl.so.2 => /lib/libdl.so.2 (0x4001b000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4001e000)
libm.so.6 => /lib/libm.so.6 (0x4004a000)
libc.so.6 => /lib/libc.so.6 (0x4006c000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)

libfcgi.so.0 is in /usr/local/lib. I added /usr/local/lib to
/etc/ld.so.conf, but I'm still seeing the same problem. I'm assuming
that it's just because editing the file doesn't update my environment
automatically. The thing is, I'm trying to write a shell script that
will take a default redhat installation and setup apache with ruby-fcgi
so I would like to know how to get my system to dynamically update my
changes to /etc/ld.so.conf.

Thanks for all the help.

Carl

 

[Carl Youngblood]

so, when any program runs that requires 'fcgi.so', it, in turn, will cause the

linker to look for all the other libs it needs. sometimes the paths will be
incomplete and the linker will need to look for the others in LD_LIBRARY_PATH
or /etc/ld.so.conf. it can happen (it has to me) that a module _you_ require
works completely find because the directory of the libs _it_ depends on are in
your LD_LIBRARY_PATH and ld.so can find them. however, when you are running a
cgi it is user nobody that is running the script and his LD_LIBRARY_PATH may
not have a path where the depending lib can be found. i think i saw this with
the postgres module before... any how, you can fix it by configuring ld.so
(/etc/ld.so.conf) _or_ by compiling with LD_RUN_PATH set, which hard codes the
paths into the shared module. or by setting the global LD_LIBRARY_PATH but i
forget how to do that.

Okay, so I updated /etc/ls.so.conf and even figured out that I needed to
run /sbin/ldconfig in order to update my changes. I also restarted the
httpd daemon just to make sure that it got those changes as well.
However, I'm still seeing the problem:

[Tue Sep 30 11:26:21 2003] [crit] (13)Permission denied: FastCGI: can't create (dynamic) server "/var/www/cgi-bin/test.fcgi": bind() failed [/etc/httpd/logs/fastcgi/dynamic/35830e69d0669b031643022d74f2d729]
[Tue Sep 30 11:26:26 2003] [alert] [client 127.0.0.1] (13)Permission denied: FastCGI: failed to connect to (dynamic) server "/var/www/cgi-bin/test.fcgi": something is seriously wrong, any chance the socket/named_pipe directory was removed?, see the FastCgiIpcDir directive

It may be, as you said, that the web server user (apparently redhat sets
up a user called apache for the web server to run as) can't see the
same library path that I can. However, I can't check since when run:

sudo su apache -c '/var/www/cgi-bin/test.fcgi < /dev/null'

It says "This account currently is not available." What's more, even
though my user could not see /usr/local/lib in its library path, it was
able to run the fcgi script from the command line, since ruby-fcgi seems
to bypass fcgi.so when it is running from the command line.

So, I think I am closer but there is still a problem.

Thanks,
Carl

 

[Aredridel]

--=-dVB903/rERNl1k/cyHzF
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

libfcgi.so.0 is in /usr/local/lib. I added /usr/local/lib to=20
/etc/ld.so.conf, but I'm still seeing the same problem. I'm assuming=20
that it's just because editing the file doesn't update my environment=20
automatically. The thing is, I'm trying to write a shell script that=20
will take a default redhat installation and setup apache with ruby-fcgi=20
so I would like to know how to get my system to dynamically update my=20
changes to /etc/ld.so.conf.

Run "ldconfig"

Ari

--=-dVB903/rERNl1k/cyHzF
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQA/ecHntP09exA3hooRAsSqAKCpRnc2Rr59Z4RdRaFfLO6ipf6npwCgnxaq
7Nob8gYaFX7//fNYRQ7LKWg=
=f1DQ
-----END PGP SIGNATURE-----

--=-dVB903/rERNl1k/cyHzF--

 

[Ara.T.Howard]

Okay, so I updated /etc/ls.so.conf and even figured out that I needed to run
/sbin/ldconfig in order to update my changes. I also restarted the httpd
daemon just to make sure that it got those changes as well. However, I'm
still seeing the problem:

[Tue Sep 30 11:26:21 2003] [crit] (13)Permission denied: FastCGI: can't
create (dynamic) server "/var/www/cgi-bin/test.fcgi": bind() failed
[/etc/httpd/logs/fastcgi/dynamic/35830e69d0669b031643022d74f2d729] [Tue
Sep 30 11:26:26 2003] [alert] [client 127.0.0.1] (13)Permission denied:
FastCGI: failed to connect to (dynamic) server
"/var/www/cgi-bin/test.fcgi": something is seriously wrong, any chance the
socket/named_pipe directory was removed?, see the FastCgiIpcDir directive

It may be, as you said, that the web server user (apparently redhat sets up
a user called apache for the web server to run as) can't see the same
library path that I can. However, I can't check since when run:

sudo su apache -c '/var/www/cgi-bin/test.fcgi < /dev/null'

o.k. - assuming it IS a linker problem

<straw_grasping>

i have seen this before - but don't know a work around. you probably can't
sudo su apache
then
/var/www/cgi-bin/test.fcgi < /dev/null
either?

....

other thoughts (debug hacks):

* set LD_LIBRARY_PATH in your cgi program BEFORE requiring any libs

ENV['LD_LIBRARY_PATH'] = path_to_fcgi_libs

* set

ENV['LD_DEBUG'] = 'all'
ENV['LD_DEBUG_OUTPUT'] = './ld_debug_output'

(man ld.so)

and try again. this should produce a file 'ld_debug_output' in the same
directory as the fcgi program that tells you what loaded/did not load.

BE SURE TO HAVE THE FGI PROGRAM AND IT'S DIRECTORY 777 - JUST TO BE SURE.

It says "This account currently is not available." What's more, even though
my user could not see /usr/local/lib in its library path, it was able to run
the fcgi script from the command line, since ruby-fcgi seems to bypass
fcgi.so when it is running from the command line.

So, I think I am closer but there is still a problem.

i have a redhat 9 machine. i'm setting up fastcgi on it now to try to
duplicate your problem...

-a
====================================
| Ara Howard
| NOAA Forecast Systems Laboratory
| Information and Technology Services
| Data Systems Group
| R/FST 325 Broadway
| Boulder, CO 80305-3328
| Email: (e-mail address removed)
| Phone: 303-497-7238
| Fax: 303-497-7259
| The difference between art and science is that science is what we understand
| well enough to explain to a computer. Art is everything else.
| -- Donald Knuth, "Discover"
| ~ > /bin/sh -c 'for lang in ruby perl; do $lang -e "print \"\x3a\x2d\x29\x0a\""; done'
====================================

 

[Carl Youngblood]

o.k. - assuming it IS a linker problem

<straw_grasping>

i have seen this before - but don't know a work around. you probably can't
sudo su apache
then
/var/www/cgi-bin/test.fcgi < /dev/null
either?

No, it won't let me do that either.

other thoughts (debug hacks):

* set LD_LIBRARY_PATH in your cgi program BEFORE requiring any libs

ENV['LD_LIBRARY_PATH'] = path_to_fcgi_libs

* set

ENV['LD_DEBUG'] = 'all'
ENV['LD_DEBUG_OUTPUT'] = './ld_debug_output'

(man ld.so)

and try again. this should produce a file 'ld_debug_output' in the same
directory as the fcgi program that tells you what loaded/did not load.

BE SURE TO HAVE THE FGI PROGRAM AND IT'S DIRECTORY 777 - JUST TO BE SURE.

</straw_grasping>

This didn't seem to make any difference. FYI, LD_LIBRARY_PATH isn't set
in my environment before I set it.

Carl

 

[Carl Youngblood]

Wow. Thanks a lot for taking time to work on this. I had tried setting
the ipc dir last night, and I even read the manual but got error
messages during apache startup, so I took it out. The weird thing is,
unless I chmod the logs/fastcgi directory to 777, the server can't
access it, even though the server is supposed to be running as apache
and the directory is owned by apache. The error message it was giving
me was:

Syntax error on line 223 of /etc/httpd/conf/httpd.conf:
FastCgiIpcDir /etc/httpd/logs/fastcgi: access for server (uid -1, gid
-1) failed: write not allowed

When I recursively chmod it to 777, I stop getting the error message on
Apache startup, but I wanted a less kludgy solution. I found that the
problem was because httpd.conf was setting the apache user later on in
my conf file. After I moved the user and group settings to the top of
the conf file, the error on startup went away without having to 777 the
fastcgi log dir.

However, I was still getting the 500 error, even after following all of
your suggestions. It appears that the error is related somehow to this
directory, because my error log says:

[Tue Sep 30 16:18:40 2003] [crit] (13)Permission denied: FastCGI: can't
create (dynamic) server "/var/www/cgi-bin/test.fcgi": bind() failed
[/etc/httpd/logs/fastcgi/dynamic/35830e69d0669b031643022d74f2d729]
[Tue Sep 30 16:18:44 2003] [alert] [client 127.0.0.1] (13)Permission
denied: FastCGI: failed
to connect to (dynamic) server "/var/www/cgi-bin/test.fcgi": something
is seriously wrong, any chance the socket/named_pipe directory was
removed?, see the FastCgiIpcDir directive

As if it is trying to create some temporary file in this directory and
is failing. The problem is that even when it is 777 it still seems to
fail. Adding the ENV statement in the fcgi script didn't seem to do
anything.

So I went out to the web to look for this particular error and I found a
posting about someone who had the same problem with red hat 8 here:
http://www.fastcgi.com/archives/fastcgi-developers/2002-December/002470.html

He said that since the server root is in /etc/httpd and that
/etc/httpd/logs is really a symlink to /var/log/httpd, fastcgi is having
permission problems. The solution is to get rid of the /etc/httpd/logs
symlink and make it a real directory instead, copying all the old log
files from /var/log/httpd into the new directory. Then just
leave FastCgiIpcDir the same or even get rid of it and it will work
fine. I guess fastcgi doesn't work well with symlinks.

Even weirder was the fact that setting FastCgiIpcDir to
/var/log/httpd/fastcgi also didn't work--just the fact that apache was
symlinking to the same dir caused it not to like it. However, when I
changed FastCgiIpcDir to some other full path, such as /tmp, it worked
just fine.

Anyway, I think the best solution to the problem is to get rid of the
logs symlink in /etc/httpd and change it to a real directory.

Thanks again for all your help.

Carl