Re: [Tutor] my membership and access to the Tutor list
Forwarding to the list for comment. Always use Reply All9Or Reply List if your mailer supports it) when including the list members. Alan G On 12/05/15 11:24, Stewart Lawton wrote: Hi Alan I have worked though the file permissions cogniscent of your comments to see if I can find what is failing in apache access to a python created unix socket. Points 1) ,..., 12) give the results. In particular I do not understand how to set the user of uds_socket to apache or set the write permission of uds_socket group to rwx. I think that either change should enable successful operation, comments please! In answer to your other questions: I chose Unix Sockets since I had very similar access problems with IP sockets. I would like to remote control an embedded device from a laptop. The target will be Raspberrypi that in turn communicates to ARM Cortex M3 devices that are capable of correct Nyquist sampling, that Unix based devices cannot guarantee. I chose Python since it is so widely used and I need to learn that language processor. I appreciate there are many ways other ways of achieving this end but I think this one ought to work! Many Thanks for your help, Stewart Lawton 1) /etc/httpd/conf/httpd.conf species the apache server user and group as:- # User/Group: The name (or #number) of the user/group to run httpd as. # It is usually good practice to create a dedicated user and group for # running httpd, as with most system services. # User apache Group apache 2)apache is started with command sudo ./startapache that contains:- systemctl start httpd.service 3) the process status of apache is found by command ps -el the following is taken from the status report:- F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD 4 S 0 2226 1 0 80 0 - 7493 poll_s ? 00:00:00 httpd 5 S48 2227 2226 0 80 0 - 7493 inet_c ? 00:00:00 httpd 5 S48 2228 2226 0 80 0 - 7493 inet_c ? 00:00:00 httpd 5 S48 2229 2226 0 80 0 - 7493 inet_c ? 00:00:00 httpd 5 S48 2230 2226 0 80 0 - 7493 inet_c ? 00:00:00 httpd 5 S48 2233 2226 0 80 0 - 7493 inet_c ? 00:00:00 httpd 4) The user identity UID ,48,is used to find the user and group given in /etc/passwd :- apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin The user and group identies are given as 48:48 so the user and group are apache and apache. 5)The above hopefully establishes that the server has permissions on user and groups named as apache. 6)I created a test directory at /test to be used to contain the file node uds_socket. drwxrwxr-x. 2 apache apache 4096 May 11 20:15 test 7) on starting the Socket server that listens for an incoming connection the new uds_socket is created with user and group permissions as shown:- srwxr-xr-x. 1 johnlawton apache 0 May 12 10:22 /test/uds_socket 8)I do not understand what function the s bit performs here. I note that group access cannot write the file. 9) When I execute the myUnix2.cgi script from /var/www/cgi_bin with johnlawton as user with primary group apache the script executes and the listening server responds correctly. I note johnlawton has rwx access but the group apache access is limited to r-x. 10) When the apache server executes the myUnix2.cgi script failure results in failing to access the socket. 11) Summary. I think the server fails as it can only get group access and group access is limited to r-x NO w permission. 12) How can I get UDS_Socket to be created with apache as user(hence allowing rwx) or enable apache group access with w permission? *From:* Alan Gauld alan.ga...@btinternet.com *To:* Stewart Lawton jstewartlaw...@yahoo.co.uk; tutor tutor@python.org *Sent:* Friday, 8 May 2015, 10:33 *Subject:* Re: my membership and access to the Tutor list On 08/05/15 09:09, Stewart Lawton wrote: Hi Alan Thank you very much for your response to my Tutor@python.org mailto:Tutor@python.org question. I thought my membership was complete and that I could log in to answer your comments. The tutor list is a mailing list not a web forum. You don't login to answer comments you send an email reply. Use Reply to send to the individual (as you've just done with me) or, more usually, use ReplyAll (or ReplyList if your mail tool has that feature) to reply to everyone on the list. Use plain text to preserve code layout and use interleaved posting (as I'm doing here) rather than top-posting. I found I could not login again. PLEASE can you help to get my password reset? Only you can change the password, its purely web based. I only approve messages in the moderation queue, virtually nothing else. But the password just gives you access to your admin settings. I think I am failing to understand what user and or group permissions are required between apache python, and the python myUnix2.cgi program I am using. OK, I'm no expert here but several things about
Re: [Tutor] my membership and access to the Tutor list
On 08/05/15 09:09, Stewart Lawton wrote: Hi Alan Thank you very much for your response to my Tutor@python.org question. I thought my membership was complete and that I could log in to answer your comments. The tutor list is a mailing list not a web forum. You don't login to answer comments you send an email reply. Use Reply to send to the individual (as you've just done with me) or, more usually, use ReplyAll (or ReplyList if your mail tool has that feature) to reply to everyone on the list. Use plain text to preserve code layout and use interleaved posting (as I'm doing here) rather than top-posting. I found I could not login again. PLEASE can you help to get my password reset? Only you can change the password, its purely web based. I only approve messages in the moderation queue, virtually nothing else. But the password just gives you access to your admin settings. I think I am failing to understand what user and or group permissions are required between apache python, and the python myUnix2.cgi program I am using. OK, I'm no expert here but several things about your program have me puzzled. First remember that the web server will have its own user account and thus your code is effectively being run by another user. So any permissions on your files need to allow that user to have access. This is obviously a security risk and the reason its best not to have web programs accessing files in a users area but to copy any files needed into the web server space. This program script is listed below, hopefully with spaces corrected Spacing is now legal, but you should increase the indentation to make it more readable. Consider 2 spaces as the absolute minimum, most people use 3 or 4. If you ever submit code to the Python standard library it must use 4 spaces. One space makes the indentation hard to line up and almost defeats the point of having it. path to uds_socket corrected as Felix Dietricl suggested may be and Issue. 1) From my user directory I issued the script Unix2.cgi to a listening Unix sockets server and this worked OK. 2) the permissions of Unix2.cgi are:- -rwxrwxrwx. 1 johnlawton johnlawton 987 May 7 17:55 myUnix2.cgi This is not good from security but surely proves the script can execute if permissions are not considered. 3)This file is copied to the apache cgi directory /var/www/cgi-bin with the permissions forced as -rwxrwxrwx. 1 johnlawton johnlawton 987 May 7 18:19 ../../../var/www/cgi-bin/myUnix2.cgi 4) Execution of the cgi script directly works OK. OK, Permissions of the cgi script are not critical they just need to be executable to the web server. So you could have ---r-xrwx and it should be more secure and work OK. What is important is that you change ownership to whatever the apache user account is (local config, I can't help there you'll need to look at the files). 5) http is enabled in the fedora firewall 6)The apache server is started using sudo systemctl start httpd.service. When firefox is used to have Unix2.cgi executed the localhost receives the following error report. Traceback (most recent call last): File /var/www/cgi-bin/myUnix2.cgi, line 37, in module creSockettoServer() File /var/www/cgi-bin/myUnix2.cgi, line 26, in creSockettoServer sys.exit(1) SystemExit: 1 7) The copy process of myUnix2.cgi from my user directory to /var/www/cgi-bin but setting user and group to root with full permissions results in -rwxrwxrwx. 1 root root 987 May 7 18:45 ../../../var/www/cgi-bin/myUnix2.cgi OK, But I sincerely hope the web server is NOT running as root, that would be a security disaster and a crackers paradise! 8)When firefox is used to have Unix2.cgi executed the localhost receives the same error report given under 6). 9) summary since the 'o' permissions are forced to rwx the script should execute no matter what use group are specified? 10) How do I establish neccessary cgi permissions? The problems are not with your script but with the socket you are trying to create, or the path to it. Its those permissions that likely need to be changed. #!/usr/bin/env python import cgi import socket import sys def htmlTop(): print(Content-type:text/html\n\n DOCTYPE html html lang=en head meta charset=utf-8 / title MyServer Template /title /head body) def htmlTail(): print(body/ /html) def creSockettoServer(): sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) server_address = '/home/johnlawton/workspace/myUnixSock/uds_socket' I confess I've never used a socket like this, indeed I was only vaguely aware of their existence! I assume you have previous experience of using UNIX domain sockets (in C?) since there is relatively little tutorial help out there. I've always used sockets for IP and given an IP address to the socket. So I can only guess what's going on in your case. Can I ask what you are trying to do in your program that you need UNIX sockets? Just curious.