05-22-2014 11:39 AM
SWS/Apache Config Problem
I've been using SWS to serve the output from some simple DCL scripts, but would like to be able to run some DCL under my username to give them more privileges. From the Install & Config Gde, it looked like the SUexec option should do it, but it's not working for me.
So far:
- In the SWS menu:
--- Enabled SUexec
--- Had SUexec add new Identifiers to my username
- Created [APACHE.HTDOCS.SUEXEC.myusername] dir & changed ownership to my username
- Added the following line to httpd.conf & restarted SWS:
ScriptAlias /PGM/ /diskname/APACHE/HTDOCS/SUEXEC/myusername/
- Created a simple DCL file in the above dir with SHOW PROCESS cmd
When I run the above script (from my browser), it shows the User as still being Apache and not my account, as I expected.
What steps have I missed? TIA
05-22-2014 04:14 PM
Re: SWS/Apache Config Problem
Ugly, but I'd probably use DCL DECnet task-to-task http://h71000.www7.hp.com/wizard/wiz_0159.html here.
I'd avoid allowing Apache direct access to anything that I cared about, too. Keep the access partitioned and keep the potential for damage contained.
05-23-2014 07:22 PM
Re: SWS/Apache Config Problem
The following sections discuss the implementation of suEXEC in the Secure Web Server and provide a simple example.
suEXEC Security Model
suEXEC in the Secure Web Server uses rights identifiers to indicate authorized users to run suEXEC as well as users to be run via suEXEC.
The Secure Web Server does not use UID/GID minimums to determine the validity of the calling user. Use of the SETUID/SETGID restrictions on the invoked CGI or SSI program is currently not implemented.
suEXEC in the Secure Web Server supports the use of the User and UserDir directives within virtual hosts, and also supports the EXEC CGI mod_include directive.
There are no restrictions on OpenVMS account privileges or MAXSYSGROUP for suEXEC programs.
Configuring suEXEC
You can configure suEXEC using the configuration utility provided with the installation (SYS$MANAGER:APACHE$CONFIG.COM). This utility allows you to enable or disable the suEXEC feature for a given server.
To enable suEXEC, run SYS$MANAGER:APACHE$CONFIG.COM and answer Yes to the question about enabling the suEXEC feature.
The suEXEC image is installed with privileges.
When you enable suEXEC, the following occur:
- The APACHE$SUEXEC_SRVR and APACHE$SUEXEC_USER rights identifiers are created in the rights database, if they do not already exist.
- The APACHE$SUEXEC_SRVR rights identifier is granted to the server account, and the user is prompted to enter user accounts that are to be run via suEXEC. These user accounts are granted the APACHE$SUEXEC_USER rights identifier.
- An suEXEC directory is created within the htdoc root (APACHE$COMMON:[HTDOCS.SUEXEC]) and set with the appropriate default ACEs that allow the Apache server read access to the suEXEC CGI/SSI programs.
After you have enabled suEXEC, manually perform the following steps:
For each user account to be run via suEXEC, create a directory owned by that user under the suEXEC directory. For example, if you create a directory named "user", it will be located in APACHE$COMMON:[HTDOCS.SUEXEC.user].
NOTE: This is specifically the APACHE$COMMON:[HTDOCS.SUEXEC] directory; do not create the user directory in APACHE$ROOT:[HTDOCS.SUEXEC].
Example DCL/CGI:
$ create apache$common:[htdocs.suexec.retterer]message.com
$!*********** message.com *******************************
$!* Created by Rick Retterer - HP Support 2005.
$!* Demonstrates the use of suEXEC in SWS for OpenVMS
$!*******************************************************
$ set noon
$!
$ write sys$output f$fao("!AS!/!/", "Content-type: text/plain")
$ write sys$output f$fao("!AS!/", -
"CGI test script (mess.com) report:")
$ show process/priv
$ show system/net
$ write sys$output f$fao("!AS!/", " ")
$ write sys$output f$fao("!AS!/", "Current user: ")
$ show system/process='f$getjpi("","PRCNAM")'
$ show time
$ exit
<CTRL+Z>
Within each virtual host configuration, in the httpd.conf file use the Alias or ScriptAlias directive to define a location for the suEXEC CGI/SSI programs to be used.
Example:
<VirtualHost _default_:*>
User retterer
Group "#320"
ScriptAlias /retterer/ "/apache$common/htdocs/suexec/retterer/"
</VirtualHost>
NOTE: To obtain the "Group" id, follow these steps to obtain it and convert it from octal to decimal:
$ SET DEFAULT SYS$SYSTEM
$ MCR AUTHORIZE SHOW RETTERER/Brief
Owner Username UIC Account Privs Pri Directory
RICK RETTERER RETTERER [500,501] UXWIL All 4 SYS$SYSDEVICE:[RETTERER]
$ x=%o500 ! 500 is the Retterer account group id in octal.
$ show sym x
X = 320 Hex = 00000140 Octal = 00000000500
In the example above, the Group number is 320.
Save your changes to the httpd.conf file and Start the Secure Web Server.
$ @sys$startup:apache$startup
Access the CGI file that you have created in the apache$common:[htdocs.suexec.user] sub-directory using your Secure Web Browser.
URL> http://visual.alf.cpqcorp.net/user/message.com
*** Output looks similar to this ****
CGI test script (message.com) report:
7-APR-2005 16:36:36.31 User: RETTERER Process ID: 0000028B
Node: VISUAL Process name: "RETTERER_37"
Authorized privileges:
NETMBX TMPMBX
Process privileges:
NETMBX may create network device
TMPMBX may create temporary mailbox
Process rights:
RETTERER
APACHE$SUEXEC_USER
System rights:
SYS$NODE_VISUA
Soft CPU Affinity: off
OpenVMS V8.2 on node VISUAL 7-APR-2005 16:36:36.33 Uptime 0 02:40:15
Pid Process Name State Pri I/O CPU Page flts Pages
00000214 TCPIP$FTP_1 LEF 10 189 0 00:00:00.14 847 292 N
00000216 TCPIP$XDM_1 LEF 10 205 0 00:00:00.13 599 228 N
Current user:
OpenVMS V8.2 on node VISUAL 7-APR-2005 16:36:36.34 Uptime 0 02:40:15
Pid Process Name State Pri I/O CPU Page flts Pages
00000289 RETTERER_10 HIB 1 402 0 00:00:00.15 493 477 S
0000028B RETTERER_37 CUR 4 162 0 00:00:00.09 494 180 S
7-APR-2005 16:36:36
To disable suEXEC, run SYS$MANAGER:APACHE$CONFIG.COM and answer "No" to the question about enabling the suEXEC feature.
When you disable suEXEC, the following occur:
- The suEXEC ACEs are removed from all files within the Apache root.
- The APACHE$SUEXEC_SRVR rights identifier is revoked from the server account (APACHE$WWW) and the user is prompted about whether to disable all suEXEC servers.
- The user is prompted about whether to disable all suEXEC users.
- If no server accounts remain enabled, the APACHE$SUEXEC_SRVR rights identifier is removed from the rights database.
- If no user accounts remain enabled, the APACHE$SUEXEC_USER rights identifier is removed from the rights database.
Reference
HP's Secure Web Server for OpenVMS Installation/Configuration Guide
Rick
05-27-2014 10:44 AM
Re: SWS/Apache Config Problem
Rick,
Thanks for the added info. I'm not very familiar with Apache config. I copied your VirtualHost segment to the end of my httpd.conf, changing values where appropriate, but am getting this error on Apache startup:
User cannot occur within <VirtualHost> section
I read the VirtualHost info on the apache.org web site, but am still confused.
Any suggestions? Thanks
05-27-2014 02:14 PM
Re: SWS/Apache Config Problem
1: could you elaborate on what you are confused about — open-ended questions tend to require full documentation sets to answer. Explaining your confusion can sometimes also possibly help you understand some of the details, and it'll definitely help us narrow down the scope of answers around the Apache configuration files.
2: please post your (errant) configuration file, possibly obfuscating domains (consistently!) to example.org, example.net or example.com as necessary, or otherwise masking any sensitive information.
The doc that Rick is citing looks odd and it's not something I see referenced in the OpenVMS Apache docs. (Having to convert octal to decimal was a nice touch, too, but I digress.)
Here's what's posted for suEXEC support with
http://h71000.www7.hp.com/openvms/products/ips/apache/csws_iguide_22.pdf
http://h71000.www7.hp.com/openvms/products/ips/apache/csws_iguide_211.html
and the @SYS$MANAGER:APACHE$CONFIG tool.
Watch out for this bug, too:
If suEXEC is enabled in the initial configuration, SWS cannot add a node in a cluster environment
If you enable suEXEC during the initial configuration of SWS or by using Option 4 (Manage suEXEC users) from the SWS Configuration Menu, then Option 10 of the SWS configuration menu (Add a node to CSWS in a cluster environment) fails. As a temporary workaround, use Option 4 to disable suEXEC and use Option 10 to add the node, and then use Option 4 to re-enable suEXEC.
05-28-2014 03:20 PM
Re: SWS/Apache Config Problem
Hoff,
Looks to me as if Rick took HP's Apache install doc and added some additional notes, which I then tried to use.
My httpd.conf file is the original file, with the VirtualHost container that Rick mentioned added to the end. I have a feeling that simply adding this container is not enough, which is where I'm confused.
Here's the end of my httpd.conf file and the error msg I get:
...
#
#Include /apache$root/conf/ssl.conf
Include /apache$common/conf/mod_perl.conf
Include /apache$root/conf/mod_php.conf
#
#
<VirtualHost _default_:*>
User myusername
Group "#8"
ScriptAlias /myusernamet/ "/apache$common/htdocs/suexec/myusername/"
</VirtualHost>
$ @SYS$STARTUP:APACHE$STARTUP.COM RESTART
Syntax error on line 1012 of /apache$common/conf/httpd.conf:
User cannot occur within <VirtualHost> section
05-29-2014 05:19 PM
Re: SWS/Apache Config Problem
Gents,
I used that configuration to set up SWS/Apache for another customer and it worked out very well for him. However, I haven't tested it with the latest version of SWS/Apache. Give me a couple of days to work with it and iron out the kinks. There shouldn't be any reason why you can't use SuExec within a virtual server. But, I'll have to go back over everything again. I'll try to have something over the weekend. I'll be testing this on a 2.2 ECO2 version of SWS, on an I64 RX2620 with OpenVMS 8.4.
I'm sorry that my document confused you; that was not my intent.
I'll post my results here when I have it worked out.
Cheers,
Rick R.
05-30-2014 04:30 PM
Re: SWS/Apache Config Problem
The suEXEC setup in the previously-linked doc is quite different than the configuration-based approach that's been posted here.
I haven't looked to see what's happening underneath that approach; how or if that's modifying the configuration file.
If the procedure-based suEXEC setup approach is blowing up, then there's a bug here, and fodder for an escalation.
Pending resolution, I'd then fall back to DCL DECnet task-to-task, or equivalent.
Ugh. "Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied." Really? Other than that there is no HTML in this post?
06-02-2014 09:29 AM
Re: SWS/Apache Config Problem
Gents,
Sorry it has taken me so long to get back to this, but I do have it working again on 2.2 ECO2 of CSWS for OpenVMS I64 and Alpha.
There were changes made in 2.2 to what can be used in the <Virtualhost> container. The first part of what I posted before remains the same. I'll include it here for completeness:
The following sections discuss the implementation of suEXEC in the Secure Web Server and provide a simple example.
suEXEC Security Model
suEXEC in the Secure Web Server uses rights identifiers to indicate authorized users to run suEXEC as well as users to be run via suEXEC.
The Secure Web Server does not use UID/GID minimums to determine the validity of the calling user. Use of the SETUID/SETGID restrictions on the invoked CGI or SSI program is currently not implemented.
suEXEC in the Secure Web Server supports the use of the User and UserDir directives within virtual hosts, and also supports the EXEC CGI mod_include directive.
There are no restrictions on OpenVMS account privileges or MAXSYSGROUP for suEXEC programs.
Configuring suEXEC
You can configure suEXEC using the configuration utility provided with the installation (SYS$MANAGER:APACHE$CONFIG.COM). This utility allows you to enable or disable the suEXEC feature for a given server.
To enable suEXEC, run SYS$MANAGER:APACHE$CONFIG.COM and answer Yes to the question about enabling the suEXEC feature.
The suEXEC image is installed with privileges.
When you enable suEXEC, the following occur:
- The APACHE$SUEXEC_SRVR and APACHE$SUEXEC_USER rights identifiers are created in the rights database, if they do not already exist.
- The APACHE$SUEXEC_SRVR rights identifier is granted to the server account, and the user is prompted to enter user accounts that are to be run via suEXEC. These user accounts are granted the APACHE$SUEXEC_USER rights identifier.
- An suEXEC directory is created within the htdoc root (APACHE$COMMON:[HTDOCS.SUEXEC]) and set with the appropriate default ACEs that allow the Apache server read access to the suEXEC CGI/SSI programs.
After you have enabled suEXEC, manually perform the following steps:
For each user account to be run via suEXEC, create a directory owned by that user under the suEXEC directory. For example, if you create a directory named "user", it will be located in APACHE$COMMON:[HTDOCS.SUEXEC.user].
NOTE: This is specifically the APACHE$COMMON:[HTDOCS.SUEXEC] directory; do not create the user directory in APACHE$ROOT:[HTDOCS.SUEXEC].
Example DCL/CGI:
$ create apache$common:[htdocs.suexec.retterer]message.com
$!*********** message.com *******************************
$!* Created by Rick Retterer - HP Support 2005.
$!* Demonstrates the use of suEXEC in SWS for OpenVMS
$!*******************************************************
$ set noon
$!
$ write sys$output f$fao("!AS!/!/", "Content-type: text/plain")
$ write sys$output f$fao("!AS!/", -
"CGI test script (mess.com) report:")
$ show process/priv
$ show system/net
$ write sys$output f$fao("!AS!/", " ")
$ write sys$output f$fao("!AS!/", "Current user: ")
$ show system/process='f$getjpi("","PRCNAM")'
$ show time
$ exit
<CTRL+Z>
Within each virtual host configuration, in the httpd.conf file use the Alias or ScriptAlias directive to define a location for the suEXEC CGI/SSI programs to be used.
For CSWS v2.2 ECO2 here is the syntax to be used:
<Virtualhost>
...
..
.
#User retterer <<<--- Comment out or remove in CSWS 2.2 ECO2 Servers
# Group "#320" <<<--- Comment out or remove in CSWS 2.2 ECO2 Servers
SuexecUserGroup retterer "#320"
ScriptAlias /retterer/ "/apache$common/htdocs/suexec/retterer/"
.....
.
</Virtualhost>
The User and Group Directives have been obsoleted in the Apache 2.0 server.
(Leave out the User and Group directives, all that is needed is the SuexecUserGroup <username> "<group#>")
NOTE: To obtain the "Group" id, follow these steps to obtain it and convert it from octal to decimal:
$ SET DEFAULT SYS$SYSTEM
$ MCR AUTHORIZE SHOW RETTERER/Brief
Owner Username UIC Account Privs Pri Directory
RICK RETTERER RETTERER [500,501] UXWIL All 4 SYS$SYSDEVICE:[RETTERER]
$ x=%o500 ! 500 is the Retterer account group id in octal.
$ show sym x
X = 320 Hex = 00000140 Octal = 00000000500
In the example above, the Group number is 320.
5. BEFORE you save your changes, check to ensure that you have un-commented the "mod_suexec" line in the modules section of your httpd.conf file.
Example:
LoadModule setenvif_module modules/mod_setenvif.exe
#LoadModule suexec_module modules/mod_suexec.exe <<<----- Un-Comment this line here.
LoadModule auth_openvms_module modules/mod_auth_openvms.exe
Remove the comment-delimiter (#) from in front of the line that is used to load the suexec module.
Then save your file and exit your editor.
6. You are now ready to stop/restart the Apache Server software.
$ @sys$startup:apache$shutdown.com
{wait a few seconds for the server to shutdown and write out the log files}
$ @sys$startup:apache$startup.com
The CSWS Server will restart cleanly and without any errors.
The rest of the document that I posted before should be exactly the same from this point forward.
To test that your Suexec module is working properly, use the URL:
http://ip.address.of.system/retterer/message.com
EXAMPLE:
http://192.168.1.101/retterer/message.com
CGI test script (message.com) report:
2-JUN-2014 12:15:51.79 User: RETTERER Process ID: 0000047A
Node: VISUAL Process name: "RETTERER_10537"
Authorized privileges:
NETMBX TMPMBX
Process privileges:
NETMBX may create network device
TMPMBX may create temporary mailbox
Process rights:
RETTERER
SMH$ADMIN
APACHE$SUEXEC_USER
APACHE$EXECUTE
System rights:
SYS$NODE_VISUAL
OpenVMS V8.4 on node VISUAL 2-JUN-2014 12:15:51.80 Uptime 0 01:29:34
Pid Process Name State Pri I/O CPU Page flts Pages
0000041F EVL HIB 6 72 0 00:00:00.03 126 148 N
00000428 TCPIP$FTP_1 LEF 10 744 0 00:00:00.19 3106 696 N
0000042B TCPIP$METRIC_1 LEF 10 137 0 00:00:00.04 272 236 N
00000430 TCPIP$SNMP_1 LEF 9 5749 0 00:00:00.24 534 401 N
00000433 TCPIP$XDM_1 LEF 10 241 0 00:00:00.05 423 375 N
0000043A TCPIP$SSH_BG166 LEF 10 55392 0 00:00:04.76 776 779 N
Current user:
OpenVMS V8.4 on node VISUAL 2-JUN-2014 12:15:51.81 Uptime 0 01:29:34
Pid Process Name State Pri I/O CPU Page flts Pages
0000047A RETTERER_10537 CUR 0 4 217 0 00:00:00.05 427 175 S
2-JUN-2014 12:15:51
As you can see, instead of using APACHE$WWW, the MESSAGE.COM file is executing under my USER ACCOUNT.
I will update my articles on this subject to reflect the new changes for CSWS v2.2 ECO2
Further information on SUEXEC can be found in the CSWS v2.2 Documentation that is included with the CSWS software.
Let me know if you have any additional Questions.
Cheers,
Rick R.
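An added example, not part of Rick's post or of HP's documentation: a small Python check for the mistakes this thread runs into (User/Group left inside a VirtualHost container, a commented-out mod_suexec line, a group number not converted from the octal UIC). The function names and the sample configuration are constructed for illustration, and the rules assume CSWS 2.2 behaves as described in the post above.

```python
import re

# Constructed sample: the tail of an httpd.conf in the pre-2.2 style from this thread.
SAMPLE_CONF = '''\
LoadModule setenvif_module modules/mod_setenvif.exe
#LoadModule suexec_module modules/mod_suexec.exe
<VirtualHost _default_:*>
User retterer
Group "#320"
ScriptAlias /retterer/ "/apache$common/htdocs/suexec/retterer/"
</VirtualHost>
'''

def uic_group_decimal(uic):
    """Decimal value of the group field of a numeric OpenVMS UIC such as "[500,501]".
    AUTHORIZE shows the fields in octal; httpd.conf takes "#<decimal>"."""
    m = re.fullmatch(r"\[\s*([0-7]+)\s*,\s*[0-7]+\s*\]", uic.strip())
    if not m:
        raise ValueError("not a numeric UIC: %r" % uic)
    return int(m.group(1), 8)

def lint_suexec(conf_text, uic):
    """Return (line_number, message) findings; line 0 means a file-wide finding."""
    want = "#%d" % uic_group_decimal(uic)
    findings, in_vhost, module_loaded, saw_sug = [], False, False, False
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out, including a commented LoadModule
        words = line.split()
        key = words[0].lower()
        if key.startswith("<virtualhost"):
            in_vhost = True
        elif key.startswith("</virtualhost"):
            in_vhost = False
        elif key == "loadmodule" and len(words) > 1 and words[1] == "suexec_module":
            module_loaded = True
        elif key in ("user", "group") and in_vhost:
            # CSWS 2.2 rejects these here ("User cannot occur within <VirtualHost>")
            findings.append((n, "%s inside <VirtualHost>; use SuexecUserGroup" % words[0]))
        elif key == "suexecusergroup":
            saw_sug = True
            group = words[2].strip('"') if len(words) > 2 else ""
            if group != want:
                findings.append((n, "group %r should be %r for UIC %s" % (group, want, uic)))
    if not module_loaded:
        findings.append((0, "suexec_module LoadModule line is missing or commented out"))
    if not saw_sug:
        findings.append((0, "no SuexecUserGroup directive found"))
    return findings

if __name__ == "__main__":
    for lineno, msg in lint_suexec(SAMPLE_CONF, "[500,501]"):
        print(lineno, msg)
```
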
06-05-2014 01:40 PM
Re: SWS/Apache Config Problem
Rick, thanks for the update.
Still not working for me. Getting a "The requested URL /username/message.com was not found on this server" err.
Steps:
- Uncommented "#LoadModule suexec_module modules/mod_suexec.exe"
- testing with a username with UIC [10,n]
- created dir as directed
- added the following to the end of the vanilla httpd.conf file:
<VirtualHost>
SuexecUserGroup username "#8"
ScriptAlias /username/ "/apache$common/htdocs/suexec/username/"
</VirtualHost>
No displayed errors on Apache startup. No errors in Apache log files.
Seems like I'm missing something obvious.