
Re: SWS/Apache Config Problem

 
Jack Trachtman
Super Advisor

SWS/Apache Config Problem

I've been using SWS to serve the output from some simple DCL scripts, but would like to be able to run some DCL under my username to give them more privileges. From the Install & Config Gde, it looked like the SUexec option should do it, but it's not working for me.

 

So far:

- In the SWS menu:

--- Enabled SUexec

--- Had SUexec add new Identifiers to my username

 

- Created [APACHE.HTDOCS.SUEXEC.myusername] dir & changed ownership to my username

 

- Added the following  line to httpd.conf & restarted SWS:

ScriptAlias /PGM/  /diskname/APACHE/HTDOCS/SUEXEC/myusername/

 

- Created a simple DCL file in the above dir with SHOW PROCESS cmd

 

When I run the above script (from my browser), it shows the User as still being Apache and not my account, as I expected.

 

What steps have I missed?  TIA

Hoff
Honored Contributor

Re: SWS/Apache Config Problem

Ugly, but I'd probably use DCL DECnet task-to-task http://h71000.www7.hp.com/wizard/wiz_0159.html here.


I'd avoid allowing Apache direct access to anything that I cared about, too.  Keep the access partitioned and keep the potential for damage contained.

Rick_Retterer
Visitor

Re: SWS/Apache Config Problem

The following sections discuss the implementation of suEXEC in the Secure Web Server and provide a simple example.

 

suEXEC Security Model

 

suEXEC in the Secure Web Server uses rights identifiers to indicate authorized users to run suEXEC as well as users to be run via suEXEC.

The Secure Web Server does not use UID/GID minimums to determine the validity of the calling user. Use of the SETUID/SETGID restrictions on the invoked CGI or SSI program is currently not implemented.

suEXEC in the Secure Web Server supports the use of the User and UserDir directives within virtual hosts, and also supports the EXEC CGI mod_include directive.

There are no restrictions on OpenVMS account privileges or MAXSYSGROUP for suEXEC programs.

 

Configuring suEXEC

 

You can configure suEXEC using the configuration utility provided with the installation (SYS$MANAGER:APACHE$CONFIG.COM). This utility allows you to enable or disable the suEXEC feature for a given server.

NOTE: Before you enable suEXEC, be sure that the user accounts that are to be run via suEXEC have been created.
 
  1. To enable suEXEC, run SYS$MANAGER:APACHE$CONFIG.COM and answer Yes to the question about enabling the suEXEC feature.

     

    The suEXEC image is installed with privileges.

    When you enable suEXEC, the following occur:

    • The APACHE$SUEXEC_SRVR and APACHE$SUEXEC_USER rights identifiers are created in the rights database, if they do not already exist.
    • The APACHE$SUEXEC_SRVR rights identifier is granted to the server account, and the user is prompted to enter user accounts that are to be run via suEXEC. These user accounts are granted the APACHE$SUEXEC_USER rights identifier.
    • An suEXEC directory is created within the htdoc root (APACHE$COMMON:[HTDOCS.SUEXEC]) and set with the appropriate default ACEs that allow the Apache server read access to the suEXEC CGI/SSI programs.

    After you have enabled suEXEC, manually perform the following steps:

     

  2. For each user account to be run via suEXEC, create a directory owned by that user under the suEXEC directory. For example, if you create a directory named "user", it will be located in APACHE$COMMON:[HTDOCS.SUEXEC.user].

    NOTE: This is specifically the APACHE$COMMON:[HTDOCS.SUEXEC] directory; do not create the user directory in APACHE$ROOT:[HTDOCS.SUEXEC].

     

    Example DCL/CGI:

    $ create apache$common:[htdocs.suexec.retterer]message.com

     

    $!*********** message.com *******************************
    $!* Created by Rick Retterer - HP Support 2005.
    $!* Demonstrates the use of suEXEC in SWS for OpenVMS
    $!*******************************************************
    $ set noon
    $!
    $ write sys$output f$fao("!AS!/!/", "Content-type: text/plain")
    $ write sys$output f$fao("!AS!/", -
    "CGI test script (message.com) report:")
    $ show process/priv
    $ show system/net
    $ write sys$output f$fao("!AS!/", " ")
    $ write sys$output f$fao("!AS!/", "Current user: ")
    $ show system/process='f$getjpi("","PRCNAM")'
    $ show time
    $ exit
    <CTRL+Z>

     

  3. Within each virtual host configuration, in the httpd.conf file use the Alias or ScriptAlias directive to define a location for the suEXEC CGI/SSI programs to be used.

    Example:

    <VirtualHost _default_:*>
    User retterer
    Group "#320"
    ScriptAlias /retterer/ "/apache$common/htdocs/suexec/retterer/"
    </VirtualHost>

     
    NOTE: To obtain the "Group" id, follow these steps to look it up and convert it from octal to decimal:

     

    $ SET DEFAULT SYS$SYSTEM
    $ MCR AUTHORIZE SHOW RETTERER/Brief

    Owner          Username   UIC        Account  Privs  Pri  Directory
    RICK RETTERER  RETTERER   [500,501]  UXWIL    All    4    SYS$SYSDEVICE:[RETTERER]

    $ x=%o500 ! 500 is the Retterer account group id in octal.
    $ show sym x
    X = 320 Hex = 00000140 Octal = 00000000500

    In the example above, the Group number is 320.

     

  4. Save your changes to the httpd.conf file and Start the Secure Web Server.

    $ @sys$startup:apache$startup

     

  5. Access the CGI file that you have created in the apache$common:[htdocs.suexec.user] sub-directory using your Secure Web Browser.

    URL> http://visual.alf.cpqcorp.net/user/message.com

    *** Output looks similar to this ****

    CGI test script (message.com) report:

    7-APR-2005 16:36:36.31 User: RETTERER Process ID: 0000028B
    Node: VISUAL Process name: "RETTERER_37"

    Authorized privileges:
    NETMBX TMPMBX

    Process privileges:
    NETMBX may create network device
    TMPMBX may create temporary mailbox

    Process rights:
    RETTERER
    APACHE$SUEXEC_USER

    System rights:
    SYS$NODE_VISUA

    Soft CPU Affinity: off
    OpenVMS V8.2 on node VISUAL 7-APR-2005 16:36:36.33 Uptime 0 02:40:15
    Pid Process Name State Pri I/O CPU Page flts Pages
    00000214 TCPIP$FTP_1 LEF 10 189 0 00:00:00.14 847 292 N
    00000216 TCPIP$XDM_1 LEF 10 205 0 00:00:00.13 599 228 N

     

    Current user:

    OpenVMS V8.2 on node VISUAL 7-APR-2005 16:36:36.34 Uptime 0 02:40:15
    Pid Process Name State Pri I/O CPU Page flts Pages
    00000289 RETTERER_10 HIB 1 402 0 00:00:00.15 493 477 S
    0000028B RETTERER_37 CUR 4 162 0 00:00:00.09 494 180 S
    7-APR-2005 16:36:36

     

  6. To disable suEXEC, run SYS$MANAGER:APACHE$CONFIG.COM and answer "No" to the question about enabling the suEXEC feature.

    When you disable suEXEC, the following occur:

    • The suEXEC ACEs are removed from all files within the Apache root.
    • The APACHE$SUEXEC_SRVR rights identifier is revoked from the server account (APACHE$WWW) and the user is prompted about whether to disable all suEXEC servers.
    • The user is prompted about whether to disable all suEXEC users.
    • If no server accounts remain enabled, the APACHE$SUEXEC_SRVR rights identifier is removed from the rights database.
    • If no user accounts remain enabled, the APACHE$SUEXEC_USER rights identifier is removed from the rights database.

Reference

HP's Secure Web Server for OpenVMS Installation/Configuration Guide

 

Rick

Rick Retterer HP Services OpenVMS Support
Jack Trachtman
Super Advisor

Re: SWS/Apache Config Problem

Rick,

 

Thanks for the added info.  I'm not very familiar with Apache config.  I copied your VirtualHost segment to the end of my httpd.conf, changing values where appropriate, but am getting this error on Apache startup:

 

User cannot occur within <VirtualHost> section

 

I read the VirtualHost info on the apache.org web site, but am still confused.

 

Any suggestions?  Thanks

Hoff
Honored Contributor

Re: SWS/Apache Config Problem

1: could you elaborate on what you are confused about — open-ended questions tend to require full documentation sets to answer.  Explaining your confusion can sometimes also possibly help you understand some of the details, and it'll definitely help us narrow down the scope of answers around the Apache configuration files.

 

2: please post your (errant) configuration file, possibly obfuscating domains (consistently!) to example.org, example.net or example.com as necessary, or otherwise masking any sensitive information.

 

The doc that Rick is citing looks odd and it's not something I see referenced in the OpenVMS Apache docs.   (Having to convert octal to decimal was a nice touch, too, but I digress.)

 

Here's what's posted for suEXEC support with 

 

http://h71000.www7.hp.com/openvms/products/ips/apache/csws_iguide_22.pdf

http://h71000.www7.hp.com/openvms/products/ips/apache/csws_iguide_211.html

 

and the @SYS$MANAGER:APACHE$CONFIG tool.

 

Watch out for this bug, too:

 

If suEXEC is enabled in the initial configuration, SWS cannot add a node in a cluster environment. If you enable suEXEC during the initial configuration of SWS or by using Option 4 (Manage suEXEC users) from the SWS Configuration Menu, then Option 10 of the SWS configuration menu (Add a node to CSWS in a cluster environment) fails. As a temporary workaround, use Option 4 to disable suEXEC and use Option 10 to add the node, and then use Option 4 to re-enable suEXEC.

Jack Trachtman
Super Advisor

Re: SWS/Apache Config Problem

Hoff,

 

Looks to me as if Rick took HP's Apache install doc and added some additional notes, which I then tried to use.

 

My httpd.conf file is the original file, with the VirtualHost container that Rick mentioned added to the end.  I have a feeling that simply adding this container is not enough, which is where I'm confused.

 

Here's the end of my httpd.conf file and the error msg I get:

 

...

#
#Include /apache$root/conf/ssl.conf
Include /apache$common/conf/mod_perl.conf
Include /apache$root/conf/mod_php.conf
#
#
<VirtualHost _default_:*>
User myusername
Group "#8"
ScriptAlias /myusernamet/ "/apache$common/htdocs/suexec/myusername/"
</VirtualHost>

 

$ @SYS$STARTUP:APACHE$STARTUP.COM   RESTART
Syntax error on line 1012 of /apache$common/conf/httpd.conf:
User cannot occur within <VirtualHost> section

Rick_Retterer
Visitor

Re: SWS/Apache Config Problem

Gents,

   I used that configuration to set up SWS/Apache for another customer and it worked out very well for him.  However, I haven't tested it with the latest version of SWS/Apache.  Give me a couple of days to work with it and iron out the kinks.  There shouldn't be any reason why you can't use SuExec within a virtual server.  But, I'll have to go back over everything again.  I'll try to have something over the weekend.  I'll be testing this on a 2.2 ECO2 version of SWS, on an I64 RX2620 with OpenVMS 8.4.

 

I'm sorry that my document confused you; that was not my intent.

 

I'll post my results here when I have it worked out.

 


Cheers,

Rick R.

 

Rick Retterer HP Services OpenVMS Support
Hoff
Honored Contributor

Re: SWS/Apache Config Problem

The suEXEC setup in the previously-linked doc is quite different than the configuration-based approach that's been posted here.

I haven't looked to see what's happening underneath that approach; how or if that's modifying the configuration file.

If the procedure-based suEXEC setup approach is blowing up, then there's a bug here, and fodder for an escalation.

Pending resolution, I'd then fall back to DCL DECnet task-to-task, or equivalent.

 

Ugh.  "Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied."  Really?  Other than that there is no HTML in this post?

Rick Retterer
Respected Contributor

Re: SWS/Apache Config Problem

Gents,

    Sorry it has taken me so long to get back to this, but I do have it working again on 2.2 ECO2 of CSWS for OpenVMS I64 and Alpha.

 

There were changes made in 2.2 to what can be used in the <Virtualhost>  container.  The first part of what I posted before remains the same.  I'll include it here for completeness:

 

The following sections discuss the implementation of suEXEC in the Secure Web Server and provide a simple example.

 

suEXEC Security Model

 

suEXEC in the Secure Web Server uses rights identifiers to indicate authorized users to run suEXEC as well as users to be run via suEXEC.

 

The Secure Web Server does not use UID/GID minimums to determine the validity of the calling user. Use of the SETUID/SETGID restrictions on the invoked CGI or SSI program is currently not implemented.

 

suEXEC in the Secure Web Server supports the use of the User and UserDir directives within virtual hosts, and also supports the EXEC CGI mod_include directive.

 

There are no restrictions on OpenVMS account privileges or MAXSYSGROUP for suEXEC programs.

 

Configuring suEXEC

 

You can configure suEXEC using the configuration utility provided with the installation

(SYS$MANAGER:APACHE$CONFIG.COM). This utility allows you to enable or disable the suEXEC feature for a given server.

 
NOTE: Before you enable suEXEC, be sure that the user accounts that are to be run via suEXEC have been created.
 
  1. To enable suEXEC, run SYS$MANAGER:APACHE$CONFIG.COM and answer Yes to the question about enabling the suEXEC feature.

     

    The suEXEC image is installed with privileges.

    When you enable suEXEC, the following occur:

     

    • The APACHE$SUEXEC_SRVR and APACHE$SUEXEC_USER rights identifiers are created in the rights database, if they do not already exist.
    • The APACHE$SUEXEC_SRVR rights identifier is granted to the server account, and the user is prompted to enter user accounts that are to be run via suEXEC. These user accounts are granted the APACHE$SUEXEC_USER rights identifier.
    • An suEXEC directory is created within the htdoc root (APACHE$COMMON:[HTDOCS.SUEXEC]) and set with the appropriate default ACEs that allow the Apache server read access to the suEXEC CGI/SSI programs.

    After you have enabled suEXEC, manually perform the following steps:

     

  2. For each user account to be run via suEXEC, create a directory owned by that user under the suEXEC directory. For example, if you create a directory named "user", it will be located in APACHE$COMMON:[HTDOCS.SUEXEC.user].

    NOTE: This is specifically the APACHE$COMMON:[HTDOCS.SUEXEC] directory; do not create the user directory in APACHE$ROOT:[HTDOCS.SUEXEC].

     

    Example DCL/CGI:

    $ create apache$common:[htdocs.suexec.retterer]message.com

     

    $!*********** message.com *******************************
    $!* Created by Rick Retterer - HP Support 2005.
    $!* Demonstrates the use of suEXEC in SWS for OpenVMS
    $!*******************************************************
    $ set noon
    $!
    $ write sys$output f$fao("!AS!/!/", "Content-type: text/plain")
    $ write sys$output f$fao("!AS!/", -
    "CGI test script (message.com) report:")
    $ show process/priv
    $ show system/net
    $ write sys$output f$fao("!AS!/", " ")
    $ write sys$output f$fao("!AS!/", "Current user: ")
    $ show system/process='f$getjpi("","PRCNAM")'
    $ show time
    $ exit
    <CTRL+Z>

     

  3. Within each virtual host configuration, in the httpd.conf file use the Alias or ScriptAlias directive to define a location for the suEXEC CGI/SSI programs to be used.

     

    For CSWS v2.2 ECO2 here is the syntax to be used:

     

    <Virtualhost>

    ...

    ..

    .

    #User retterer    <<<--- Comment out or remove in CSWS 2.2 ECO2 Servers

    # Group "#320"  <<<--- Comment out or remove in CSWS 2.2 ECO2 Servers

     SuexecUserGroup retterer "#320"
     ScriptAlias /retterer/ "/apache$common/htdocs/suexec/retterer/"
    ...

    ..

    .

    </Virtualhost>

     

    The User and Group Directives have been obsoleted in the Apache 2.0 server.

    (Leave out the User and Group directives, all that is needed is the SuexecUserGroup <username> "<group#>")

     

    NOTE: To obtain the "Group" id, follow these steps to look it up and convert it from octal to decimal:

     

    $ SET DEFAULT SYS$SYSTEM
    $ MCR AUTHORIZE SHOW RETTERER/Brief

     

    Owner          Username   UIC        Account  Privs  Pri  Directory
    RICK RETTERER  RETTERER   [500,501]  UXWIL    All    4    SYS$SYSDEVICE:[RETTERER]

     

    $ x=%o500        ! 500 is the Retterer account group id in octal.
    $ show sym x
    X = 320 Hex = 00000140 Octal = 00000000500

    In the example above, the Group number is 320.

     

    5. BEFORE you save your changes, check to ensure that you have un-commented the "mod_suexec" line in the

    modules section of your httpd.conf file.

     

    Example:

    LoadModule setenvif_module      modules/mod_setenvif.exe
    #LoadModule suexec_module        modules/mod_suexec.exe  <<<-----  Un-Comment this line here.
    LoadModule auth_openvms_module  modules/mod_auth_openvms.exe

    Remove the comment-delimiter (#) from in front of the line that is used to load the suexec module.

     

    Then save your file and exit your editor.

     

    6. You are now ready to stop/restart the Apache Server software.

    $ @sys$startup:apache$shutdown.com

    {wait a few seconds for the server to shutdown and write out the log files}

    $ @sys$startup:apache$startup.com

     

    The CSWS Server will restart cleanly and without any errors.

     

    The rest of the document that I posted before, should be exactly the same from this point forward.

     

    To test that your suEXEC module is working properly, use the URL:

     

    http://ip.address.of.system/retterer/message.com

     

    EXAMPLE:

     

    http://192.168.1.101/retterer/message.com

     

    CGI test script (message.com) report:
    
    
     2-JUN-2014 12:15:51.79   User: RETTERER         Process ID:   0000047A
                              Node: VISUAL           Process name: "RETTERER_10537"
     
    Authorized privileges:
     NETMBX       TMPMBX
     
    Process privileges:
     NETMBX               may create network device
     TMPMBX               may create temporary mailbox
     
    Process rights:
     RETTERER                          
     SMH$ADMIN                         
     APACHE$SUEXEC_USER                
     APACHE$EXECUTE                    
     
    System rights:
     SYS$NODE_VISUAL                   
    OpenVMS V8.4  on node VISUAL    2-JUN-2014 12:15:51.80   Uptime  0 01:29:34
      Pid    Process Name    State  Pri      I/O       CPU       Page flts  Pages
    0000041F EVL             HIB      6       72   0 00:00:00.03       126    148  N
    00000428 TCPIP$FTP_1     LEF     10      744   0 00:00:00.19      3106    696  N
    0000042B TCPIP$METRIC_1  LEF     10      137   0 00:00:00.04       272    236  N
    00000430 TCPIP$SNMP_1    LEF      9     5749   0 00:00:00.24       534    401  N
    00000433 TCPIP$XDM_1     LEF     10      241   0 00:00:00.05       423    375  N
    0000043A TCPIP$SSH_BG166 LEF     10    55392   0 00:00:04.76       776    779  N
                  
    
    Current user: 
    
    OpenVMS V8.4  on node VISUAL    2-JUN-2014 12:15:51.81   Uptime  0 01:29:34
      Pid    Process Name    State  Pri      I/O       CPU       Page flts  Pages
    0000047A RETTERER_10537  CUR   0  4      217   0 00:00:00.05       427    175  S
       2-JUN-2014 12:15:51

     

    As you can see, instead of using APACHE$WWW, the MESSAGE.COM file is executing under my USER ACCOUNT.

     

    I will update my articles on this subject to reflect the new changes for CSWS v2.2 ECO2.

     

    Further information on SUEXEC can be found in the CSWS v2.2 Documentation that is included with the CSWS software.

     

    Let me know if you have any additional Questions.

     

    Cheers,

    Rick R.

     

- Rick Retterer
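A small pre-restart check for the two mistakes this thread turns on (User/Group left inside <VirtualHost> on a 2.2 ECO2 server, and the mod_suexec LoadModule still commented out), together with the octal UIC group to decimal "#nnn" conversion from the note above. This is an added example, not code from the thread or from CSWS: the sample httpd.conf fragments are constructed from what was posted here, and the rules it enforces are assumptions drawn only from the error message and the corrected syntax quoted in this thread.

```python
import re

# CSWS 2.2 ECO2 rejects User/Group inside <VirtualHost>; SuexecUserGroup replaces them
# (assumption based on the startup error and the corrected syntax quoted in this thread).
FORBIDDEN_IN_VHOST = {"user", "group"}


def vms_group_to_apache(uic):
    """Convert the group field of an OpenVMS UIC such as '[500,501]' (octal)
    to the decimal '#nnn' string that SuexecUserGroup expects."""
    m = re.fullmatch(r"\[\s*([0-7]+)\s*,\s*([0-7]+)\s*\]", uic.strip())
    if not m:
        raise ValueError(f"not a numeric UIC: {uic!r}")
    return "#" + str(int(m.group(1), 8))


def lint_httpd_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    suexec_loaded, commented_at = False, None
    in_vhost, vhost_has_suexec = False, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            if re.match(r"#\s*LoadModule\s+suexec_module\b", line):
                commented_at = lineno        # the line the reply says to un-comment
            continue
        words = line.split()
        directive = words[0].lower()
        if directive == "loadmodule" and len(words) > 1 and words[1] == "suexec_module":
            suexec_loaded = True
        elif directive.startswith("<virtualhost"):
            in_vhost, vhost_has_suexec = True, False
        elif directive.startswith("</virtualhost"):
            if not vhost_has_suexec:
                findings.append(f"line {lineno}: <VirtualHost> closes without SuexecUserGroup")
            in_vhost = False
        elif in_vhost and directive in FORBIDDEN_IN_VHOST:
            # the exact startup error the original poster hit
            findings.append(f"line {lineno}: {words[0]} cannot occur within <VirtualHost> section")
        elif in_vhost and directive == "suexecusergroup":
            vhost_has_suexec = True
            if len(words) != 3 or not re.fullmatch(r'"?#\d+"?', words[2]):
                findings.append(f'line {lineno}: SuexecUserGroup needs <user> "#<decimal group>"')
    if not suexec_loaded:
        hint = f" (commented out at line {commented_at})" if commented_at else ""
        findings.append("mod_suexec is never loaded" + hint)
    return findings


# Constructed samples: the fragment that failed on the poster's server, and the
# same virtual host rewritten with the 2.2 ECO2 syntax from the reply.
BROKEN_CONF = """\
#LoadModule suexec_module        modules/mod_suexec.exe
<VirtualHost _default_:*>
User myusername
Group "#8"
ScriptAlias /myusername/ "/apache$common/htdocs/suexec/myusername/"
</VirtualHost>
"""
FIXED_CONF = BROKEN_CONF.replace("#LoadModule", "LoadModule").replace(
    'User myusername\nGroup "#8"', 'SuexecUserGroup myusername "#8"')

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_httpd_conf(conf) or ["OK"])
```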



Jack Trachtman
Super Advisor

Re: SWS/Apache Config Problem

Rick, thanks for the update.

 

Still not working for me.  Getting a "The requested URL /username/message.com was not found on this server" err.

 

Steps:

 

- Uncommented "#LoadModule suexec_module        modules/mod_suexec.exe"

 

- testing with a username with UIC [10,n]

 

- created dir as directed

 

- added the following to the end of the vanilla httpd.conf file:

 

<VirtualHost>
SuexecUserGroup username "#8"
ScriptAlias /username/ "/apache$common/htdocs/suexec/username/"
</VirtualHost>

 

No displayed errors on Apache startup.  No errors in Apache log files.

 

Seems like I'm missing something obvious.