Обсуждение: apache permission denied
Using RHEL 5, with Postgresql 8.1, Apache, mod_perl, mod_auth_pgsql, DBI, DBD::Pg Perl cgi scripts that access the database get the following in httpd error_log: DBI connect('dbname=db','',...) failed: could not connect to server: Permission denied A direct test with a simple SQL command in the file, "command" # sudo -u apache psql db < command psql: FATAL: role "apache" is not permitted to log in At the psql command line, \z shows apache=arwdRxt for all tables And httpd.conf definitely has User apache Group apache I have restarted httpd and postmaster and the machine. These scripts work with postgresql 7x, but the grant syntax is different in 8x, so I wonder if the problem is how to grant apache privileges, or some extra step I'm missing.
Am Donnerstag, 10. Juli 2008 schrieb Chris Cosner: > Using RHEL 5, with Postgresql 8.1, Apache, mod_perl, mod_auth_pgsql, > DBI, DBD::Pg > > Perl cgi scripts that access the database get the following in httpd > error_log: > DBI connect('dbname=db','',...) failed: could not connect to server: > Permission denied An strace of the program would probably give definite insight, but "Permission denied" sounds to me like a file system error message. Possibly, you don't have proper permissions (at least u+x) on the socket file (in (/tmp). But you would have to have done serious "customization" to get to that state. Mayb you have some fancy security configured around your Apache instance? > A direct test with a simple SQL command in the file, "command" > # sudo -u apache psql db < command > psql: FATAL: role "apache" is not permitted to log in That is a different issue, which the DBI route above would likely also complain about if it managed to get by the Permission denied stage. > At the psql command line, \z shows > apache=arwdRxt > for all tables That is yet another different issue :) which will only matter once the apache role manages to log in and try to read a table. > And httpd.conf definitely has > User apache > Group apache > > I have restarted httpd and postmaster and the machine. These scripts > work with postgresql 7x, but the grant syntax is different in 8x, so I > wonder if the problem is how to grant apache privileges, or some extra > step I'm missing. Note that "postgresql 7x" and "8x" are about as useful classifications as "Linux 1" and "Linux 2". Please be more precise. Yes, somewhere along the line the syntax did change, but if that were the problem, you would get an error message about it.
Peter Eisentraut wrote: > Am Donnerstag, 10. Juli 2008 schrieb Chris Cosner: >> Using RHEL 5, with Postgresql 8.1, Apache, mod_perl, mod_auth_pgsql, >> DBI, DBD::Pg >> >> Perl cgi scripts that access the database get the following in httpd >> error_log: >> DBI connect('dbname=db','',...) failed: could not connect to server: >> Permission denied > > An strace of the program would probably give definite insight, but "Permission > denied" sounds to me like a file system error message. Possibly, you don't > have proper permissions (at least u+x) on the socket file (in (/tmp). But > you would have to have done serious "customization" to get to that state. > Mayb you have some fancy security configured around your Apache instance? > Thanks--SELinux was in fact enabled, and when I set it to permissive (i.e., audit only), httpd error_log now gives a login error: DBI connect('dbname=db','',...) failed: FATAL: role "apache" is not permitted to log in at /home/www/cgi-bin/db.lib line 1635 The postgresql version is 8.1.11
On Thu, 2008-07-10 at 11:49 -0700, Chris Cosner wrote: > DBI connect('dbname=db','',...) failed: FATAL: role "apache" is not > permitted to log in at /home/www/cgi-bin/db.lib line 1635 What about: ALTER ROLE apache LOGIN; -HTH. -- Devrim GÜNDÜZ devrim~gunduz.org, devrim~PostgreSQL.org, devrim.gunduz~linux.org.tr http://www.gunduz.org
Вложения
ALTER ROLE apache LOGIN It now works! Thank you Devrim and Peter for your help. Devrim GÜNDÜZ wrote: > On Thu, 2008-07-10 at 11:49 -0700, Chris Cosner wrote: >> DBI connect('dbname=db','',...) failed: FATAL: role "apache" is not >> permitted to log in at /home/www/cgi-bin/db.lib line 1635 > > What about: > > ALTER ROLE apache LOGIN; > > -HTH.