Обсуждение: apache permission denied
Using RHEL 5, with Postgresql 8.1, Apache, mod_perl, mod_auth_pgsql,
DBI, DBD::Pg
Perl cgi scripts that access the database get the following in httpd
error_log:
DBI connect('dbname=db','',...) failed: could not connect to server:
Permission denied
A direct test with a simple SQL command in the file, "command"
# sudo -u apache psql db < command
psql: FATAL: role "apache" is not permitted to log in
At the psql command line, \z shows
apache=arwdRxt
for all tables
And httpd.conf definitely has
User apache
Group apache
I have restarted httpd and postmaster and the machine. These scripts
work with postgresql 7x, but the grant syntax is different in 8x, so I
wonder if the problem is how to grant apache privileges, or some extra
step I'm missing.
Am Donnerstag, 10. Juli 2008 schrieb Chris Cosner:
> Using RHEL 5, with Postgresql 8.1, Apache, mod_perl, mod_auth_pgsql,
> DBI, DBD::Pg
>
> Perl cgi scripts that access the database get the following in httpd
> error_log:
> DBI connect('dbname=db','',...) failed: could not connect to server:
> Permission denied
An strace of the program would probably give definite insight, but "Permission
denied" sounds to me like a file system error message. Possibly, you don't
have proper permissions (at least u+x) on the socket file (in (/tmp). But
you would have to have done serious "customization" to get to that state.
Mayb you have some fancy security configured around your Apache instance?
> A direct test with a simple SQL command in the file, "command"
> # sudo -u apache psql db < command
> psql: FATAL: role "apache" is not permitted to log in
That is a different issue, which the DBI route above would likely also
complain about if it managed to get by the Permission denied stage.
> At the psql command line, \z shows
> apache=arwdRxt
> for all tables
That is yet another different issue :) which will only matter once the apache
role manages to log in and try to read a table.
> And httpd.conf definitely has
> User apache
> Group apache
>
> I have restarted httpd and postmaster and the machine. These scripts
> work with postgresql 7x, but the grant syntax is different in 8x, so I
> wonder if the problem is how to grant apache privileges, or some extra
> step I'm missing.
Note that "postgresql 7x" and "8x" are about as useful classifications
as "Linux 1" and "Linux 2". Please be more precise. Yes, somewhere along
the line the syntax did change, but if that were the problem, you would get
an error message about it.
Peter Eisentraut wrote:
> Am Donnerstag, 10. Juli 2008 schrieb Chris Cosner:
>> Using RHEL 5, with Postgresql 8.1, Apache, mod_perl, mod_auth_pgsql,
>> DBI, DBD::Pg
>>
>> Perl cgi scripts that access the database get the following in httpd
>> error_log:
>> DBI connect('dbname=db','',...) failed: could not connect to server:
>> Permission denied
>
> An strace of the program would probably give definite insight, but "Permission
> denied" sounds to me like a file system error message. Possibly, you don't
> have proper permissions (at least u+x) on the socket file (in (/tmp). But
> you would have to have done serious "customization" to get to that state.
> Mayb you have some fancy security configured around your Apache instance?
>
Thanks--SELinux was in fact enabled, and when I set it to permissive
(i.e., audit only), httpd error_log now gives a login error:
DBI connect('dbname=db','',...) failed: FATAL: role "apache" is not
permitted to log in at /home/www/cgi-bin/db.lib line 1635
The postgresql version is 8.1.11
On Thu, 2008-07-10 at 11:49 -0700, Chris Cosner wrote:
> DBI connect('dbname=db','',...) failed: FATAL: role "apache" is not
> permitted to log in at /home/www/cgi-bin/db.lib line 1635
What about:
ALTER ROLE apache LOGIN;
-HTH.
--
Devrim GÜNDÜZ
devrim~gunduz.org, devrim~PostgreSQL.org, devrim.gunduz~linux.org.tr
http://www.gunduz.org
Вложения
ALTER ROLE apache LOGIN
It now works! Thank you Devrim and Peter for your help.
Devrim GÜNDÜZ wrote:
> On Thu, 2008-07-10 at 11:49 -0700, Chris Cosner wrote:
>> DBI connect('dbname=db','',...) failed: FATAL: role "apache" is not
>> permitted to log in at /home/www/cgi-bin/db.lib line 1635
>
> What about:
>
> ALTER ROLE apache LOGIN;
>
> -HTH.