Fossil User Forum

Apache CGI error "read permission denied for repository"
Login

Apache CGI error "read permission denied for repository"

Chronological

Apache CGI error "read permission denied for repository"

(1) By Kevin (kevgrig) on 2021-06-25 01:08:41 [link] [source]

Hi, I'm following the Cookbook recipe on configuring Apache CGI at the root of a website but I receive an HTTP 500 and the following error in the httpd log:

[Fri Jun 25 00:51:56.149459 2021] [cgid:error] [pid 3519:tid 3729] [client 69.110.60.183:44170] read permission denied for repository /var/lib/fossil/example.fossil: /var/www/cgi-bin/fossil.cgi

The CGI file is:

$ ls -l /var/www/cgi-bin/fossil.cgi
-rwxr-xr-x. 1 apache apache 72 Jun 25 00:43 /var/www/cgi-bin/fossil.cgi
$ cat /var/www/cgi-bin/fossil.cgi 
#!/usr/bin/fossil
repository: /var/lib/fossil/example.fossil

The fossil repository is:

$ ls -l /var/lib/fossil/example.fossil 
-rwxrwxrwx. 1 apache apache 229376 Jun 24 23:43 /var/lib/fossil/example.fossil
$ file /var/lib/fossil/example.fossil
/var/lib/fossil/example.fossil: SQLite 3.x database (Fossil repository), last written using SQLite version 3034001

The parent directories of both have execute permission:

$ ls -ld /var
drwxr-xr-x. 20 root root 4096 Jun 24 23:39 /var
$ ls -ld /var/www
drwxr-xr-x. 4 root root 4096 Jun 24 23:39 /var/www
$ ls -ld /var/www/cgi-bin/
drwxr-xr-x. 2 root root 4096 Jun 25 00:43 /var/www/cgi-bin/
$ ls -ld /var/lib/
drwxr-xr-x. 26 root root 4096 Jun 24 23:58 /var/lib/
$ ls -ld /var/lib/fossil/
drwxr-xr-x. 2 root root 4096 Jun 24 23:43 /var/lib/fossil/

I tried to strace the httpd process but it uses Unix sockets to spawn the CGI program and I don't know how to strace that:

3729  00:51:56.114676 openat(AT_FDCWD, "/var/www/cgi-bin/fossil.cgi", O_RDONLY|O_CLOEXEC) = 26
3729  00:51:56.114716 read(26, "#!/usr/bin/fossil\nrepository: /v"..., 4096) = 72
3729  00:51:56.114848 close(26)         = 0
3729  00:51:56.114899 socket(AF_UNIX, SOCK_STREAM, 0) = 26
3729  00:51:56.114952 connect(26, {sa_family=AF_UNIX, sun_path="/etc/httpd/run/cgisock.3515"}, 29) = 0
3729  00:51:56.115268 sendmsg(26, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\1\0\0\0\0\0\0\0\230\0\0\0\0\0\0\0\273\r\0\0=\0\0\0\377\377\377\377\377\377\377\377"..., iov_len=152}, {iov_base="/var/www/cgi-bin/fossil.cgi", iov_len
=27}, {iov_base="/var/www/cgi-bin/fossil.cgi", iov_len=27}, {iov_base="/", iov_len=1}], msg_iovlen=4, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, cmsg_data=[25]}], msg_controllen=24, msg_flags=0}, 0) = 207

Apache configuration uses:

<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
</Directory>

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/tmp/.*$
RewriteCond %{REQUEST_URI} !^/cgi-bin/.*$
RewriteRule ^(.*)$ /var/www/cgi-bin/fossil.cgi/$1 [T=application/x-httpd-cgi]

I restarted Apache. This is on a fresh Fedora 34 x64 on Digital Ocean.

I added cgi-debug: /tmp/fossil.log to the CGI program but /tmp/fossil.log was not produced after refreshing.

The shebang of the CGI script points to the following which seems to be fine:

$ /usr/bin/fossil version
This is fossil version 2.14 [487776dc45] 2021-01-20 15:34:40 UTC

Any ideas?

(2) By Kevin (kevgrig) on 2021-06-25 01:42:18 in reply to 1 [link] [source]

By stracing all httpd processes, I can see the error now:

6059  01:35:09.390932 access("/var/lib/fossil/example.fossil", R_OK <unfinished ...>
6059  01:35:09.391769 <... access resumed>) = -1 EACCES (Permission denied)
6059  01:35:09.391858 access("/var/lib/fossil/example.fossil", F_OK <unfinished ...>
6059  01:35:09.391956 <... access resumed>) = 0
6059  01:35:09.392048 access("/var/lib/fossil/example.fossil", R_OK <unfinished ...>
6059  01:35:09.392614 <... access resumed>) = -1 EACCES (Permission denied)
6059  01:35:09.392720 write(2, "read permission denied for repos"..., 80 <unfinished ...>

I don't understand why though as the file has read permission for all and the directories have execute permissions for all.

(3) By Kevin (kevgrig) on 2021-06-25 01:48:35 in reply to 2 [link] [source]

journalctl showed the error:

Jun 25 01:35:09 audit[6059]: AVC avc:  denied  { read } for  pid=6059 comm="fossil.cgi" name="example.fossil" dev="vda1" ino=263570 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

This was caused by SELinux.

(4) By Stephan Beal (stephan) on 2021-06-25 02:38:55 in reply to 2 [link] [source]

I don't understand why though as the file has read permission for all and the directories have execute permissions for all.

You need not only write permission to the repo but also its directory - sqlite needs that for its journal. AFAIK, fossil is currently unable to work properly with read-only repos, in particular for non-anonymous access so that it can record/update the user's login cookie.

(5) By Kevin (kevgrig) on 2021-06-25 05:12:10 in reply to 4 [link] [source]

Hey Stephan, Thanks, yes, I ran into that issue after I fixed the SELinux error and I had to give write access to the directory.

(6) By anonymous on 2021-06-25 07:30:36 in reply to 4 [source] 

That suggests that the content on https://fossil-scm.org/home/wiki?name=Cookbook#CGI

should probably add something like

6. Ensure that the repository directory is writable to the CGI user account

after

4. Ensure that every directory in the path leading to the repository is browseable (chmod +x) to the CGI user account.
5. Ensure that the repository file is readable and writable to the CGI user account.

and the example shell script should include something like

  chgrp $CGI_GROUP .
  chmod g+w .

within the then...else but outside the for...done

With perhaps a note about "if you are using another access control system, such as AppArmor or SELinux, you will want to make sure that the CGI user account is allowed to read and write the necessary files".

If someone already has write-permission to the wiki, feel free to polish-and-paste that in.

Cheers,

(7) By Stephan Beal (stephan) on 2021-06-25 07:37:58 in reply to 6 [link] [source]

That suggests that the content on https://fossil-scm.org/home/wiki?name=Cookbook#CGI ...

That particular page is not maintained - its last edit was 8.5 years ago. However, the relevant documentation already mentions your first suggestion:

src:/doc/trunk/www/server/any/cgi.md

and i will get your suggestion about AppArmor/SELinux integrated in a moment.

(8) By John Rouillard (rouilj) on 2021-06-25 13:57:42 in reply to 7 [link] [source]

Probably worth updating the cookbook page to remove obsolete info and refer to documentation.

(9) By Stephan Beal (stephan) on 2021-06-25 15:59:59 in reply to 8 [link] [source]

Probably worth updating the cookbook page to remove obsolete info and refer to documentation.

i put a warning at the top with a link to the main doc index and added a link in the CGI section to the CGI doc. If someone wants to go fish out a current /doc link for every section in the cookbook, they're welcome to do so :).