Fossil Forum

Database error: attempt to write a readonly database:
Login

Database error: attempt to write a readonly database:

Chronological

Database error: attempt to write a readonly database:

(1) By anonymous on 2023-11-29 08:33:14 [link] [source]

I am learning fossil and it works fine on my local machine. But when I deploy my foobar depository to my virtual machine centos7 using apache and cgi following the instructions from the fossil book. it works, Except that when I try to login on the home page, the error shows "Database error: attempt to write a readonly database: {REPLACE INTO config(name,value) VALUES('captcha-secret', lower(hex(randomblob(20))));}".

The structure is as follows:

/fossil/
/fossil/dev/
/fossil/dev/null
/fossil/dev/urandom
/fossil/fossil
/fossil/repo/
/fossil/repo/foo.fossil

# and the structure of cgi
/var/www/cgi-bin/foo.cgi

To make it work first, i just chmod -R 777.
as:
crwxrwxrwx. 1 apache apache 1, 3 Nov 27 22:12 null
crwxrwxrwx. 1 apache apache 1, 9 Nov 27 22:13 urandom
-rwxrwxrwx. 1 apache apache 487424 Nov 27 21:39 poem1.fossil
-rwxrwxrwx. 1 apache apache 55 Nov 27 21:48 var/www/cgi-bin/poem1.cgi

What does the error message mean exactly? What could be wrong? or I miss something? Please give me some advice to solve this problem.

(2) By Richard Hipp (drh) on 2023-11-29 10:42:38 in reply to 1 [source]

Is the directory that contains the Fossil repository writable by the CGI process? It needs to be in order for SQLite to generate a rollback journal for transaction control. If the directory containing the Fossil repository is not writable by the process, then the repository is read-only.

(3) By anonymous on 2023-11-29 17:16:47 in reply to 2 [link] [source]

Thanks for the help. I realized that the problem could be the apache config. I modified the apache config as follows:


<Directory "/var/www/cgi-bin">
    Options +ExecCGI
    AddHandler cgi-script .cgi
    Require all granted
</Directory>

and

chown -R apache:apache /fossil/

But the same error message still shows up.

Could you please give me some more advice?

(4) By Warren Young (wyoung) on 2023-11-29 19:38:50 in reply to 3 [link] [source]

Show your poem.cgi contents.

Show what "ls -ld /fossil" prints.

(7) By anonymous on 2023-11-30 04:04:23 in reply to 4 [link] [source] 

ls -ld /fossil
drwxrwxrwx. 6 apache apache 75 Nov 27 22:03 /fossil

ls -ld /fossil/repo
drwxrwxrwx. 2 apache apache 46 Nov 27 21:39 /fossil/repo

ls -ld poem1.fossil
-rwxrwxrwx. 1 apache apache 487424 Nov 27 21:39 poem1.fossil

the cgi script:
#!/fossil/fossil
repository: /fossil/repo/poem1.fossil

(5) By John Rouillard (rouilj) on 2023-11-29 20:09:46 in reply to 3 [link] [source]

chown -R apache:apache /fossil/

You almost certainly don't want this.

Nothing under your /fossil/ chroot should be owned or writable to apache with the exception of /fossil/repo and /fossil/repo/*.fossil. /fossil/repo should probably be owned by apache (and group apache) mode 775 and the fossil repo should be the same owner/group (apache.apache) mode 664. (This assumes that your web server is running as the apache user and not a user like www-data.)

Also /fossil/dev/null should be read/write (but not executable) to all but owned by root. This is probably how /dev/null is owned/permissioned. Similarly, you want to change /fossil/dev/urandom to match the owner/group/permissions from /dev/urandom.

This prevents the user apache from trivially changing any of the files/directories that can be used to break out of the chroot environment.

It has been a long time since I last configured apache for CGI use. However, the error message you are getting comes from fossil. If you had incorrectly configured the CGI, you would see the script in the browser (it wouldn't be executed). There is IIRC an option to run the CGI as a different user than the web server.

It's possible that's what you are running into if you have properly set up the permissions on /fossil/repo (as recommended drh) by and /fossil/repo/*.fossil. However, you haven't (AFAICT) shown what the owner/permission is on these two items. E.G. mode 555 on /fossil/repo would show the behavior you are reporting.

(6.2) By Warren Young (wyoung) on 2023-11-29 21:04:37 edited from 6.1 in reply to 5 [link] [source]

While all this is true, I expect this is going to come down to an SELinux restriction. RHEL 7 tightened things down a lot, requiring that you follow LHS standards to fit into its view of The Way Things Ought to Be.™

This question on ServerFault isn't formally answered, but I'd give that tip about putting the repo under /srv/www/fossil or similar a try. It is very much the sort of thing RHEL systems care about these days.

Ask me how I know. :)

(10) By Andy Bradford (andybradford) on 2023-11-30 05:46:09 in reply to 3 [link] [source] 

> I realized that the problem could be the apache config.

What user does your httpd run as?

Andy

(11) By Warren Young (wyoung) on 2023-11-30 10:32:30 in reply to 10 [link] [source]

CentOS 7 runs it as "apache", so what we've seen so far is sensible.

I'm still reasonably certain this is an SELinux issue. I don't blame those who have not worked on recent RHEL systems for not believing it can be this picky, but yes, it can.

(12.1) By John Rouillard (rouilj) on 2023-11-30 18:21:17 edited from 12.0 in reply to 11 [link] [source]

Yup. Given the permissions reported, SELinux is looking more likely. sestatus or getenforce probably report enforcing.

For testing only: running sudo setenforce 0 and verify that getenforce reports permissive. Then restart the fossil daemon (without rebooting the system) to see if it works.

If it does, then you need to look into audit2allow and other docs on creating a custom policy. Changing the SELinux labels on the files you have deployed is another way to do it.

Warning building a custom policy can cause hair loss 8-). There is a reason I prefer apparmour to SELinux 8-).

(13) By Warren Young (wyoung) on 2023-11-30 18:25:41 in reply to 12.1 [link] [source]

you need to look into audit2allow

Or just move the service to a directory that allows CGI execution per the above-linked advice. No need to fight the model for anticpated cases.

(14) By anonymous on 2023-12-01 00:49:47 in reply to 12.1 [link] [source]

Many thanks. I will try it on Ubuntu 20.4 then report.

(15) By anonymous on 2023-12-01 10:51:34 in reply to 14 [link] [source]

When I try it on virtual Ubuntu 20.4, everything is fine.

I saw this message: "Ubuntu does not allow access through the web browser to any file apart of those located in /var/www" when I install apache. so I put fossil repo/ under /var/www/. It could be the same thing on Centos7, as it seems to me a policy of apache. But I havn't tried it.

Thanks for all your helps.

(8.1) By Andy Bradford (andybradford) on 2023-11-30 05:20:18 edited from 8.0 in reply to 1 [link] [source] 

> "Database error: attempt to write a readonly database: {REPLACE INTO config(name,value) VALUES('captcha-secret', lower(hex(randomblob(20))));}"

Isn't  the  "config"  database  subject to  FOSSIL_HOME?  Where  is  the
FOSSIL_HOME for this?  If it's unable to determine a  HOME directory, it
may be using / which in your case is unlikely to be writable by apache.

Andy

(9.1) By Andy Bradford (andybradford) on 2023-11-30 05:43:58 edited from 9.0 in reply to 8.1 [link] [source] 

> Isn't  the  "config"  database  subject to  FOSSIL_HOME?

Maybe I'm  thinking of  "global_config" which isn't  likely used  in CGI
mode.

Andy