Can you attach a copy of your httpd.conf file?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rossen Raykov
Sent: Tuesday, June 05, 2001 03:05 PM
To: [EMAIL PROTECTED]
Subject: Re: [error] (13)Permission denied: accept: (client socket)


Hi,

# uname -a
SunOS MyHost 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10
# netstat -an | grep 80
x.x.x.x.80          *.*                0      0 24576      0 LISTEN
in /etc/syslog.conf I have a line:
*.emerg;*.alert;*.crit;*.err;*.warning;*.info   /var/log/all.log
and there is nothing in it from apache or from the system during the apache
startup and it's live.

#ps -axwu | grep http
root     19919  0.0  1.2 4720 2880 ?        S 07:46:17  0:00
/u01/app/apache/product/current/bin/httpd -d /u01/app/apache/product/c
root     19920  0.0  1.0 4784 2488 ?        S 07:46:18  0:00
/u01/app/apache/product/current/bin/httpd -d /u01/app/apache/product/c
root     19921  0.0  1.0 4784 2488 ?        S 07:46:18  0:00
/u01/app/apache/product/current/bin/httpd -d /u01/app/apache/product/c
root     19922  0.0  1.0 4784 2496 ?        S 07:46:18  0:00
/u01/app/apache/product/current/bin/httpd -d /u01/app/apache/product/c
root     19923  0.0  1.0 4784 2496 ?        S 07:46:18  0:00
/u01/app/apache/product/current/bin/httpd -d /u01/app/apache/product/c
root     19924  0.0  1.0 4784 2488 ?        S 07:46:18  0:00
/u01/app/apache/product/current/bin/httpd -d /u01/app/apache/product/c
root     19928  0.0  1.0 4784 2488 ?        S 07:47:54  0:00
/u01/app/apache/product/current/bin/httpd -d /u01/app/apache/product/c

This is working fine.

When I change
User root
Group root
to
User www
Group www
the picture is:
# ps -axuw | grep http
root     20222  0.3  1.2 4720 2880 ?        S 10:29:21  0:00
/u01/app/apache/product/current/bin/httpd -d /u01/app/apache/product/c
www      20224  0.1  0.6 4720 1432 ?        S 10:29:22  0:00
/u01/app/apache/product/current/bin/httpd -d /u01/app/apache/product/c
www      20226  0.1  0.6 4720 1432 ?        S 10:29:22  0:00
/u01/app/apache/product/current/bin/httpd -d /u01/app/apache/product/c
www      20223  0.0  0.6 4720 1440 ?        S 10:29:22  0:00
/u01/app/apache/product/current/bin/httpd -d /u01/app/apache/product/c
www      20225  0.0  0.6 4720 1432 ?        S 10:29:22  0:00
/u01/app/apache/product/current/bin/httpd -d /u01/app/apache/product/c
www      20227  0.0  0.6 4720 1432 ?        S 10:29:22  0:00
/u01/app/apache/product/current/bin/httpd -d /u01/app/apache/product/c
# netstat -an | grep 80
x.x.x.x.80          *.*                0      0 24576      0 LISTEN
# ls -l /etc/passwd /etc/group
-rw-r--r--   1 root     sys          305 Jun  5 07:35 /etc/group
-r--r--r--   1 root     sys          669 Jun  5 07:34 /etc/passwd
# grep www /etc/passwd /etc/group
/etc/passwd:www:x:100:100:WWW user:/:/sbin/noshell
/etc/group:www::100:
# telnet x.x.x.x 80
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
Connection closed by foreign host.
In truth the connection is established (I traced this with tcpdump and BTW it
is seen from the telnet response).
The problem is that immediately after that it is terminated and in the log
is written only this error:

[Tue Jun  5 10:29:10 2001] [info] removed PID file /var/run/sys.httpd.pid (pid=19919)
[Tue Jun  5 10:29:10 2001] [notice] caught SIGTERM, shutting down
[Tue Jun  5 10:29:20 2001] [info] mod_unique_id: using ip addr x.x.x.x
[Tue Jun  5 10:29:21 2001] [info] mod_unique_id: using ip addr x.x.x.x
[Tue Jun  5 10:29:22 2001] [notice] Apache configured -- resuming normal operations
[Tue Jun  5 10:29:22 2001] [info] Server built: Jun  5 2001 07:09:49
[Tue Jun  5 10:30:32 2001] [error] (13)Permission denied: accept: (client socket)
Initially I tried binaries that are working on a different box with the
same OS, but on it Solaris is set up differently.
After some tests with different user names/ids (www and nobody) I recompiled
apache using the following configuration:

EXTRA_CFLAGS=-DBIG_SECURITY_HOLE
./configure --with-apache=../apache_1.3.19 --with-ssl=../openssl-0.9.6 \
  --with-mm=../mm-1.1. --enable-module=all --enable-shared=max \
  --prefix=/u01/app/apache/product/1.3.19 --enable-rule=EAPI \
  --server-uid=root --server-gid=root -DBIG_SECURITY_HOLE
After that I was able to start the server like using user/group root in the
config file and it is working perfect!
In the same installation if I change user/group to www the children are not
serving the requests!
From the commands above it is well seen that the server is running - there is
a master copy owned by root and children owned by www and also netstat is
showing that it is listening to port 80.
Also telnet is making connection to the server but ... it is immediately
terminated!
This drives me crazy and I almost cannot believe it, but it is true!
The only thing that I can think of is that somehow Solaris in this particular
configuration/system settings is not allowing other users to use ports under
1024.
Never mind that they are actually reusing existing connection established by
the master!!!
Attached is the config file.
And since the directory /var/sys/proxy is mentioned there:

# ls -l /var/sys/
total 2
drwxr-xr-x   2 www      www          512 Jun  5 07:47 proxy

BTW the TCP/IP stack on the server is working since I'm using it to make ssh
connections and there is ntpd server running on it which is also proven to
work.
Actually even apache is working but only if it is set to work from root :(

Any ideas are appreciated!

Regards,
Rossen

PS x.x.x.x stands for the same IP address in both the screen dumps and the
httpd.conf file.

----- Original Message -----
From: "McCaffity, Ray" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 05, 2001 9:45 AM
Subject: RE: [error] (13)Permission denied: accept: (client socket)


> There is no reason that Solaris won't let you run child processes as someone
> besides root.  All my servers are set up this way.  Which version of Solaris?
> x86 or Sparc? 64 or 32-bit?  Some places to look are /var/adm/messages
> ../path/to/apache/logs/error_log and dmesg.  Also when you do a netstat -a |
> grep 80 or 443 do you see anything?  Dumb question, but are you sure the
> Apache process is running?  ps -ef | grep httpd | wc -l   Question? Why don't
> you want the parent process to run as root?  I'm pretty sure you'll also have
> to un-edit the #Listen and #Port lines and change these to a port higher than
> 1024 if you don't want to run the parent process as root.
>
> -----Original Message-----
> From: Rossen Raykov [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 05, 2001 1:45 PM
> To: [EMAIL PROTECTED]
> Subject: [error] (13)Permission denied: accept: (client socket)
>
>
> Hi All,
>
> The question is a little out of the list but I was not able to find answer
> of this anywhere, so please excuse me and help me if you can.
>
> When I'm accessing the apache server I'm getting the following error:
>
> [error] (13)Permission denied: accept: (client socket)
>
> I'm running apache 1.3.19 with mod_ssl 2.8.3 on Solaris 8 on sparc.
> There are no more messages even when LogLevel is set to debug.
> When I make a telnet connection to the server it is closed immediately with
> the message "Connection closed by foreign host.".
>
> BTW the same compilation runs without any problem on a second box with the
> same OS but with different system configuration.
>
> I think there is an OS restriction that is preventing the server children
> to make connections if they are owned by anyone but root.
> I tried with default Solaris user nobody:nobody (60001:60001) and with
> www:www (100:100) without success.
> The httpd.conf is correct since when I compiled apache with
> EXTRA_CFLAGS=-DBIG_SECURITY_HOLE and run it from root:root it is working
> fine without any complaint.
>
> I think there is something in the OS that is preventing the server to be
> run by different than root user.
>
> Do you have any idea what I have to check/change or is there a better list
> to which I can address this?
>
> Regards,
> Rosen
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]