Re: Fedora 40 apache now giving errors

2024-04-24 Thread Steven A. Falco

On 4/24/24 06:50 AM, Tom Hughes wrote:
> On 24/04/2024 02:28, Xose Vazquez Perez wrote:
>
>> # mkdir /etc/systemd/system/httpd.service.d/
>>
>> # vi /etc/systemd/system/httpd.service.d/override.conf
>> [Service]
>> ProtectHome=false
>
> Better than just opening up whole trees again would
> be to use ReadWritePaths= to specify which paths should
> be allowed for writing.

Creating the override.conf to allow write access to /home worked.  But I can 
see the point that this could be dangerous, so I'll investigate how to use the 
ReadWritePaths variable.

BTW, selinux was not involved, because I have it turned off.  So it looks like 
the systemd changes were what broke httpd.

Thanks all for the help - I'm back in business.

Steve

--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: Fedora 40 apache now giving errors

2024-04-24 Thread Tom Hughes via devel

On 24/04/2024 02:28, Xose Vazquez Perez wrote:

> # mkdir /etc/systemd/system/httpd.service.d/
>
> # vi /etc/systemd/system/httpd.service.d/override.conf
> [Service]
> ProtectHome=false

Better than just opening up whole trees again would
be to use ReadWritePaths= to specify which paths should
be allowed for writing.

Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/
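
An added example (not from the thread or from Fedora's httpd packaging): a shell check that flags drop-ins which switch off `ProtectHome=`/`ProtectSystem=` or re-open a whole top-level tree, and passes one that allow-lists a single directory with `ReadWritePaths=` as suggested above. The path `/home/example/cgi-data`, the function names and the list of "broad" trees are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: lint a systemd drop-in for overrides that switch sandboxing
# off wholesale rather than allow-listing one writable directory.

# flag_broad_overrides FILE
# Prints offending lines; returns 1 if any were found, 0 otherwise.
flag_broad_overrides() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        # Protection turned off entirely (systemd booleans are case-insensitive).
        key ~ /^Protect(Home|System)$/ && tolower(val) ~ /^(false|no|off|0)$/ {
            print; bad = 1
        }
        # A whole top-level tree made writable again (list is an assumption).
        key == "ReadWritePaths" {
            hit = 0
            n = split(val, p, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                sub(/^[-+]+/, "", p[i])            # optional "-" / "+" prefixes
                if (p[i] ~ "^/(home|root|usr|etc|var)?/?$") hit = 1
            }
            if (hit) { print; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# write_samples DIR: constructed drop-ins, the override quoted in this thread
# and a narrower one using a hypothetical data directory.
write_samples() {
    printf '%s\n' '[Service]' 'ProtectHome=false' > "$1/broad.conf"
    printf '%s\n' '[Service]' 'ReadWritePaths=/home/example/cgi-data' > "$1/narrow.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.conf; do
    if out=$(flag_broad_overrides "$f"); then
        echo "ok:    ${f##*/}"
    else
        echo "broad: ${f##*/}: $out"
    fi
done
rm -rf "$tmp"
```

`ReadWritePaths=` re-opens a path beneath a tree that is mounted read-only; systemd.exec(5) notes that it cannot be nested inside a path that has been made inaccessible. After `systemctl daemon-reload`, `systemctl show -p ProtectHome -p ReadWritePaths httpd.service` shows the values the unit actually runs with.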


Re: Fedora 40 apache now giving errors

2024-04-24 Thread Joe Orton
On Tue, Apr 23, 2024 at 08:52:18PM -0400, Steven A. Falco wrote:
> I upgraded to F40, and suddenly an apache cgi script that was working 
> perfectly in F39 (and earlier) is giving me a "Read-only file system" error 
> when trying to write data into a file.
> 
> The directory where the cgi is trying to write is owned by 
> apache:apache, and it is mode 777.  The file the cgi is trying to 
> write to is also owned by apache:apache and is mode 666.
> 
> If I manually run the cgi (a trivial perl script), it works perfectly, 
> but apache gives the "Read-only file system" error.  Apache can read 
> the file fine, it just cannot write to it.
> 
> I also tried having the cgi simply touch a file in /tmp, and that fails too.
> 
> Any suggestions gratefully accepted.

As Xose suggests it is likely related to the new systemd hardening 
restrictions which are applied for httpd from Fedora 40. There is a bit 
more information in "man httpd.service."

Exactly what directory are you trying to write to? /usr is blocked by 
ProtectSystem=yes, /home is blocked by ProtectHome=yes, for example.

Writing to /tmp works fine OOTB for a trivial CGI in /var/www/cgi-bin 
for me - if that is failing you please file a bug. (Because PrivateTmp 
has been used for a *long* time in httpd, httpd's /tmp is different to 
the system /tmp)

Regards, Joe


Re: Fedora 40 apache now giving errors

2024-04-23 Thread Xose Vazquez Perez

Steven A. Falco wrote:

> I upgraded to F40, and suddenly an apache cgi script that was working
> perfectly in F39 (and earlier) is giving me a "Read-only file system"
> error when trying to write data into a file.
>
> The directory where the cgi is trying to write is owned by
> apache:apache, and it is mode 777.  The file the cgi is trying to write
> to is also owned by apache:apache and is mode 666.
>
> If I manually run the cgi (a trivial perl script), it works perfectly,
> but apache gives the "Read-only file system" error.  Apache can read the
> file fine, it just cannot write to it.
>
> I also tried having the cgi simply touch a file in /tmp, and that fails
> too.
>
> Any suggestions gratefully accepted.


# mkdir /etc/systemd/system/httpd.service.d/

# vi /etc/systemd/system/httpd.service.d/override.conf
[Service]
ProtectHome=false

# systemctl daemon-reload
# systemctl restart httpd.service


Re: Fedora 40 apache now giving errors

2024-04-23 Thread Rob Crittenden
Steven A. Falco wrote:
> I upgraded to F40, and suddenly an apache cgi script that was working
> perfectly in F39 (and earlier) is giving me a "Read-only file system"
> error when trying to write data into a file.
> 
> The directory where the cgi is trying to write is owned by
> apache:apache, and it is mode 777.  The file the cgi is trying to write
> to is also owned by apache:apache and is mode 666.
> 
> If I manually run the cgi (a trivial perl script), it works perfectly,
> but apache gives the "Read-only file system" error.  Apache can read the
> file fine, it just cannot write to it.
> 
> I also tried having the cgi simply touch a file in /tmp, and that fails
> too.
> 
> Any suggestions gratefully accepted.

Check for SELinux issues? ausearch -m AVC -ts today

or "recent" if you re-run the cgi to minimize seeing any other issues.

HTH

rob


Fedora 40 apache now giving errors

2024-04-23 Thread Steven A. Falco

I upgraded to F40, and suddenly an apache cgi script that was working perfectly in F39 
(and earlier) is giving me a "Read-only file system" error when trying to write 
data into a file.

The directory where the cgi is trying to write is owned by apache:apache, and 
it is mode 777.  The file the cgi is trying to write to is also owned by 
apache:apache and is mode 666.

If I manually run the cgi (a trivial perl script), it works perfectly, but apache gives 
the "Read-only file system" error.  Apache can read the file fine, it just 
cannot write to it.

I also tried having the cgi simply touch a file in /tmp, and that fails too.

Any suggestions gratefully accepted.

Steve