Participants
Chris Cosner
Chris Cosner
Peter Eisentraut
Peter Eisentraut
Devrim GÜNDÜZ
Devrim GÜNDÜZ
Attachments
Show all attachments
Thread Outline
#1Chris CosnerChris Cosner
Jul 10, 2008
#2Peter EisentrautPeter Eisentrautto Chris Cosner (#1)
Jul 10, 2008
#3Chris CosnerChris Cosnerto Peter Eisentraut (#2)
Jul 10, 2008
#4Devrim GÜNDÜZDevrim GÜNDÜZto Chris Cosner (#3)
Jul 10, 2008
#5Chris CosnerChris Cosnerto Devrim GÜNDÜZ (#4)
Jul 10, 2008

apache permission denied

Started by Chris Cosneralmost 18 years ago5 messagesgeneral
Jump to latest
#1Chris Cosner
Chris Cosner
ccosner@stanford.edu

Using RHEL 5, with Postgresql 8.1, Apache, mod_perl, mod_auth_pgsql,
DBI, DBD::Pg

Perl cgi scripts that access the database get the following in httpd
error_log:
DBI connect('dbname=db','',...) failed: could not connect to server:
Permission denied

A direct test with a simple SQL command in the file, "command"
# sudo -u apache psql db < command
psql: FATAL: role "apache" is not permitted to log in

At the psql command line, \z shows
apache=arwdRxt
for all tables

And httpd.conf definitely has
User apache
Group apache

I have restarted httpd and postmaster and the machine. These scripts
work with postgresql 7x, but the grant syntax is different in 8x, so I
wonder if the problem is how to grant apache privileges, or some extra
step I'm missing.

#2Peter Eisentraut
Peter Eisentraut
peter_e@gmx.net
In reply to: Chris Cosner (#1)
Re: apache permission denied

Am Donnerstag, 10. Juli 2008 schrieb Chris Cosner:

Using RHEL 5, with Postgresql 8.1, Apache, mod_perl, mod_auth_pgsql,
DBI, DBD::Pg

Perl cgi scripts that access the database get the following in httpd
error_log:
DBI connect('dbname=db','',...) failed: could not connect to server:
Permission denied

An strace of the program would probably give definite insight, but "Permission
denied" sounds to me like a file system error message. Possibly, you don't
have proper permissions (at least u+x) on the socket file (in (/tmp). But
you would have to have done serious "customization" to get to that state.
Mayb you have some fancy security configured around your Apache instance?

A direct test with a simple SQL command in the file, "command"
# sudo -u apache psql db < command
psql: FATAL: role "apache" is not permitted to log in

That is a different issue, which the DBI route above would likely also
complain about if it managed to get by the Permission denied stage.

At the psql command line, \z shows
apache=arwdRxt
for all tables

That is yet another different issue :) which will only matter once the apache
role manages to log in and try to read a table.

And httpd.conf definitely has
User apache
Group apache

I have restarted httpd and postmaster and the machine. These scripts
work with postgresql 7x, but the grant syntax is different in 8x, so I
wonder if the problem is how to grant apache privileges, or some extra
step I'm missing.

Note that "postgresql 7x" and "8x" are about as useful classifications
as "Linux 1" and "Linux 2". Please be more precise. Yes, somewhere along
the line the syntax did change, but if that were the problem, you would get
an error message about it.

#3Chris Cosner
Chris Cosner
ccosner@stanford.edu
In reply to: Peter Eisentraut (#2)
Re: apache permission denied

Peter Eisentraut wrote:

Am Donnerstag, 10. Juli 2008 schrieb Chris Cosner:

Using RHEL 5, with Postgresql 8.1, Apache, mod_perl, mod_auth_pgsql,
DBI, DBD::Pg

Perl cgi scripts that access the database get the following in httpd
error_log:
DBI connect('dbname=db','',...) failed: could not connect to server:
Permission denied

An strace of the program would probably give definite insight, but "Permission
denied" sounds to me like a file system error message. Possibly, you don't
have proper permissions (at least u+x) on the socket file (in (/tmp). But
you would have to have done serious "customization" to get to that state.
Mayb you have some fancy security configured around your Apache instance?

Thanks--SELinux was in fact enabled, and when I set it to permissive
(i.e., audit only), httpd error_log now gives a login error:

DBI connect('dbname=db','',...) failed: FATAL: role "apache" is not
permitted to log in at /home/www/cgi-bin/db.lib line 1635

The postgresql version is 8.1.11

#4Devrim GÜNDÜZ
Devrim GÜNDÜZ
devrim@gunduz.org
In reply to: Chris Cosner (#3)
Re: apache permission denied

On Thu, 2008-07-10 at 11:49 -0700, Chris Cosner wrote:

DBI connect('dbname=db','',...) failed: FATAL: role "apache" is not
permitted to log in at /home/www/cgi-bin/db.lib line 1635

What about:

ALTER ROLE apache LOGIN;

-HTH.
--
Devrim GÜNDÜZ
devrim~gunduz.org, devrim~PostgreSQL.org, devrim.gunduz~linux.org.tr
http://www.gunduz.org

#5Chris Cosner
Chris Cosner
ccosner@stanford.edu
In reply to: Devrim GÜNDÜZ (#4)
Re: apache permission denied

ALTER ROLE apache LOGIN

It now works! Thank you Devrim and Peter for your help.

Devrim GÜNDÜZ wrote:

Show quoted text

On Thu, 2008-07-10 at 11:49 -0700, Chris Cosner wrote:

DBI connect('dbname=db','',...) failed: FATAL: role "apache" is not
permitted to log in at /home/www/cgi-bin/db.lib line 1635

What about:

ALTER ROLE apache LOGIN;

-HTH.

← Back to Topics