Apache [PTY Errors] in cgi-perl file while creating a new Expect object


Problem description

I have a perl script:

#!/usr/bin/perl -w
use DateTime;
use Expect;
use IO::Pty;
use CGI::Fast;

# FastCGI request loop: one iteration per incoming request
while (my $q = new CGI::Fast) {
    my $ip       = $q->param('ip');
    my $folder   = $q->param('folder');
    my $username = $q->param('username');
    my $password = $q->param('password');
    print "Content-type: text/html\r\n\r\n";
    print "<head>\n<title>FastCGI</title>\n</head>";
    print "<h3> $ip - $folder - $username - $password </h3>";

    # Creating the Expect object and spawning ssh needs a pty
    my $ssh = new Expect;

    # List form: the request parameters go to exec() as separate arguments, not through a shell
    if ($ssh->spawn("ssh", "-q", "-l", $username, $ip)) {
        print "<h4>Connexion OK</h4>";
    } else {
        print "Error\n";
        die "Connexion failed, $!";
    }
}

The execution of this script creates some errors in my Apache error log:

[error] [client x.x.x.x] pty_allocate(nonfatal): posix_openpt(): Permission denied at /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi/IO/Pty.pm line 24., referer: http://y.y.y.y/login
[error] [client x.x.x.x] pty_allocate(nonfatal): getpt(): No such file or directory at /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi/IO/Pty.pm line 24., referer: http://y.y.y.y/login
[error] [client x.x.x.x] pty_allocate(nonfatal): openpty(): No such file or directory at /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi/IO/Pty.pm line 24., referer: http://y.y.y.y/login
[error] [client x.x.x.x] pty_allocate(nonfatal): open(/dev/ptmx): Permission denied at /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi/IO/Pty.pm line 24., referer: http://y.y.y.y/login
[error] [client x.x.x.x] Cannot open a pty at /var/www/cgi-bin/cgi2.pl line 18, referer: http://y.y.y.y/login

I understand the error as it says it can't open a PTY (with the new Expect command).

Is it really a problem of permission (and how to fix that) or is it impossible to use the Expect command in a cgi file?

Thanks for your advice...

Recommended answer

This is because httpd_sys_script_t doesn't have selinux permissions to read/write a pty, but the following selinux policy will allow it:

policy_module(httpd_pty,1.0)
require {
    type httpd_sys_script_t;
    type ptmx_t;
    class chr_file { read write };
}
allow httpd_sys_script_t ptmx_t:chr_file { read write };

You might be able to change to class chr_file rw_chr_file_perms;, and allow httpd_sys_script_t ptmx_t:chr_file rw_chr_file_perms;, depending on how recent your selinux policy is. The above will work with rhel5, the macro in this line will work with rhel6.

Or, from advice from #selinux on freenode:

mkdir ~/myhttpd
cd ~/myhttpd
echo "policy_module(myhttpd,1.0.0) optional_policy(\` apache_content_template(myscript)')" > myhttpd.te
echo "/home/httpd/foo/cgi-bin/test.pl -- gen_context(system_u:object_r:httpd_myscript_script_exec_t,s0)" > myhttpd.fc
make -f /usr/share/selinux/devel/Makefile myhttpd.pp
sudo semodule -i myhttpd.pp

Basically, the apache policy has a way to create your own content type. Create the content type for your script in the above code fragment. Then use your new avc denials and add to the policy file myhttpd.te above. This will keep you from allowing all httpd processes from accessing pty's, just the one you specify. You would probably do the following afterwards:

allow httpd_myscript_script_t ptmx_t:chr_file rw_chr_file_perms;

added onto the end of myhttpd.te (or whatever you want to call the module), and recompile and load (make and semodule above).
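
The answer's step of taking the new AVC denials for the script's own domain and turning them into rules for myhttpd.te, sketched as an added example (not code from the original answer): denials whose source type is the custom domain are merged into allow rules, and denials from other domains such as httpd_t are ignored. The audit log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (illustrative, not from the original post).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1300000000.101:501): avc:  denied  { read write } for  pid=4101 comm="test.pl" name="ptmx" dev=tmpfs ino=1201 scontext=system_u:system_r:httpd_myscript_script_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1300000000.101:501): arch=40000003 syscall=5 success=no exit=-13 comm="test.pl"
type=AVC msg=audit(1300000000.202:502): avc:  denied  { ioctl } for  pid=4101 comm="test.pl" path="/dev/ptmx" dev=tmpfs ino=1201 scontext=system_u:system_r:httpd_myscript_script_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1300000000.303:503): avc:  denied  { read write } for  pid=4200 comm="httpd" name="ptmx" dev=tmpfs ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
"""

# Permissions, source context, target context and object class of one denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def allow_rules_for(log_text, domain):
    """Build allow rules only for denials whose source domain is `domain`."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match or selinux_type(match.group("scon")) != domain:
            continue  # not an AVC denial, or a different process domain
        key = (selinux_type(match.group("tcon")), match.group("tclass"))
        merged[key].update(match.group("perms").split())
    return [
        f"allow {domain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (ttype, tclass), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    # Rules to append to myhttpd.te for the per-script domain only.
    for rule in allow_rules_for(SAMPLE_AUDIT_LOG, "httpd_myscript_script_t"):
        print(rule)
```
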
