Discussion:
[Tutor] my membership and access to the Tutor list
Alan Gauld
2015-05-08 09:33:38 UTC
> Hi Alan
> I thought my membership was complete and that I could log in to answer
> your comments.

The tutor list is a mailing list, not a web forum. You don't log in to answer
comments; you send an email reply. Use Reply to send to the individual
(as you've just done with me) or, more usually, use ReplyAll (or ReplyList
if your mail tool has that feature) to reply to everyone on the list.

Use plain text to preserve code layout and use interleaved posting
(as I'm doing here) rather than top-posting.

> I found I could not login again. PLEASE can you help to get my
> password reset?

Only you can change the password; it's purely web based. I only
approve messages in the moderation queue, virtually nothing else.
But the password just gives you access to your admin settings.

> I think I am failing to understand what user and/or group permissions
> are required between apache python, and the python myUnix2.cgi program
> I am using.

OK, I'm no expert here but several things about your program
have me puzzled.

First remember that the web server will have its own user account
and thus your code is effectively being run by another user. So any
permissions on your files need to allow that user to have access.
This is obviously a security risk and the reason it's best not to have
web programs accessing files in a user's area but to copy any files
needed into the web server space.

> This program script is listed below, hopefully with spaces corrected

Spacing is now legal, but you should increase the indentation to
make it more readable. Consider 2 spaces as the absolute minimum;
most people use 3 or 4. If you ever submit code to the Python
standard library it must use 4 spaces. One space makes the
indentation hard to line up and almost defeats the point of
having it.

> path to uds_socket corrected as Felix Dietricl suggested may be an issue.
> 1) From my user directory I issued the script Unix2.cgi to
> a listening Unix sockets server and this worked OK.
> 2) The permissions of Unix2.cgi are:-
> -rwxrwxrwx. 1 johnlawton johnlawton 987 May 7 17:55 myUnix2.cgi
> This is not good from security but surely proves the script can execute if
> permissions are not considered.
> 3) This file is copied to the apache cgi directory /var/www/cgi-bin
> with the permissions forced as
> -rwxrwxrwx. 1 johnlawton johnlawton 987 May 7 18:19 ../../../var/www/cgi-bin/myUnix2.cgi
> 4) Execution of the cgi script directly works OK.

OK, permissions of the cgi script are not critical; they just need to be
executable to the web server. So you could have ---r-xrwx and it should
be more secure and work OK. What is important is that you change
ownership to whatever the apache user account is (local config, I can't
help there; you'll need to look at the files).

> 5) http is enabled in the fedora firewall
> 6) The apache server is started using sudo systemctl start httpd.service.
> When firefox is used to have Unix2.cgi executed the localhost receives
> the following error report.
>   File "/var/www/cgi-bin/myUnix2.cgi", line 37, in <module>
>     creSockettoServer()
>   File "/var/www/cgi-bin/myUnix2.cgi", line 26, in creSockettoServer
>     sys.exit(1)
> SystemExit: 1
> 7) The copy process of myUnix2.cgi from my user directory to
> /var/www/cgi-bin
> but setting user and group to root with full permissions results in
> -rwxrwxrwx. 1 root root 987 May 7 18:45 ../../../var/www/cgi-bin/myUnix2.cgi

OK, but I sincerely hope the web server is NOT running as root; that
would be a security disaster and a cracker's paradise!

> 8) When firefox is used to have Unix2.cgi executed the localhost
> receives the same error report given under 6).
> 9) Summary: since the 'o' permissions are forced to rwx the script
> should execute no matter what user group are specified?
> 10) How do I establish necessary cgi permissions?

The problems are not with your script but with the socket you are trying to
create, or the path to it. It's those permissions that likely need to be
changed.

> #!/usr/bin/env python
> import cgi
> import socket
> import sys
> # CGI response: header line, blank line, then the HTML page
> print("""Content-type:text/html\n\n
> <!DOCTYPE html>
> <html lang="en">
> <head>
> <meta charset="utf-8" />
> <title> MyServer Template </title>
> </head>
> <body>""")
> print("""</body>
> </html> """ )
> # Client side of the UNIX domain socket; the path lies in the user's home area
> sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
> server_address = '/home/johnlawton/workspace/myUnixSock/uds_socket'

I confess I've never used a socket like this; indeed I was only
vaguely aware of their existence! I assume you have previous
experience of using UNIX domain sockets (in C?) since there
is relatively little tutorial help out there.

I've always used sockets for IP and given an IP address to the socket.
So I can only guess what's going on in your case. Can I ask what you
are trying to do in your program that you need UNIX sockets? Just curious.
Also one thing that occurs to me - have you made sure the socket file
is being deleted each time before you run the program? An existing
socket file may well cause your problems.

Back to the issue at hand...
Can you write a simpler CGI script that just prints data or similar?
That way you can check that your CGI setup is working first
and then focus on the issue of opening the socket. I'm a big believer
in solving one problem at a time.

In fact you could then write a second script that reads your socket
folder and prints a dir listing using os.listdir() or glob() or similar to
prove basic access is OK. It might also print some info about the
user so that you know which account is running your scripts.

Armed with that information you can then tackle the issue of
creating your socket file.

I've CCd the list so that others can contribute too.
--
Alan G
Author of the Learn to Program web site
http://www.alan-g.me.uk/
http://www.amazon.com/author/alan_gauld
Follow my photo-blog on Flickr at:
http://www.flickr.com/photos/alangauldphotos

_______________________________________________
Tutor maillist - ***@python.org
To unsubscribe or change subscription options:
https://mail.python.org/mailman/listinfo/tutor
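
The diagnostic script suggested in the message above, as an added example that is not part of the original thread: it reports which account runs the CGI and whether that account's mode bits let it reach the socket. The function names are made up for this sketch, and it evaluates mode bits only, so POSIX ACLs and SELinux policy can still deny access.

```python
#!/usr/bin/env python3
"""CGI diagnostic: which account runs this script, and can it reach the socket?"""
import os
import pwd
import stat

# Socket path quoted in the post; change it to match your server.
SOCKET_PATH = "/home/johnlawton/workspace/myUnixSock/uds_socket"


def current_identity():
    """Effective uid plus every group id of the running process."""
    return os.geteuid(), set(os.getgroups()) | {os.getegid()}


def permitted(st, uid, gids, want):
    """Classic owner/group/other test; want is 4 (r), 2 (w) or 1 (x)."""
    if uid == 0:                 # root is not limited by these bits
        return True
    if uid == st.st_uid:
        shift = 6                # owner bits apply
    elif st.st_gid in gids:
        shift = 3                # group bits apply
    else:
        shift = 0                # other bits apply
    return ((st.st_mode >> shift) & want) == want


def explain_access(sock_path, uid, gids):
    """Return (path, mode, requirement, ok) for each directory and the socket."""
    path = os.path.abspath(sock_path)
    dirs, d = [], os.path.dirname(path)
    while True:                  # collect every ancestor up to the root
        dirs.append(d)
        if os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    findings = []
    for node in list(reversed(dirs)) + [path]:
        try:
            st = os.stat(node)
        except OSError as exc:   # this process itself cannot get that far
            findings.append((node, "?", "stat failed: %s" % exc.strerror, False))
            return findings
        mode = stat.filemode(st.st_mode)
        if node != path:
            findings.append((node, mode, "search (x)", permitted(st, uid, gids, 1)))
        elif not stat.S_ISSOCK(st.st_mode):
            findings.append((node, mode, "not a socket", False))
        else:                    # connect() needs write permission on the node
            findings.append((node, mode, "connect needs write (w)",
                             permitted(st, uid, gids, 2)))
    return findings


def report(sock_path=SOCKET_PATH):
    """Plain-text report for the account that is running this script."""
    uid, gids = current_identity()
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = "?"
    lines = ["running as uid=%d (%s) gids=%s" % (uid, user, sorted(gids))]
    for path, mode, need, ok in explain_access(sock_path, uid, gids):
        lines.append("%-4s %s %s [%s]" % ("ok" if ok else "DENY", mode, path, need))
    return "\n".join(lines)


if __name__ == "__main__":
    print("Content-Type: text/plain\n")
    print(report())
```

Remove the script from cgi-bin once the check is done, since it discloses account names and filesystem layout to anyone who can request it.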
Alan Gauld
2015-05-12 19:01:34 UTC
Forwarding to the list for comment.
Always use Reply All (Or Reply List if your mailer supports it)
when including the list members.

Alan G
Hi Alan
I have worked through the file permissions, cognizant of your comments,
to see if I can find what is failing in apache access to a python
created unix socket. Points 1), ..., 12) give the results.
In particular I do not understand how to set the user of uds_socket to
apache or set the write permission of uds_socket group to rwx. I think
that either change should enable successful operation, comments please!
I chose Unix Sockets since I had very similar access problems with IP
sockets.
I would like to remote control an embedded device from a laptop. The
target will be Raspberrypi that in turn communicates to ARM Cortex M3
devices that are capable of correct Nyquist sampling, that Unix based
devices cannot guarantee. I chose Python since it is so widely used
and I need to learn that language processor. I appreciate there are
many other ways of achieving this end but I think this one ought
to work!
Many Thanks for your help,
Stewart Lawton

1) /etc/httpd/conf/httpd.conf specifies the apache server user and group
as:-
    # User/Group: The name (or #number) of the user/group to run httpd as.
    # It is usually good practice to create a dedicated user and group for
    # running httpd, as with most system services.
    #
    User apache
    Group apache
2) apache is started with command sudo ./startapache that contains:-
    systemctl start httpd.service
3) The process status of apache is found by command ps -el;
the following is taken from the status report:-
    F S UID  PID PPID C PRI NI ADDR   SZ WCHAN  TTY     TIME CMD
    4 S   0 2226    1 0  80  0 -    7493 poll_s ?   00:00:00 httpd
    5 S  48 2227 2226 0  80  0 -    7493 inet_c ?   00:00:00 httpd
    5 S  48 2228 2226 0  80  0 -    7493 inet_c ?   00:00:00 httpd
    5 S  48 2229 2226 0  80  0 -    7493 inet_c ?   00:00:00 httpd
    5 S  48 2230 2226 0  80  0 -    7493 inet_c ?   00:00:00 httpd
    5 S  48 2233 2226 0  80  0 -    7493 inet_c ?   00:00:00 httpd
4) The user identity UID, 48, is used to find the user and group given
in /etc/passwd:-
    apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
The user and group identities are given as 48:48 so the user and group
are apache and apache.
5) The above hopefully establishes that the server has permissions on
user and groups named as apache.
6) I created a test directory at /test to be used to contain the file
node uds_socket.
    drwxrwxr-x. 2 apache apache 4096 May 11 20:15 test
7) On starting the Socket server that listens for an incoming connection
the new uds_socket is created with user and group permissions as shown:-
    srwxr-xr-x. 1 johnlawton apache 0 May 12 10:22 /test/uds_socket
8) I do not understand what function the s bit performs here.
I note that group access cannot write the file.
9) When I execute the myUnix2.cgi script from /var/www/cgi_bin with
johnlawton as user with primary group apache the script executes and
the listening server responds correctly. I note johnlawton has rwx
access but the group apache access is limited to r-x.
10) When the apache server executes the myUnix2.cgi script failure
results in failing to access the socket.
11) Summary. I think the server fails as it can only get group access
and group access is limited to r-x, NO w permission.
12) How can I get UDS_Socket to be created with apache as user (hence
allowing rwx) or enable apache group access with w permission?
--
Alan G
Author of the Learn to Program web site
http://www.alan-g.me.uk/
http://www.amazon.com/author/alan_gauld
Follow my photo-blog on Flickr at:
http://www.flickr.com/photos/alangauldphotos
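
An added example, not code from the thread, for point 12 above and for the earlier remark about a leftover socket file: the listening server removes a stale node, then creates the socket with owner and group read/write so a web server in the socket's group can connect. The helper names are hypothetical. The leading `s` in `srwxr-xr-x` is the file-type character for a socket (as `d` is for a directory), not a permission bit, and on Linux connecting to the socket requires write permission on that node.

```python
import grp
import os
import socket
import stat


def remove_stale_socket(path):
    """Delete a leftover socket node; refuse to delete anything else."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISSOCK(st.st_mode):
        raise RuntimeError("%s exists and is not a socket; not removing it" % path)
    os.unlink(path)
    return True


def make_listener(path, mode=0o660, group=None, backlog=5):
    """Bind a UNIX stream socket whose node is never more open than `mode`.

    0o660 lets the owner and the members of the node's group connect and
    keeps everyone else out, which is tighter than forcing rwx for 'other'.
    """
    remove_stale_socket(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    # bind() creates the node with 0o777 & ~umask, so set the umask first;
    # chmod-after-bind alone would leave a short window with wider access.
    # umask is process-wide: do this before starting other threads.
    old_umask = os.umask(0o777 & ~mode)
    try:
        sock.bind(path)
    except OSError:
        sock.close()
        raise
    finally:
        os.umask(old_umask)
    if group is not None:
        # Allowed without root when the server's account belongs to `group`.
        os.chown(path, -1, grp.getgrnam(group).gr_gid)
    os.chmod(path, mode)         # explicit, in case the platform ignored umask
    sock.listen(backlog)
    return sock


if __name__ == "__main__":
    import tempfile
    # Offline demo in a scratch directory. With the values from the post the
    # call would be: make_listener("/test/uds_socket", group="apache")
    demo = os.path.join(tempfile.mkdtemp(), "uds_socket")
    listener = make_listener(demo)
    print(stat.filemode(os.stat(demo).st_mode), demo)
    listener.close()
    os.unlink(demo)
```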

Stewart Lawton
2015-05-13 07:58:14 UTC
From: Alan Gauld <***@btinternet.com>
To: Stewart Lawton <***@yahoo.co.uk>; tutor <***@python.org>
Sent: Tuesday, 12 May 2015, 20:01
Subject: Re: my membership and access to the Tutor list
