Running GAMS under Apache on an SELinux-protected machine

On an Apache web server that runs SELinux, the apache user does not have sufficient permissions to execute GAMS (e.g., from a PHP script). This can be overcome by wrapping the GAMS call in a separate executable, which is then excluded from SELinux confinement:

  1. Create a wrapper C executable that will call GAMS in the GAMS system directory:
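    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <unistd.h>

    int main (int argc, char *argv[])
    {
       /* Succeeds only if the process already has root privileges
        * (for example, the binary is setuid-root); otherwise the call
        * fails and GAMS runs as the calling user.
        */
       if (setuid (0) != 0)
          perror ("setuid");

       /* WARNING: Only use absolute paths, both to the gams executable
        *          and to the script to execute; a malicious user might
        *          fool the binary and execute arbitrary commands if not.
        *          /path/to/gams is a placeholder for the GAMS system
        *          directory.
        */

       system ("/path/to/gams/gams /var/www/html/gams/model.gms");
       return 0;
    }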
  2. Compile the wrapper file, e.g., gcc wrapper.c -o gams_root
  3. Change the owner of gams_root to root and give all users read and execute (r+x) permissions.
  4. Give apache read and write permissions on the folder that includes gams_root:
    sudo chcon -t httpd_sys_content_t /var/www/html/gams
    sudo chcon -t httpd_sys_rw_content_t /var/www/html/gams
  5. Exclude the gams_root binary from SELinux security:
    sudo chcon -t httpd_unconfined_script_exec_t /var/www/html/gams/gams_root
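
A hardened variant of the wrapper from step 1, added here as an example and not part of the original page: it starts GAMS with execve() instead of system(), so no shell parses the command, and it passes a fixed environment instead of the caller's. GAMS_BIN is a placeholder for the gams binary in your GAMS system directory; run_gams and clean_env are names chosen for this example.

```c
/* Added example: wrapper that runs GAMS without a shell. Paths are placeholders. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Placeholder: set to the gams binary inside your GAMS system directory. */
#define GAMS_BIN   "/path/to/gams/gams"
#define GAMS_MODEL "/var/www/html/gams/model.gms"

/* Fixed environment: nothing from the caller (PATH, IFS, LD_*) is inherited. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Run bin on model without a shell. Returns the child's exit status,
 * 127 if the exec failed, or -1 if a path is not absolute or fork/wait failed. */
int run_gams(const char *bin, const char *model)
{
    if (bin == NULL || model == NULL || bin[0] != '/' || model[0] != '/')
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)bin, (char *)model, NULL };
        execve(bin, argv, clean_env);
        _exit(127);             /* reached only if execve failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Same call as the page's wrapper; it fails harmlessly without root. */
    if (setuid(0) != 0)
        perror("setuid");
    int rc = run_gams(GAMS_BIN, GAMS_MODEL);
    if (rc != 0)
        fprintf(stderr, "gams wrapper: run failed (status %d)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Because the exit status of GAMS is passed back, the calling PHP script can tell a failed run from a successful one.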
installation/selinuxapache.txt · Last modified: 2016/03/10 16:39 by admin