installation:selinuxapache

Differences

This shows you the differences between two versions of the page.

installation:selinuxapache [2016/03/10 17:39] (current)
admin created
Line 1: Line 1:
 +===== Running GAMS under Apache on SELinux protected machine =====
  
 +On a apache-webserver that runs SELinux, the apache user does not have sufficient permissions to execute GAMS (e.g., from a PHP script).
 +This can be overcome by wrapping the GAMS call into a separate executable, which is then excluded from SELinux security:
 +
 +   - Create a wrapper C executable that will call GAMS in the GAMS system directory:<​code>​
 +#include <​stdlib.h>​
 +#include <​sys/​types.h>​
 +#include <​unistd.h>​
 +     
 +int main (int argc, char *argv[])
 +{
 +   ​setuid (0);
 +     
 +   /* WARNING: Only use an absolute path to the script to execute,
 +    *          a malicious user might fool the binary and execute
 +    *          arbitary commands if not.
 +    */
 +     
 +   ​system ("gams /​var/​www/​html/​gams/​model.gms"​);​
 +   ​return 0;
 +}
 +</​code>​
 +   - Compile the wrapper file, e.g., ''​gcc wrapper.c gams_root''​
 +   - Change the owner of ''​gams_root''​ to root and give permissions to r+x all users.
 +   - Give apache read and write permissions on the folder that includes ''​gams_root'':<​code>​
 +sudo chcon -t httpd_sys_content_t /​var/​www/​html/​gams
 +sudo chcon -t httpd_sys_rw_content_t /​var/​www/​html/​gams
 +</​code>​
 +   - Exclude ''​gams_root''​ binary from SELinux security:<​code>​
 +sudo chcon -t httpd_unconfined_script_exec_t /​var/​www/​html/​gams/​gams_root
 +</​code>​
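Review bot: In the wrapper, system ("gams /var/www/html/gams/model.gms") passes a bare command name to the shell right after setuid (0), so the privileged process resolves gams through the inherited PATH and environment, which is exactly what the WARNING comment above it says to avoid. Give the absolute path of the gams executable, replace system() with execv() after resetting the environment to fixed values, and check the return value of setuid (0), exiting on failure. The steps also never set the setuid bit on gams_root (only "owner root" and r+x for all users), so setuid (0) would fail when the binary is started by the apache user; since the page attributes the problem to SELinux rather than to the UID, consider dropping the setuid call and keeping the wrapper unprivileged. In the compile step, gcc wrapper.c gams_root is missing -o, so gcc treats gams_root as a second input file instead of the output name. The two chcon -t commands target the same directory, so only httpd_sys_rw_content_t remains in effect; and because that makes the directory holding gams_root writable by apache while the binary itself is labelled httpd_unconfined_script_exec_t, the wrapper should live in a root-owned directory outside the writable content tree.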
installation/selinuxapache.txt · Last modified: 2016/03/10 17:39 by admin