Serious Privileges Problem: Please Help

Victor Subervi victorsubervi at gmail.com
Mon Nov 9 13:36:31 EST 2009


Of course. Let me start with some updates to httpd.conf, which didn't help
anyway:

<VirtualHost *:80>
ServerAdmin me at creative.vi
DocumentRoot /var/www/html/angrynates.com
ServerName angrynates.com
# Virtual-host-wide: turns CGI execution on and removes the IncludesNoExec option.
Options +ExecCGI -IncludesNoExec
<Directory /var/www/html/angrynates.com/global_solutions>
 Options +ExecCGI
 # NOTE(review): two AllowOverride lines in one section. The later one (FileInfo)
 # is expected to replace "All"; keep only the one that is intended. "All" lets
 # any .htaccess file under this directory change the settings made here.
 AllowOverride All
 AllowOverride FileInfo
 #AddHandler mod_python .py
 #PythonHandler mod_python.publisher
 #PythonDebug On
# Every .cgi and .py file in this directory is executed as a CGI program rather
# than served as text, so anything writable here becomes server-side code.
AddHandler cgi-script .cgi .py
# Written without +/- signs, this list replaces the options in effect instead of
# merging with them. Includes permits server-side includes (including exec, since
# IncludesNoExec is not set) and Indexes lets Apache generate a directory listing
# when no index file is present; drop whichever the site does not need.
Options Includes Indexes SymLinksIfOwnerMatch ExecCGI
# SecFilterEngine Off (ModSecurity 1.x) and SecRuleEngine Off (ModSecurity 2.x)
# switch the web application firewall off for this directory. The message says
# these changes did not help, so the rules were not what blocked the script:
# turn the engine back on (or use DetectionOnly to keep logging) once done.
<IfModule mod_security.c>
 SecFilterEngine Off
</IfModule>
<IfModule mod_security2.c>
 SecRuleEngine Off
</IfModule>
# The lines from here to </Directory> repeat the handler, Options and
# ModSecurity settings above verbatim; one copy is enough.
AddHandler cgi-script .cgi .py
Options Includes Indexes SymLinksIfOwnerMatch ExecCGI

<IfModule mod_security.c>
 SecFilterEngine Off
</IfModule>
<IfModule mod_security2.c>
 SecRuleEngine Off
</IfModule>

</Directory>
</VirtualHost>

Here's index.py:

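#!/usr/bin/python
# NOTE(review): the error_log lines quoted further down this thread
# ("(2)No such file or directory: exec of '.../index.py' failed") are what the
# OS typically reports when the interpreter named on the line above cannot be
# found, e.g. /usr/bin/python is missing or the line ends in a carriage return
# after an upload from Windows. Rule that out before loosening file
# permissions, SELinux labels or ModSecurity.

import string
# cgitb.enable() writes full tracebacks (source context and variable values)
# into the HTTP response. Keep it for debugging only; once the page works,
# use cgitb.enable(display=0, logdir=<LOG_DIR>) so errors go to a log instead.
import cgitb; cgitb.enable()
import cgi
import sys,os
# Lets `template` be imported from the working directory.
# NOTE(review): assumes the CGI runs with the script's directory as cwd.
sys.path.append(os.getcwd())
from template import template

# Page name = this script's file name without its extension
# ("index.py" -> "index"), whatever directory prefix __file__ carries.
page = os.path.splitext(os.path.basename(__file__))[0]

form = cgi.FieldStorage()
w = form.getfirst('w', '1024')
# 'w' comes straight from the request. template() parses it with int() and
# also copies the raw string into the iframe URL, so accept only a short run
# of decimal digits here and fall back to the default width otherwise.
if not (w.isdigit() and len(w) <= 5):
  w = '1024'

template(page, w)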


Here's template.py:

#!/usr/bin/python

# cgitb.enable() runs on the import line itself, so it is already active when
# the remaining imports execute. It reports uncaught exceptions as formatted
# tracebacks in the script's output, which for a CGI is the visitor's browser.
# Debugging aid only; not something to leave on for a public site.
import cgitb; cgitb.enable()
import cgi
import sys,os
# Appends the process's current working directory to the module search path.
# NOTE(review): which modules resolve then depends on where the server starts
# the script; confirm that directory is not writable by untrusted users.
sys.path.append(os.getcwd())

# NOTE(review): not referenced anywhere in the code shown on this page.
p = 'template'

def template(page, w):
  """Print a complete CGI response (header plus XHTML page shell) to stdout.

  page -- name interpolated into the iframe URL ("<page>_frame.py?p=<page>...").
  w    -- requested layout width as a string; int(w) yields the scale factor
          wn that multiplies every pixel dimension below.

  NOTE: as archived, several statements in this function were hard-wrapped by
  the mail client in the middle of a string literal or expression; those lines
  must be re-joined before the file will parse.
  """
  # NOTE(review): this file uses Python 2 print statements, and under Python 2
  # "/" on two ints floors, so any w below 1024 gives wn == 0 and every
  # width/height below becomes 0 -- confirm that is intended. int() raises
  # ValueError for a non-numeric w; with cgitb enabled at the top of the file
  # that traceback is rendered to the browser.
  wn = int(w)/1024
  # CGI header block: the Content-Type line, then the blank line ending the headers.
  print "Content-Type: text/html"
  print
  print '''
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "
http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<head xmlns="http://www.w3.org/1999/xhtml">
<style type='text/css'>
.text {  font-family: Arial, Helvetica, sans-serif; font-size: 16px;
text-decoration: none; text-align: justify}
</style>
<title>Global Solutions Group</title>
<meta http-equiv="distribution" content="Global" />
<meta http-equiv="robots" content="index all, follow all" />
<meta name="author" content="This web site developed by beno. You may reach
him at his web site [beno.vi], or by dialing 340-773-0687 and asking for
room 102." />
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_preloadImages() { //v3.0
var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length;
i++)
if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}

function MM_swapImgRestore() { //v3.0
var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++)
x.src=x.oSrc;
}

function MM_findObj(n, d) { //v4.01
var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length)
{
d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++)
x=d.forms[i][n];
for(i=0;!x&&d.layers&&i<d.layers.length;i++)
x=MM_findObj(n,d.layers[i].document);
if(!x && d.getElementById) x=d.getElementById(n); return x;
}

function MM_swapImage() { //v3.0
var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array;
for(i=0;i<(a.length-2);i+=3)
if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc)
x.oSrc=x.src; x.src=a[i+2];}
}
//-->
</script>
</head>
<body
onload="MM_preloadImages('images/office-supplies-on.jpg','images/catalog-on.jpg','images/customer-template-on.jpg','images/forms-on.jpg','images/about-on.jpg','images/contact-on.jpg')">
<script language="JavaScript1.2" src="quickmenu/sample_data.js"></script>
<script language="JavaScript1.2" src="quickmenu/dqm_script.js"></script>'''
  # From here on each fragment ends with "<!--" and the next one starts with
  # "-->", so the newline that print emits between them falls inside an HTML
  # comment instead of between table cells.
  print "<table width='%s' bgcolor='#ffffff' cellpadding='0'
cellspacing='0'><!--" % (str(wn*1008))
  print '--><tr><!--'
  print '--><td><!--'
  print '--><img src="images/top.jpg" width="%s" height="%s" alt="" /><!--'
% (str(wn*1008), str(wn*101))
  print '--></td><!--'
  print '--></tr><tr><!--'
  print '--><td><!--'
  print '--><table align="left" width="%s" cellpadding="0"
cellspacing="0"><!--' % (str(wn*1008))
  print '--><tr><!--'
  print "--><td><img src='images/left.jpg' alt='' width='%s' height='%s'
/></td><!--" % (str(wn*219), str(wn*21))
  print '--><td><a href="index.py"
onMouseOver="MM_swapImage("Home","","images/home-on.jpg",1)"
onMouseOut="MM_swapImgRestore()"><img src="images/home-off.jpg" name="Home"
id="Home" alt="Home" width="%s" height="%s" border="0" /></a></td><!--' %
(str(wn*80), str(wn*21))
  print '--><td><a href="Office_Supplies.py"
onMouseOver="MM_swapImage("office-supplies","","images/office-supplies-on.jpg",1)"
onMouseOut="MM_swapImgRestore()"><img src="images/office-supplies-off.jpg"
name="office-supplies" id="office-supplies" alt="office supplies" width="%s"
height="%s" border="0" /></a></td><!--' % (str(wn*137), str(wn*21))
  print '--><td><a href="Catalog.py"
onMouseOver="MM_swapImage("catalog","","images/catalog-on.jpg",1)"
onMouseOut="MM_swapImgRestore()"><img src="images/catalog-off.jpg"
name="catalog" id="catalog" alt="catalog" width="%s" height="%s" border="0"
/></a></td><!--' % (str(wn*86), str(wn*21))
  print '--><td><a href="Customer_Templates.py"
onMouseOver="MM_swapImage("customer-template","","images/customer-template-on.jpg",1)"
onMouseOut="MM_swapImgRestore()"><img src="images/customer-template-off.jpg"
name="customer-template" id="customer-template" alt="customer template"
width="%s" height="%s" border="0" /></a></td><!--' % (str(wn*145),
str(wn*21))
  print '--><td><a href="Forms.py"
onMouseOver="MM_swapImage("forms","","images/forms-on.jpg",1)"
onMouseOut="MM_swapImgRestore()"><img src="images/forms-off.jpg"
name="forms" id="forms" alt="forms" width="%s" height="%s" border="0"
/></a></td><!--' % (str(wn*84), str(wn*21))
  print '--><td><a href="About_Us.py"
onMouseOver="MM_swapImage("about","","images/about-on.jpg",1)"
onMouseOut="MM_swapImgRestore()"><img src="images/about-off.jpg"
name="about" id="about" alt="about us" width="%s" height="%s" border="0"
/></a></td><!--' % (str(wn*101), str(wn*21))
  print '--><td><a href="Contact_Us.py"
onMouseOver="MM_swapImage("contact","","images/contact-on.jpg",1)"
onMouseOut="MM_swapImgRestore()"><img src="images/contact-off.jpg"
name="contact" id="contact" alt="contact us" width="%s" height="%s"
border=0></a></td><!--' % (str(wn*100), str(wn*21))
  print '--><td><img src="images/right.jpg" alt="" width="%s" height="%s"
/></td><!--' % (str(wn*72), str(wn*21))
  print '''--></tr><!--
--></table><!--
--></tr><tr><!--
--><td><!--'''
  print '--><table width="%s" cellpadding="0" cellspacing="0"><!--' %
(str(wn*1008))
  print '--><tr><!--'
  print '--><td width="%s"><!--' % (str(wn*1008))
  print '--><img src="images/bottom.jpg" width="%s" height="%s" alt=""
/><!--' % (str(wn*1008), str(wn*15))
  print '''--></td><!--
--></tr><tr><!--
--><td><!--
--><table class="text"><tr><td><!--
'''
  # NOTE(review): `page` and `w` go into the src attribute without URL- or
  # HTML-escaping, and `w` is the raw request string rather than the parsed
  # integer. int(w) above has already accepted it, which limits what it can
  # hold, but emitting str(int(w)) would make the output depend only on the
  # validated number.
  print '--><iframe src="%s_frame.py?p=%s&w=%s" width="%s" height="%s"
frameborder="0"></iframe><!--' % (page, page, w, str(wn*988), str(wn*400))
  print '''
--></td><!--
--></tr><!--
--></table>
</body>
</html>
'''

TIA,
V

On Mon, Nov 9, 2009 at 1:14 PM, Rami Chowdhury <rami.chowdhury at gmail.com>wrote:

> On Mon, 09 Nov 2009 09:44:24 -0800, Victor Subervi <
> victorsubervi at gmail.com> wrote:
>
>  Did you give up on me?
>> V
>>
>> On Sun, Nov 8, 2009 at 12:40 PM, Victor Subervi <victorsubervi at gmail.com
>> >wrote:
>>
>>  [root at 13gems angrynates.com]# chcon -R -h
>>> unconfined_u:object_r:httpd_sys_content_t global_solutions/*
>>>
>>> Then I surfed to
>>> http://209.216.9.56/global_solutions/index.py
>>>
>>> [root at 13gems angrynates.com]# tail /var/log/messages
>>> Nov  8 04:26:02 13gems syslogd 1.4.1: restart.
>>> [root at 13gems angrynates.com]# tail /var/log/httpd/error_log
>>> [Sun Nov 08 05:35:10 2009] [notice] Digest: generating secret for digest
>>> authentication ...
>>> [Sun Nov 08 05:35:10 2009] [notice] Digest: done
>>> [Sun Nov 08 05:35:10 2009] [notice] mod_python: Creating 4 session
>>> mutexes
>>> based on 10 max processes and 0 max threads.
>>> [Sun Nov 08 05:35:10 2009] [notice] Apache/2.2.3 (CentOS) configured --
>>> resuming normal operations
>>> [Sun Nov 08 07:29:40 2009] [error] [client 66.248.168.98] File does not
>>> exist: /var/www/html/angrynates.com/favicon.ico
>>> [Sun Nov 08 07:29:40 2009] [error] [client 66.248.168.98] (2)No such file
>>> or directory: exec of '/var/www/html/
>>> angrynates.com/global_solutions/index.py' failed, referer:
>>> http://209.216.9.56/global_solutions/
>>> [Sun Nov 08 07:29:40 2009] [error] [client 66.248.168.98] Premature end
>>> of
>>> script headers: index.py, referer: http://209.216.9.56/global_solutions/
>>> [Sun Nov 08 09:38:44 2009] [error] [client 66.248.168.98] File does not
>>> exist: /var/www/html/angrynates.com/favicon.ico
>>> [Sun Nov 08 09:38:44 2009] [error] [client 66.248.168.98] (2)No such file
>>> or directory: exec of '/var/www/html/
>>> angrynates.com/global_solutions/index.py' failed, referer:
>>> http://209.216.9.56/global_solutions/
>>> [Sun Nov 08 09:38:44 2009] [error] [client 66.248.168.98] Premature end
>>> of
>>> script headers: index.py, referer: http://209.216.9.56/global_solutions/
>>>
>>> TIA,
>>> V
>>>
>>> On Sun, Nov 8, 2009 at 12:28 PM, Rami Chowdhury <
>>> rami.chowdhury at gmail.com>wrote:
>>>
>>>  On Sunday 08 November 2009 05:44:31 Victor Subervi wrote:
>>>> > [root at 13gems angrynates.com]# chcon -u unconfined_u -r object_r -t
>>>> > httpd_sys_content_t global_solutions
>>>> > chcon: can't apply partial context to unlabeled file global_solutions
>>>> > Please advise.
>>>>
>>>> Try 'chcon -R -h unconfined_u:object_r:httpd_sys_content_t
>>>> global_solutions/*', which should specify the whole context at once and
>>>> avoid
>>>> that error, as well as apply it recursively to all files and
>>>> subdirectories.
>>>>
>>>> Also, to narrow down the error, can you let us have the output of:
>>>>       tail /var/log/messages
>>>>        tail /var/log/httpd/error_log
>>>>
>>>>
> OK, after all this I've forgotten what your .py file looked like -- can you
> post that please?
>
>
>
> --
> Rami Chowdhury
> "Never attribute to malice that which can be attributed to stupidity" --
> Hanlon's Razor
>
> 408-597-7068 (US) / 07875-841-046 (UK) / 0189-245544 (BD)
>