Apache [PTY errors] in cgi-perl file when creating a new Expect object
I have a Perl script:
#!/usr/bin/perl -w
use DateTime;
use Expect;
use IO::Pty;
use CGI::Fast;

# FastCGI loop: one iteration per request
while (my $q = CGI::Fast->new) {
    my $ip       = $q->param('ip');
    my $folder   = $q->param('folder');
    my $username = $q->param('username');
    my $password = $q->param('password');

    print "Content-type: text/html\r\n\r\n";
    print "<head>\n<title>FastCGI</title>\n</head>";
    # Escape the request values before echoing them into the page
    my @shown = map { $q->escapeHTML($_) } ($ip, $folder, $username, $password);
    print "<h3> " . join(' - ', @shown) . " </h3>";

    my $ssh = Expect->new;
    # List form: the request parameters are passed to ssh as separate
    # arguments and are never interpreted by a shell.
    if ($ssh->spawn("ssh", "-q", "-l", $username, $ip)) {
        print "<h4>Connexion OK</h4>";
    } else {
        print "Error\n";
        die "Connexion failed, $!";
    }
}
The execution of this script creates some errors in my Apache error log:
[error] [client x.x.x.x] pty_allocate(nonfatal): posix_openpt(): Permission denied at /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi/IO/Pty.pm line 24., referer: http://y.y.y.y/login
[error] [client x.x.x.x] pty_allocate(nonfatal): getpt(): No such file or directory at /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi/IO/Pty.pm line 24., referer: http://y.y.y.y/login
[error] [client x.x.x.x] pty_allocate(nonfatal): openpty(): No such file or directory at /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi/IO/Pty.pm line 24., referer: http://y.y.y.y/login
[error] [client x.x.x.x] pty_allocate(nonfatal): open(/dev/ptmx): Permission denied at /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi/IO/Pty.pm line 24., referer: http://y.y.y.y/login
[error] [client x.x.x.x] Cannot open a pty at /var/www/cgi-bin/cgi2.pl line 18, referer: http://y.y.y.y/login
I understand the error as it says it can't open a PTY (with the new Expect command).
Is it really a problem of permission (and how to fix that) or is it impossible to use the Expect command in a cgi file?
Thanks for your advice.
Comments (3)
This is because httpd_sys_script_t doesn't have selinux permissions to read/write a pty, but the following selinux policy will allow it:
You might be able to change to
class chr_file rw_chr_file_perms;
, and
allow httpd_sys_script_t ptmx_t:chr_file rw_chr_file_perms;
, depending on how recent your selinux policy is. The above will work with rhel5, the macro in this line will work with rhel6.
Or, from advice from #selinux on freenode:
Basically, the apache policy has a way to create your own content type. Create the content type for your script in the above code fragment. Then use your new avc denials and add to the policy file myhttpd.te above. This will keep you from allowing all httpd processes from accessing pty's, just the one you specify. You would probably do the following afterwards:
added onto the end of myhttpd.te (or whatever you want to call the module), and recompile and load (make and semodule above).
I believe this is an SELinux problem; check your log for SELinux errors and adjust your policy accordingly.
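Both answers above rely on reading the AVC denials (to confirm the SELinux cause, and to extend myhttpd.te). As an added example, not part of the original answers, this script turns the denials logged for one domain into candidate allow rules, a small stand-in for what audit2allow does. The audit records are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample audit records (not from the page): two pty denials for the
# CGI domain and one unrelated denial that must be ignored.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1300000000.101:41): avc:  denied  { read write } for  pid=2211 comm="cgi2.pl" name="ptmx" dev=tmpfs ino=5120 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1300000000.202:42): avc:  denied  { ioctl } for  pid=2211 comm="cgi2.pl" name="ptmx" dev=tmpfs ino=5120 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1300000000.303:43): avc:  denied  { getattr } for  pid=900 comm="ntpd" path="/etc/foo" dev=dm-0 ino=77 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# avc_to_allow DOMAIN: read audit records on stdin and print one candidate
# allow rule per (target type, class) denied to DOMAIN, permissions merged.
avc_to_allow() {
    awk -v dom="$1" '
    / avc: / && / denied / {
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != dom) next
        key = tgt SUBSEP cls
        inside = 0                      # set while between "{" and "}"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inside = 1; continue }
            if ($i == "}") break
            if (inside && !seen[key, $i]++) perms[key] = perms[key] " " $i
        }
    }
    END {
        for (k in perms) {
            split(k, p, SUBSEP)
            printf "allow %s %s:%s {%s };\n", dom, p[1], p[2], perms[k]
        }
    }' | sort
}

sample_avc | avc_to_allow httpd_sys_script_t
```

On a real host, feed it /var/log/audit/audit.log instead of the sample, and review each emitted rule before adding it to the policy module.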
This will solve your problem: