Thread: problem connecting to postgres via apache
I'm having a problem connecting to postgres via a CGI program. I can connect just fine using the same connect string in a non-cgi perl program as in the perl cgi program. The error I get is this:
ERROR: Unable to connect to dbname testdb2, err: could not connect to server: Permission denied
ERROR: Unable to connect to dbname testdb2, err: could not connect to server: Permission denied
Is the server running on host "jacensolo.red.dsic.com" (192.168.10.16) and accepting
TCP/IP connections on port 5432?
I tried adding postgres to the apache user's groups, because I saw something on google that said that that is needed for the socket connection to work, but it didn't help.
I just tried stopping and restarting apache, and when I try to start I get this:
apachectl start
(13)Permission denied: make_sock: could not bind to address [::]:80
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
I took away the group permission for postgres, just in case that had messed up something, but it didn't help. Now I can't even start apache.
But, if I do:
[scassidy@jacensolo init.d]$ ps auxww|grep http
apache 15426 0.0 0.0 186416 2740 ? S Jan19 0:00 /usr/sbin/httpd -k start
apache 15427 0.0 0.0 186416 2720 ? S Jan19 0:00 /usr/sbin/httpd -k start
apache 15428 0.0 0.0 186416 3004 ? S Jan19 0:00 /usr/sbin/httpd -k start
apache 15429 0.0 0.0 186416 2740 ? S Jan19 0:00 /usr/sbin/httpd -k start
apache 15430 0.0 0.0 186416 2724 ? S Jan19 0:00 /usr/sbin/httpd -k start
apache 15431 0.0 0.0 186416 2740 ? S Jan19 0:00 /usr/sbin/httpd -k start
apache 15432 0.0 0.0 186416 2988 ? S Jan19 0:00 /usr/sbin/httpd -k start
apache 15433 0.0 0.0 186416 2988 ? S Jan19 0:00 /usr/sbin/httpd -k start
root 18778 0.0 0.0 184208 2408 ? Ss 2013 2:25 /usr/sbin/httpd -k start
I'm seeing processes that apparently shouldn't be there. Maybe that's why it can't connect, because it is already connected?
Should I just kill those processes, do you think?
What could have happened? It was working just fine before.
Very mysterious.
Susan
On 01/23/2014 02:55 PM, Susan Cassidy wrote: > I'm having a problem connecting to postgres via a CGI program. I can > connect just fine using the same connect string in a non-cgi perl > program as in the perl cgi program. The error I get is this: > > > ERROR: Unable to connect to dbname testdb2, err: could not > connect to server: Permission denied > Is the server running on host "jacensolo.red.dsic.com > <http://jacensolo.red.dsic.com>" (192.168.10.16) and accepting > TCP/IP connections on port 5432? FYI, in the future you might want to anonymize your host information. For example xxx.yyy.zzz.com Well from the above it looks like you where trying to connect using TCP/IP not a socket. What is your connection string? > > I tried adding postgres to the apache user's groups, because I saw > something on google that said that that is needed for the socket > connection to work, but it didn't help. > > I just tried stopping and restarting apache, and when I try to start I > get this: > > > apachectl start > (13)Permission denied: make_sock: could not bind to address [::]:80 > (13)Permission denied: make_sock: could not bind to address 0.0.0.0:80 > <http://0.0.0.0:80> > no listening sockets available, shutting down > Unable to open logs > > I took away the group permission for postgres, just in case that had > messed up something, but it didn't help. Now I can't even start apache. To me it looks like it is already running. > > > Susan > > -- Adrian Klaver adrian.klaver@gmail.com
On Fri, Jan 24, 2014 at 7:08 AM, Adrian Klaver <adrian.klaver@gmail.com> wrote:
On 01/23/2014 02:55 PM, Susan Cassidy wrote:I'm having a problem connecting to postgres via a CGI program. I can<http://jacensolo.red.dsic.com>" (192.168.10.16) and accepting
connect just fine using the same connect string in a non-cgi perl
program as in the perl cgi program. The error I get is this:
ERROR: Unable to connect to dbname testdb2, err: could not
connect to server: Permission denied
Is the server running on host "jacensolo.red.dsic.com
TCP/IP connections on port 5432?
FYI, in the future you might want to anonymize your host information. For example xxx.yyy.zzz.com
Well from the above it looks like you where trying to connect using TCP/IP not a socket.
What is your connection string?
In addition to what has been already asked, can you also check if your firewall is running?
Best Regards,
Sameer Kumar | Database Consultant
ASHNIK PTE. LTD.
101 Cecil Street, #11-11 Tong Eng Building, Singapore 069533
M : +65 8110 0350 T: +65 6438 3504 | www.ashnik.com
www.facebook.com/ashnikbiz | www.twitter.com/ashnikbiz
This email may contain confidential, privileged or copyright material and is solely for the use of the intended recipient(s).
Attachment
$dbh = DBI->connect("dbi:Pg:dbname=$dbname;host=${dbserver};port=$dbport;", $dbuser, $dbpasswd) or
errexit( "Unable to connect to dbname $dbname, err: $DBI::errstr");
The exact same connection string works fine in a standalone perl program.errexit( "Unable to connect to dbname $dbname, err: $DBI::errstr");
Susan
On Thu, Jan 23, 2014 at 3:08 PM, Adrian Klaver <adrian.klaver@gmail.com> wrote:
On 01/23/2014 02:55 PM, Susan Cassidy wrote:I'm having a problem connecting to postgres via a CGI program. I can
connect just fine using the same connect string in a non-cgi perl
program as in the perl cgi program. The error I get is this:
ERROR: Unable to connect to dbname testdb2, err: could not
connect to server: Permission denied
Is the server running on host "jacensolo.red.dsic.com
<http://jacensolo.red.dsic.com>" (192.168.10.16) and accepting
TCP/IP connections on port 5432?
FYI, in the future you might want to anonymize your host information. For example xxx.yyy.zzz.com
Well from the above it looks like you where trying to connect using TCP/IP not a socket.
What is your connection string?
I tried adding postgres to the apache user's groups, because I saw
something on google that said that that is needed for the socket
connection to work, but it didn't help.
I just tried stopping and restarting apache, and when I try to start I
get this:
apachectl start
(13)Permission denied: make_sock: could not bind to address [::]:80
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:80
<http://0.0.0.0:80>
no listening sockets available, shutting down
Unable to open logs
I took away the group permission for postgres, just in case that had
messed up something, but it didn't help. Now I can't even start apache.
To me it looks like it is already running.
Susan
--
Adrian Klaver
adrian.klaver@gmail.com
Susan Cassidy <susan.cassidy@decisionsciencescorp.com> writes:
> $dbh = DBI->connect("dbi:Pg:dbname=$dbname;host=${dbserver};port=$dbport;",
> $dbuser, $dbpasswd) or
> errexit( "Unable to connect to dbname $dbname, err: $DBI::errstr");
> The exact same connection string works fine in a standalone perl program.
Given the permissions errors you mentioned upthread, I'm wondering whether
you're running on Red Hat/CentOS, and if so whether SELinux is preventing
apache from connecting to unexpected port numbers. I seem to recall
that there's a SELinux boolean specifically intended to allow or disallow
database connections from webservers, but I couldn't tell you the name
offhand.
regards, tom lane
I've already checked that. It is enabled. I am running Scientific Linux.
On Fri, Jan 24, 2014 at 8:28 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Susan Cassidy <susan.cassidy@decisionsciencescorp.com> writes:
> $dbh = DBI->connect("dbi:Pg:dbname=$dbname;host=${dbserver};port=$dbport;",
> $dbuser, $dbpasswd) or
> errexit( "Unable to connect to dbname $dbname, err: $DBI::errstr");
> The exact same connection string works fine in a standalone perl program.
Given the permissions errors you mentioned upthread, I'm wondering whether
you're running on Red Hat/CentOS, and if so whether SELinux is preventing
apache from connecting to unexpected port numbers. I seem to recall
that there's a SELinux boolean specifically intended to allow or disallow
database connections from webservers, but I couldn't tell you the name
offhand.
regards, tom lane
On 01/24/2014 09:35 AM, Susan Cassidy wrote:
> I've already checked that. It is enabled. I am running Scientific Linux.
SELinux is enabled?
The database connection value is enabled to allow or disallow webserver
connections?
>
>
> On Fri, Jan 24, 2014 at 8:28 AM, Tom Lane <tgl@sss.pgh.pa.us
> <mailto:tgl@sss.pgh.pa.us>> wrote:
>
> Susan Cassidy <susan.cassidy@decisionsciencescorp.com
> <mailto:susan.cassidy@decisionsciencescorp.com>> writes:
> > $dbh =
> DBI->connect("dbi:Pg:dbname=$dbname;host=${dbserver};port=$dbport;",
> > $dbuser, $dbpasswd) or
> > errexit( "Unable to connect to dbname $dbname, err: $DBI::errstr");
>
> > The exact same connection string works fine in a standalone perl
> program.
>
> Given the permissions errors you mentioned upthread, I'm wondering
> whether
> you're running on Red Hat/CentOS, and if so whether SELinux is
> preventing
> apache from connecting to unexpected port numbers. I seem to recall
> that there's a SELinux boolean specifically intended to allow or
> disallow
> database connections from webservers, but I couldn't tell you the name
> offhand.
>
> regards, tom lane
>
>
--
Adrian Klaver
adrian.klaver@gmail.com
Are you calling the perl from apache (assuming yes)..? Does the web
user have the rights to execute the perl code?
Try disabling SELinux..
You'll get it..
On Fri, 2014-01-24 at 09:35 -0800, Susan Cassidy wrote:
> I've already checked that. It is enabled. I am running Scientific
> Linux.
>
>
>
> On Fri, Jan 24, 2014 at 8:28 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Susan Cassidy <susan.cassidy@decisionsciencescorp.com> writes:
> > $dbh = DBI->connect("dbi:Pg:dbname=$dbname;host=
> ${dbserver};port=$dbport;",
> > $dbuser, $dbpasswd) or
> > errexit( "Unable to connect to dbname $dbname, err:
> $DBI::errstr");
>
> > The exact same connection string works fine in a standalone
> perl program.
>
> Given the permissions errors you mentioned upthread, I'm
> wondering whether
> you're running on Red Hat/CentOS, and if so whether SELinux is
> preventing
> apache from connecting to unexpected port numbers. I seem to
> recall
> that there's a SELinux boolean specifically intended to allow
> or disallow
> database connections from webservers, but I couldn't tell you
> the name
> offhand.
>
> regards, tom lane
>
>
[scassidy@jacensolo ~]$ /usr/sbin/sestatus | grep SELinux
SELinux status: enabled
SELinuxfs mount: /selinux
I have yet to find what to do to enable webserver connections.SELinux status: enabled
SELinuxfs mount: /selinux
Susan
On Fri, Jan 24, 2014 at 9:38 AM, Adrian Klaver <adrian.klaver@gmail.com> wrote:
On 01/24/2014 09:35 AM, Susan Cassidy wrote:I've already checked that. It is enabled. I am running Scientific Linux.
SELinux is enabled?
The database connection value is enabled to allow or disallow webserver connections?
On Fri, Jan 24, 2014 at 8:28 AM, Tom Lane <tgl@sss.pgh.pa.us
<mailto:tgl@sss.pgh.pa.us>> wrote:
Susan Cassidy <susan.cassidy@decisionsciencescorp.com
<mailto:susan.cassidy@decisionsciencescorp.com>> writes:
> $dbh =
DBI->connect("dbi:Pg:dbname=$dbname;host=${dbserver};port=$dbport;",
> $dbuser, $dbpasswd) or
> errexit( "Unable to connect to dbname $dbname, err: $DBI::errstr");
> The exact same connection string works fine in a standalone perl
program.
Given the permissions errors you mentioned upthread, I'm wondering
whether
you're running on Red Hat/CentOS, and if so whether SELinux is
preventing
apache from connecting to unexpected port numbers. I seem to recall
that there's a SELinux boolean specifically intended to allow or
disallow
database connections from webservers, but I couldn't tell you the name
offhand.
regards, tom lane
--
Adrian Klaver
adrian.klaver@gmail.com
I don't actually know what SELinux is. What else will happen if I (find out how to) disable it?
SusanOn Fri, Jan 24, 2014 at 9:47 AM, Bret Stern <bret_stern@machinemanagement.com> wrote:
Are you calling the perl from apache (assuming yes)..? Does the web
user have the rights to execute the perl code?
Try disabling SELinux..
You'll get it..
On Fri, 2014-01-24 at 09:35 -0800, Susan Cassidy wrote:
> I've already checked that. It is enabled. I am running Scientific
> Linux.
>
>
>
> On Fri, Jan 24, 2014 at 8:28 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Susan Cassidy <susan.cassidy@decisionsciencescorp.com> writes:
> > $dbh = DBI->connect("dbi:Pg:dbname=$dbname;host=
> ${dbserver};port=$dbport;",
> > $dbuser, $dbpasswd) or
> > errexit( "Unable to connect to dbname $dbname, err:
> $DBI::errstr");
>
> > The exact same connection string works fine in a standalone
> perl program.
>
> Given the permissions errors you mentioned upthread, I'm
> wondering whether
> you're running on Red Hat/CentOS, and if so whether SELinux is
> preventing
> apache from connecting to unexpected port numbers. I seem to
> recall
> that there's a SELinux boolean specifically intended to allow
> or disallow
> database connections from webservers, but I couldn't tell you
> the name
> offhand.
>
> regards, tom lane
>
>
Susan Cassidy wrote: > [scassidy@jacensolo ~]$ /usr/sbin/sestatus | grep SELinux > SELinux status: enabled > SELinuxfs mount: /selinux > > I have yet to find what to do to enable webserver connections. setsebool -P httpd_can_network_connect_db 1 Best regards, -- Daniel PostgreSQL-powered mail user agent and storage: http://www.manitou-mail.org
I tried:
setsebool -P httpd_can_network_connect 1
But I get:
Cannot set persistent booleans without managed policy.
Could not change policy booleans
I don't know what that means.setsebool -P httpd_can_network_connect 1
But I get:
Cannot set persistent booleans without managed policy.
Could not change policy booleans
Susan
On Fri, Jan 24, 2014 at 9:38 AM, Adrian Klaver <adrian.klaver@gmail.com> wrote:
On 01/24/2014 09:35 AM, Susan Cassidy wrote:I've already checked that. It is enabled. I am running Scientific Linux.
SELinux is enabled?
The database connection value is enabled to allow or disallow webserver connections?
On Fri, Jan 24, 2014 at 8:28 AM, Tom Lane <tgl@sss.pgh.pa.us
<mailto:tgl@sss.pgh.pa.us>> wrote:
Susan Cassidy <susan.cassidy@decisionsciencescorp.com
<mailto:susan.cassidy@decisionsciencescorp.com>> writes:
> $dbh =
DBI->connect("dbi:Pg:dbname=$dbname;host=${dbserver};port=$dbport;",
> $dbuser, $dbpasswd) or
> errexit( "Unable to connect to dbname $dbname, err: $DBI::errstr");
> The exact same connection string works fine in a standalone perl
program.
Given the permissions errors you mentioned upthread, I'm wondering
whether
you're running on Red Hat/CentOS, and if so whether SELinux is
preventing
apache from connecting to unexpected port numbers. I seem to recall
that there's a SELinux boolean specifically intended to allow or
disallow
database connections from webservers, but I couldn't tell you the name
offhand.
regards, tom lane
--
Adrian Klaver
adrian.klaver@gmail.com
Susan Cassidy wrote: > Cannot set persistent booleans without managed policy. > Could not change policy booleans > > I don't know what that means. It probably means you're not root when issuing that command. Become root or use sudo. Best regards, -- Daniel PostgreSQL-powered mail user agent and storage: http://www.manitou-mail.org
On 1/24/2014 11:55 AM, Susan Cassidy wrote: > I don't actually know what SELinux is. What else will happen if I > (find out how to) disable it? your system will be less secure. -- john r pierce 37N 122W somewhere on the middle of the left coast
SELINUX is a bunch of settings to control security.
If you are able to find it, I was suggesting you disable it
only to see if the Apache problem goes away.
Then to turn it back on.
If it stops working, then there is a setting which is preventing
Apache from being accessed. Locating the specific setting
would be the next step.
On Fri, 2014-01-24 at 11:55 -0800, Susan Cassidy wrote:
> I don't actually know what SELinux is. What else will happen if I
> (find out how to) disable it?
>
>
> Susan
>
>
>
> On Fri, Jan 24, 2014 at 9:47 AM, Bret Stern
> <bret_stern@machinemanagement.com> wrote:
> Are you calling the perl from apache (assuming yes)..? Does
> the web
> user have the rights to execute the perl code?
>
> Try disabling SELinux..
> You'll get it..
>
> On Fri, 2014-01-24 at 09:35 -0800, Susan Cassidy wrote:
> > I've already checked that. It is enabled. I am running
> Scientific
> > Linux.
> >
> >
> >
> > On Fri, Jan 24, 2014 at 8:28 AM, Tom Lane
> <tgl@sss.pgh.pa.us> wrote:
> > Susan Cassidy
> <susan.cassidy@decisionsciencescorp.com> writes:
> > > $dbh = DBI->connect("dbi:Pg:dbname=$dbname;host=
> > ${dbserver};port=$dbport;",
> > > $dbuser, $dbpasswd) or
> > > errexit( "Unable to connect to dbname $dbname,
> err:
> > $DBI::errstr");
> >
> > > The exact same connection string works fine in a
> standalone
> > perl program.
> >
> > Given the permissions errors you mentioned upthread,
> I'm
> > wondering whether
> > you're running on Red Hat/CentOS, and if so whether
> SELinux is
> > preventing
> > apache from connecting to unexpected port numbers.
> I seem to
> > recall
> > that there's a SELinux boolean specifically intended
> to allow
> > or disallow
> > database connections from webservers, but I couldn't
> tell you
> > the name
> > offhand.
> >
> > regards, tom lane
> >
> >
>
>
>
>
On 1/24/2014 12:19 PM, Bret Stern wrote: > SELINUX is a bunch of settings to control security. > > If you are able to find it, I was suggesting you disable it > only to see if the Apache problem goes away. do NOT disable it. set the selinux policy to 'permissive'. this causes it to log exceptions but allow them -- john r pierce 37N 122W somewhere on the middle of the left coast