Thread: problem connecting to postgres via apache

problem connecting to postgres via apache

From
Susan Cassidy
Date:
I'm having a problem connecting to postgres via a CGI program.  I can connect just fine using the same connect string in a non-cgi perl program as in the perl cgi program.  The error I get is this:

ERROR: Unable to connect to dbname testdb2, err: could not connect to server: Permission denied
Is the server running on host "jacensolo.red.dsic.com" (192.168.10.16) and accepting
TCP/IP connections on port 5432?

I tried adding postgres to the apache user's groups, because I saw something on google that said that that is needed for the socket connection to work, but it didn't help.

I just tried stopping and restarting apache, and when I try to start I get this:


apachectl start
(13)Permission denied: make_sock: could not bind to address [::]:80
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs

I took away the group permission for postgres, just in case that had messed up something, but it didn't help.  Now I can't even start apache.

But, if I do:

[scassidy@jacensolo init.d]$ ps auxww|grep http
apache   15426  0.0  0.0 186416  2740 ?        S    Jan19   0:00 /usr/sbin/httpd -k start
apache   15427  0.0  0.0 186416  2720 ?        S    Jan19   0:00 /usr/sbin/httpd -k start
apache   15428  0.0  0.0 186416  3004 ?        S    Jan19   0:00 /usr/sbin/httpd -k start
apache   15429  0.0  0.0 186416  2740 ?        S    Jan19   0:00 /usr/sbin/httpd -k start
apache   15430  0.0  0.0 186416  2724 ?        S    Jan19   0:00 /usr/sbin/httpd -k start
apache   15431  0.0  0.0 186416  2740 ?        S    Jan19   0:00 /usr/sbin/httpd -k start
apache   15432  0.0  0.0 186416  2988 ?        S    Jan19   0:00 /usr/sbin/httpd -k start
apache   15433  0.0  0.0 186416  2988 ?        S    Jan19   0:00 /usr/sbin/httpd -k start
root     18778  0.0  0.0 184208  2408 ?        Ss    2013   2:25 /usr/sbin/httpd -k start

I'm seeing processes that apparently shouldn't be there.  Maybe that's why it can't connect, because it is already connected?


Should I just kill those processes, do you think?

What could have happened?  It was working just fine before.

Very mysterious.


Susan


Re: problem connecting to postgres via apache

From
Adrian Klaver
Date:
On 01/23/2014 02:55 PM, Susan Cassidy wrote:
> I'm having a problem connecting to postgres via a CGI program.  I can
> connect just fine using the same connect string in a non-cgi perl
> program as in the perl cgi program.  The error I get is this:
>
>
>         ERROR: Unable to connect to dbname testdb2, err: could not
>         connect to server: Permission denied
>         Is the server running on host "jacensolo.red.dsic.com
>         <http://jacensolo.red.dsic.com>" (192.168.10.16) and accepting
>         TCP/IP connections on port 5432?

FYI, in the future you might want to anonymize your host information.
For example   xxx.yyy.zzz.com

Well from the above it looks like you where trying to connect using
TCP/IP not a socket.

What is your connection string?

>
> I tried adding postgres to the apache user's groups, because I saw
> something on google that said that that is needed for the socket
> connection to work, but it didn't help.
>
> I just tried stopping and restarting apache, and when I try to start I
> get this:
>
>
> apachectl start
> (13)Permission denied: make_sock: could not bind to address [::]:80
> (13)Permission denied: make_sock: could not bind to address 0.0.0.0:80
> <http://0.0.0.0:80>
> no listening sockets available, shutting down
> Unable to open logs
>
> I took away the group permission for postgres, just in case that had
> messed up something, but it didn't help.  Now I can't even start apache.

To me it looks like it is already running.

>
>
> Susan
>
>


--
Adrian Klaver
adrian.klaver@gmail.com


Re: problem connecting to postgres via apache

From
Sameer Kumar
Date:

On Fri, Jan 24, 2014 at 7:08 AM, Adrian Klaver <adrian.klaver@gmail.com> wrote:
On 01/23/2014 02:55 PM, Susan Cassidy wrote:
I'm having a problem connecting to postgres via a CGI program.  I can
connect just fine using the same connect string in a non-cgi perl
program as in the perl cgi program.  The error I get is this:


        ERROR: Unable to connect to dbname testdb2, err: could not
        connect to server: Permission denied
        Is the server running on host "jacensolo.red.dsic.com
        <http://jacensolo.red.dsic.com>" (192.168.10.16) and accepting

        TCP/IP connections on port 5432?

FYI, in the future you might want to anonymize your host information. For example   xxx.yyy.zzz.com

Well from the above it looks like you where trying to connect using TCP/IP not a socket.

What is your connection string?

In addition to what has been already asked, can you also check if your firewall is running?


Best Regards,
Sameer Kumar | Database Consultant
ASHNIK PTE. LTD.
101 Cecil Street, #11-11 Tong Eng Building, Singapore 069533
M : +65 8110 0350 T: +65 6438 3504 | www.ashnik.com
www.facebook.com/ashnikbiz | www.twitter.com/ashnikbiz

email patch

This email may contain confidential, privileged or copyright material and is solely for the use of the intended recipient(s).

Attachment

Re: problem connecting to postgres via apache

From
Susan Cassidy
Date:
$dbh = DBI->connect("dbi:Pg:dbname=$dbname;host=${dbserver};port=$dbport;", $dbuser, $dbpasswd) or
 errexit( "Unable to connect to dbname $dbname, err: $DBI::errstr");

The exact same connection string works fine in a standalone perl program.

Susan



On Thu, Jan 23, 2014 at 3:08 PM, Adrian Klaver <adrian.klaver@gmail.com> wrote:
On 01/23/2014 02:55 PM, Susan Cassidy wrote:
I'm having a problem connecting to postgres via a CGI program.  I can
connect just fine using the same connect string in a non-cgi perl
program as in the perl cgi program.  The error I get is this:


        ERROR: Unable to connect to dbname testdb2, err: could not
        connect to server: Permission denied
        Is the server running on host "jacensolo.red.dsic.com
        <http://jacensolo.red.dsic.com>" (192.168.10.16) and accepting
        TCP/IP connections on port 5432?

FYI, in the future you might want to anonymize your host information. For example   xxx.yyy.zzz.com

Well from the above it looks like you where trying to connect using TCP/IP not a socket.

What is your connection string?


I tried adding postgres to the apache user's groups, because I saw
something on google that said that that is needed for the socket
connection to work, but it didn't help.

I just tried stopping and restarting apache, and when I try to start I
get this:


apachectl start
(13)Permission denied: make_sock: could not bind to address [::]:80
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:80
<http://0.0.0.0:80>
no listening sockets available, shutting down
Unable to open logs

I took away the group permission for postgres, just in case that had
messed up something, but it didn't help.  Now I can't even start apache.

To me it looks like it is already running.



Susan




--
Adrian Klaver
adrian.klaver@gmail.com

Re: problem connecting to postgres via apache

From
Tom Lane
Date:
Susan Cassidy <susan.cassidy@decisionsciencescorp.com> writes:
> $dbh = DBI->connect("dbi:Pg:dbname=$dbname;host=${dbserver};port=$dbport;",
> $dbuser, $dbpasswd) or
>  errexit( "Unable to connect to dbname $dbname, err: $DBI::errstr");

> The exact same connection string works fine in a standalone perl program.

Given the permissions errors you mentioned upthread, I'm wondering whether
you're running on Red Hat/CentOS, and if so whether SELinux is preventing
apache from connecting to unexpected port numbers.  I seem to recall
that there's a SELinux boolean specifically intended to allow or disallow
database connections from webservers, but I couldn't tell you the name
offhand.

            regards, tom lane


Re: problem connecting to postgres via apache

From
Susan Cassidy
Date:
I've already checked that.  It is enabled.  I am running Scientific Linux.


On Fri, Jan 24, 2014 at 8:28 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Susan Cassidy <susan.cassidy@decisionsciencescorp.com> writes:
> $dbh = DBI->connect("dbi:Pg:dbname=$dbname;host=${dbserver};port=$dbport;",
> $dbuser, $dbpasswd) or
>  errexit( "Unable to connect to dbname $dbname, err: $DBI::errstr");

> The exact same connection string works fine in a standalone perl program.

Given the permissions errors you mentioned upthread, I'm wondering whether
you're running on Red Hat/CentOS, and if so whether SELinux is preventing
apache from connecting to unexpected port numbers.  I seem to recall
that there's a SELinux boolean specifically intended to allow or disallow
database connections from webservers, but I couldn't tell you the name
offhand.

                        regards, tom lane

Re: problem connecting to postgres via apache

From
Adrian Klaver
Date:
On 01/24/2014 09:35 AM, Susan Cassidy wrote:
> I've already checked that.  It is enabled.  I am running Scientific Linux.

SELinux is enabled?
The database connection value is enabled to allow or disallow webserver
connections?

>
>
> On Fri, Jan 24, 2014 at 8:28 AM, Tom Lane <tgl@sss.pgh.pa.us
> <mailto:tgl@sss.pgh.pa.us>> wrote:
>
>     Susan Cassidy <susan.cassidy@decisionsciencescorp.com
>     <mailto:susan.cassidy@decisionsciencescorp.com>> writes:
>      > $dbh =
>     DBI->connect("dbi:Pg:dbname=$dbname;host=${dbserver};port=$dbport;",
>      > $dbuser, $dbpasswd) or
>      >  errexit( "Unable to connect to dbname $dbname, err: $DBI::errstr");
>
>      > The exact same connection string works fine in a standalone perl
>     program.
>
>     Given the permissions errors you mentioned upthread, I'm wondering
>     whether
>     you're running on Red Hat/CentOS, and if so whether SELinux is
>     preventing
>     apache from connecting to unexpected port numbers.  I seem to recall
>     that there's a SELinux boolean specifically intended to allow or
>     disallow
>     database connections from webservers, but I couldn't tell you the name
>     offhand.
>
>                              regards, tom lane
>
>


--
Adrian Klaver
adrian.klaver@gmail.com


Re: problem connecting to postgres via apache

From
Bret Stern
Date:
Are you calling the perl from apache (assuming yes)..? Does the web
user have the rights to execute the perl code?

Try disabling SELinux..
You'll get it..

On Fri, 2014-01-24 at 09:35 -0800, Susan Cassidy wrote:
> I've already checked that.  It is enabled.  I am running Scientific
> Linux.
>
>
>
> On Fri, Jan 24, 2014 at 8:28 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>         Susan Cassidy <susan.cassidy@decisionsciencescorp.com> writes:
>         > $dbh = DBI->connect("dbi:Pg:dbname=$dbname;host=
>         ${dbserver};port=$dbport;",
>         > $dbuser, $dbpasswd) or
>         >  errexit( "Unable to connect to dbname $dbname, err:
>         $DBI::errstr");
>
>         > The exact same connection string works fine in a standalone
>         perl program.
>
>         Given the permissions errors you mentioned upthread, I'm
>         wondering whether
>         you're running on Red Hat/CentOS, and if so whether SELinux is
>         preventing
>         apache from connecting to unexpected port numbers.  I seem to
>         recall
>         that there's a SELinux boolean specifically intended to allow
>         or disallow
>         database connections from webservers, but I couldn't tell you
>         the name
>         offhand.
>
>                                 regards, tom lane
>
>




Re: problem connecting to postgres via apache

From
Susan Cassidy
Date:
[scassidy@jacensolo ~]$ /usr/sbin/sestatus | grep SELinux
SELinux status:                 enabled
SELinuxfs mount:                /selinux

I have yet to find what to do to enable webserver connections.

Susan


On Fri, Jan 24, 2014 at 9:38 AM, Adrian Klaver <adrian.klaver@gmail.com> wrote:
On 01/24/2014 09:35 AM, Susan Cassidy wrote:
I've already checked that.  It is enabled.  I am running Scientific Linux.

SELinux is enabled?
The database connection value is enabled to allow or disallow webserver connections?



On Fri, Jan 24, 2014 at 8:28 AM, Tom Lane <tgl@sss.pgh.pa.us
<mailto:tgl@sss.pgh.pa.us>> wrote:

    Susan Cassidy <susan.cassidy@decisionsciencescorp.com
    <mailto:susan.cassidy@decisionsciencescorp.com>> writes:
     > $dbh =
    DBI->connect("dbi:Pg:dbname=$dbname;host=${dbserver};port=$dbport;",
     > $dbuser, $dbpasswd) or
     >  errexit( "Unable to connect to dbname $dbname, err: $DBI::errstr");

     > The exact same connection string works fine in a standalone perl
    program.

    Given the permissions errors you mentioned upthread, I'm wondering
    whether
    you're running on Red Hat/CentOS, and if so whether SELinux is
    preventing
    apache from connecting to unexpected port numbers.  I seem to recall
    that there's a SELinux boolean specifically intended to allow or
    disallow
    database connections from webservers, but I couldn't tell you the name
    offhand.

                             regards, tom lane




--
Adrian Klaver
adrian.klaver@gmail.com

Re: problem connecting to postgres via apache

From
Susan Cassidy
Date:
I don't actually know what SELinux is.  What else will happen if I (find out how to) disable it?

Susan


On Fri, Jan 24, 2014 at 9:47 AM, Bret Stern <bret_stern@machinemanagement.com> wrote:
Are you calling the perl from apache (assuming yes)..? Does the web
user have the rights to execute the perl code?

Try disabling SELinux..
You'll get it..

On Fri, 2014-01-24 at 09:35 -0800, Susan Cassidy wrote:
> I've already checked that.  It is enabled.  I am running Scientific
> Linux.
>
>
>
> On Fri, Jan 24, 2014 at 8:28 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>         Susan Cassidy <susan.cassidy@decisionsciencescorp.com> writes:
>         > $dbh = DBI->connect("dbi:Pg:dbname=$dbname;host=
>         ${dbserver};port=$dbport;",
>         > $dbuser, $dbpasswd) or
>         >  errexit( "Unable to connect to dbname $dbname, err:
>         $DBI::errstr");
>
>         > The exact same connection string works fine in a standalone
>         perl program.
>
>         Given the permissions errors you mentioned upthread, I'm
>         wondering whether
>         you're running on Red Hat/CentOS, and if so whether SELinux is
>         preventing
>         apache from connecting to unexpected port numbers.  I seem to
>         recall
>         that there's a SELinux boolean specifically intended to allow
>         or disallow
>         database connections from webservers, but I couldn't tell you
>         the name
>         offhand.
>
>                                 regards, tom lane
>
>



Re: problem connecting to postgres via apache

From
"Daniel Verite"
Date:
    Susan Cassidy wrote:

> [scassidy@jacensolo ~]$ /usr/sbin/sestatus | grep SELinux
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
>
> I have yet to find what to do to enable webserver connections.

setsebool -P httpd_can_network_connect_db 1


Best regards,
--
Daniel
PostgreSQL-powered mail user agent and storage: http://www.manitou-mail.org


Re: problem connecting to postgres via apache

From
Susan Cassidy
Date:
I tried:
setsebool -P httpd_can_network_connect 1

But I get:

Cannot set persistent booleans without managed policy.
Could not change policy booleans

I don't know what that means.

Susan



On Fri, Jan 24, 2014 at 9:38 AM, Adrian Klaver <adrian.klaver@gmail.com> wrote:
On 01/24/2014 09:35 AM, Susan Cassidy wrote:
I've already checked that.  It is enabled.  I am running Scientific Linux.

SELinux is enabled?
The database connection value is enabled to allow or disallow webserver connections?



On Fri, Jan 24, 2014 at 8:28 AM, Tom Lane <tgl@sss.pgh.pa.us
<mailto:tgl@sss.pgh.pa.us>> wrote:

    Susan Cassidy <susan.cassidy@decisionsciencescorp.com
    <mailto:susan.cassidy@decisionsciencescorp.com>> writes:
     > $dbh =
    DBI->connect("dbi:Pg:dbname=$dbname;host=${dbserver};port=$dbport;",
     > $dbuser, $dbpasswd) or
     >  errexit( "Unable to connect to dbname $dbname, err: $DBI::errstr");

     > The exact same connection string works fine in a standalone perl
    program.

    Given the permissions errors you mentioned upthread, I'm wondering
    whether
    you're running on Red Hat/CentOS, and if so whether SELinux is
    preventing
    apache from connecting to unexpected port numbers.  I seem to recall
    that there's a SELinux boolean specifically intended to allow or
    disallow
    database connections from webservers, but I couldn't tell you the name
    offhand.

                             regards, tom lane




--
Adrian Klaver
adrian.klaver@gmail.com

Re: problem connecting to postgres via apache

From
"Daniel Verite"
Date:
    Susan Cassidy wrote:

> Cannot set persistent booleans without managed policy.
> Could not change policy booleans
>
> I don't know what that means.

It probably means you're not root when issuing that command.
Become root or use sudo.

Best regards,
--
Daniel
PostgreSQL-powered mail user agent and storage: http://www.manitou-mail.org


Re: problem connecting to postgres via apache

From
John R Pierce
Date:
On 1/24/2014 11:55 AM, Susan Cassidy wrote:
> I don't actually know what SELinux is.  What else will happen if I
> (find out how to) disable it?

your system will be less secure.



--
john r pierce                                      37N 122W
somewhere on the middle of the left coast



Re: problem connecting to postgres via apache

From
Bret Stern
Date:
SELINUX is a bunch of settings to control security.

If you are able to find it, I was suggesting you disable it
only to see if the Apache problem goes away.

Then to turn it back on.

If it stops working, then there is a setting which is preventing
Apache from being accessed. Locating the specific setting
would be the next step.





On Fri, 2014-01-24 at 11:55 -0800, Susan Cassidy wrote:
> I don't actually know what SELinux is.  What else will happen if I
> (find out how to) disable it?
>
>
> Susan
>
>
>
> On Fri, Jan 24, 2014 at 9:47 AM, Bret Stern
> <bret_stern@machinemanagement.com> wrote:
>         Are you calling the perl from apache (assuming yes)..? Does
>         the web
>         user have the rights to execute the perl code?
>
>         Try disabling SELinux..
>         You'll get it..
>
>         On Fri, 2014-01-24 at 09:35 -0800, Susan Cassidy wrote:
>         > I've already checked that.  It is enabled.  I am running
>         Scientific
>         > Linux.
>         >
>         >
>         >
>         > On Fri, Jan 24, 2014 at 8:28 AM, Tom Lane
>         <tgl@sss.pgh.pa.us> wrote:
>         >         Susan Cassidy
>         <susan.cassidy@decisionsciencescorp.com> writes:
>         >         > $dbh = DBI->connect("dbi:Pg:dbname=$dbname;host=
>         >         ${dbserver};port=$dbport;",
>         >         > $dbuser, $dbpasswd) or
>         >         >  errexit( "Unable to connect to dbname $dbname,
>         err:
>         >         $DBI::errstr");
>         >
>         >         > The exact same connection string works fine in a
>         standalone
>         >         perl program.
>         >
>         >         Given the permissions errors you mentioned upthread,
>         I'm
>         >         wondering whether
>         >         you're running on Red Hat/CentOS, and if so whether
>         SELinux is
>         >         preventing
>         >         apache from connecting to unexpected port numbers.
>          I seem to
>         >         recall
>         >         that there's a SELinux boolean specifically intended
>         to allow
>         >         or disallow
>         >         database connections from webservers, but I couldn't
>         tell you
>         >         the name
>         >         offhand.
>         >
>         >                                 regards, tom lane
>         >
>         >
>
>
>
>




Re: problem connecting to postgres via apache

From
John R Pierce
Date:
On 1/24/2014 12:19 PM, Bret Stern wrote:
> SELINUX is a bunch of settings to control security.
>
> If you are able to find it, I was suggesting you disable it
> only to see if the Apache problem goes away.

do NOT disable it.  set the selinux policy to 'permissive'.    this
causes it to log exceptions but allow them


--
john r pierce                                      37N 122W
somewhere on the middle of the left coast