mysql_connect won't when run from web server - SOLVED - SELINUX
Lisa Kachold
lisakachold at obnosis.com
Mon May 25 15:51:57 MST 2009
Looks like a SELINUX issue:
setsebool -P httpd_can_network_connect_db=1
setsebool -P httpd_can_network_connect=1
should have fixed it.
On 5/25/09, koder <hmichels01 at earthlink.net> wrote:
> Have you ruled out difficulties with file locations, permissions and
> such ilk?
>
> Do we know what environment these files are being run under?
>
> For a file to be run from a browser under Ubuntu you need permissions
> set to user www-data UID:GID 33:33, and located in a directory that
> localhost can find according to your directory setting in the apache
> config files. Red Hat wants user apache, UID:GID, 48:48.
>
> The browser will use the browser root as defined in the apache config
> file. I think you can force it to run in a user directory, but I am
> pretty sure that is not how to get it there.
>
> (Can script activation be accomplished just by pointing a browser at it?
> If so would that be a security issue?)
>
> The other matter would be how the browser is modifying the UserID and
> Password string it is passing to MySQL.
>
> Harold
>
>
> On Mon, 2009-05-25 at 08:15 -0700, Lisa Kachold wrote:
>> Just humor us and rename the hostname to something other than mysql?
>> Try an IP address?
>>
>> On Mon, May 25, 2009 at 12:03 AM, Steven A. DuChene
>> <linux-clusters at mindspring.com> wrote:
>> As I said, on the Apache server I can run the php script just fine and
>> it connects to the remote mysql server just fine. Both servers are here
>> on my local internal network and there is no firewall between them.
>>
>> So to be clear on the Apache system I can run the php mysql connect script
>> just fine like so:
>>
>> Apache$ php ./mysql_php_dbconnectscript.php
>>
>> and it works fine. I really believe this eliminates any port or firewall
>> or ping or FQDN or localhost issues between the two boxes.
>>
>> -----Original Message-----
>> >From: Mike Butash <mike at butash.net>
>> >Sent: May 24, 2009 10:03 PM
>> >To: Main PLUG discussion list
>> <plug-discuss at lists.plug.phoenix.az.us>
>> >Cc: "Steven A. DuChene" <linux-clusters at mindspring.com>
>> >Subject: Re: mysql_connect won't when run from web server
>> >
>> >Is your hostname "mysql" valid, just "ping mysql" and see if you get a
>> >response. Try to connect to "localhost" as well and see if it works.
>> >Most default installs will listen only on 127.0.0.1, not the live IP
>> >most distros bind to the hostname from the network, like 10.x.x.x.
>> >Assure the hostname is valid in your connect string.
>> >
>> >Check that the sql daemon is listening on the right port/address. Try
>> >'netstat -a | egrep "mysql|3306"' without the single quote, see if the
>> >daemon is listening, and on what address - should look like this:
>> >
>> >mb at thrawn:/media/ext0/opt$ netstat -a | grep mysql
>> >tcp 0 0 *:mysql *:* LISTEN
>> >
>> >.. if not, rather like this:
>> >
>> >mb at thrawn:/media/ext0/opt$ netstat -a | grep ssh
>> >tcp 0 0 127.0.0.1:ssh *:* LISTEN
>> >
>> >.. then you might need to tweak the my.cnf to remove the bind addr from
>> >binding only to localhost. Comment it out as such, and it should show
>> >as listening on all ports:
>> >
>> >#bind-address = 127.0.0.1
>> >
>> >If you can telnet to port 3306 from both localhost or the real IP
>> >(telnet localhost 3306), check sql logs for auth errors. I'm most pgsql
>> >than my, but I think this is the tree you'll want to bark up, namely the
>> >binding and socket access.
>> >
>> >Caveat Emptor - This opens general network access to that sql port short
>> >of a firewall, so make sure you secure it adequately. Best bet is to
>> >set your php connection string to connect to localhost, and keep the sql
>> >daemon only bound to localhost. So long as you're not needing any
>> >remote connections, that is.
>> >
>> >-mb
>>
>> >
>> >
>> >On Sun, 2009-05-24 at 20:36 -0700, Lisa Kachold wrote:
>> >> Hi Steven,
>> >>
>> >> On Sun, May 24, 2009 at 3:53 PM, Steven A. DuChene
>> >> <linux-clusters at mindspring.com> wrote:
>> >> Hello all:
>> >> I have a php to mysql database connection script that I am having a
>> >> problem with. I have two systems. One is running apache and also happens
>> >> to be my desktop system. Call this one system Apache. The other system is
>> >> running mysql and let's call this one Mysql.
>> >>
>> >> the connection script is very simple:
>> >>
>> >> <?php
>> >> $dbhost = "Mysql";
>> >> $dbuser = "someuser";
>> >> $dbpass = "NOTREAL";
>> >>
>> >> $conn = mysql_connect($dbhost, $dbuser, $dbpass) or
>> >>     die("Error connecting to mysql");
>> >>
>> >> if ($conn) {
>> >> echo "CONNECT OK";
>> >> }
>> >>
>> >> $dbname = "tmp";
>> >> mysql_select_db($dbname);
>> >> ?>
>> >>
>> >>
>> >> If I run this script from the command line on the Apache system like so:
>> >>
>> >> $ php testmysqlconnect_script.php
>> >>
>> >> and it works fine. However if I run the script from the web browser open
>> >> on the Apache desktop and point it at
>> >> http://localhost/~meuser/testmysqlconnect_script.php
>> >> I get a connection error. Just to confirm I have also used the following
>> >> mysql command from the command line on the Apache system and it works
>> >> fine as well:
>> >>
>> >> mysql --host=Mysql -u someuser -p tmp
>> >>
>> >> and entered the exact same user name as is in my script and I am able to
>> >> connect just fine. I have tried looking at the output from php_info() on
>> >> the Apache web server and it looks normal but I could be missing something.
>> >>
>> >> Anyone have any ideas of what I might be overlooking???
>> >>
>> >> 1) What is apache saying about this? Tail the logs?
>> >> 1.5) Change to FQDN like mysql.mylocalnetwork rather than IP or CNAME
>> >> and retest script.
>> >> 2) Verify you have php extensions enabled (can you run other .php
>> >> files in apache)?
>> >> 3) What does tcpdump on each server say? Do you see the connection go
>> >> out? Do you have a sniffer that you can invoke and filter
>> >> specifically between these two servers? Wireshark?
>> >> 4) Selectively take down firewalling between each server and test to
>> >> verify once you determine it might be switch or router or local
>> >> iptables causing the issues?
>> >> 5) Do you allow scripting from that directory in your Apache
>> >> <directory> tags?
>> >>
>> >>
>> >> --
>> >> Steve DuChene
>> >>
>> >> www.obnosis.com (503)754-4452
>> >> "Contradictions do not exist." A. Rand
>>
>>
>> >> ---------------------------------------------------
>> >> PLUG-discuss mailing list -
>> PLUG-discuss at lists.plug.phoenix.az.us
>> >> To subscribe, unsubscribe, or to change your mail settings:
>> >>
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>> >
>>
>> --
>> www.obnosis.com (503)754-4452
>> "Contradictions do not exist." A. Rand
--
www.obnosis.com (503)754-4452
"Contradictions do not exist." A. Rand
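An added example, not part of the original thread: on the targeted policy the script works from a shell but not under Apache because httpd runs in the confined httpd_t domain, and the blocked connect is logged as a name_connect AVC denial. The sketch below reads such audit lines and names the narrowest boolean for each one; the sample lines are constructed, the function name suggest_httpd_booleans is hypothetical, and it assumes only mysqld_port_t and postgresql_port_t need to be recognised as database port types.

```shell
#!/bin/sh
# Added example: map httpd_t name_connect denials to the narrowest SELinux boolean.

# Constructed audit.log excerpt (not taken from the thread).
SAMPLE_AUDIT='type=AVC msg=audit(1243288317.123:456): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1243288400.500:460): avc:  denied  { name_connect } for  pid=2346 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1243288410.000:461): avc:  denied  { read } for  pid=2347 comm="httpd" name="x.php" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Reads audit lines on stdin and prints "port target_type boolean" for every
# outbound connect that was denied to the httpd_t domain.
suggest_httpd_booleans() {
  while IFS= read -r line; do
    case "$line" in
      *"denied"*"{ name_connect }"*"scontext="*":httpd_t:"*) ;;
      *) continue ;;   # other denials (file reads etc.) need a different fix
    esac
    port=$(printf '%s\n' "$line" | sed -n 's/.* dest=\([0-9][0-9]*\) .*/\1/p')
    ttype=$(printf '%s\n' "$line" |
      sed -n 's/.* tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    case "$ttype" in
      # Database port types: the DB-only boolean is sufficient.
      mysqld_port_t|postgresql_port_t) bool=httpd_can_network_connect_db ;;
      # Anything else needs the broad boolean, which opens every port.
      *) bool=httpd_can_network_connect ;;
    esac
    printf '%s %s %s\n' "$port" "$ttype" "$bool"
  done
}

suggest_httpd_booleans <<EOF
$SAMPLE_AUDIT
EOF
```

On a live host the same function can be fed `ausearch -m avc -c httpd --raw` output. For a MySQL server on port 3306 it reports httpd_can_network_connect_db only, so httpd_can_network_connect can stay off unless a non-database port is also reported.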