Very Computer

My question is 2 fold:

     1)  What changes need to be made to .conf files to add a user
<joeblo> so that Apache looks at /home/joeblo/cgi-bin?

and

     2)  What permissions (chmod/chown) need to be set to /home/joeblo
and /home/joeblo/cgi-bin, as well as what are the permissions needed for
the actual scripts?

It seems like such a common question that arises, yet I've searched and
searched for some simple, straight-forward answers.  Yet no luck.  As I
said, I'm a newbie... so speak slowly  =)

Could somebody please provide a step-by-step answer?  I would be _most_
appreciative.

Thanks very much.

Jim

2) Apache usually runs as user 'nobody' and so the scripts run under
that id.  The scripts will not assume the user's identity when they run.

Quote:> I've got Apache 1.3 running on Redhat 7.1.  The installation went just
> fine, and I can execute scripts from /usr/local/apache/cgi-bin.

> My question is 2 fold:

>      1)  What changes need to be made to .conf files to add a user
> <joeblo> so that Apache looks at /home/joeblo/cgi-bin?

> and

>      2)  What permissions (chmod/chown) need to be set to /home/joeblo
> and /home/joeblo/cgi-bin, as well as what are the permissions needed for
> the actual scripts?

> It seems like such a common question that arises, yet I've searched and
> searched for some simple, straight-forward answers.  Yet no luck.  As I
> said, I'm a newbie... so speak slowly  =)

> Could somebody please provide a step-by-step answer?  I would be _most_
> appreciative.

> Thanks very much.

> Jim

Quote:> 1) You really don't want to do that. CGI is a security nightmare when it is
> completely controlled by the best system administrator. Your users
> will be able to do anything that apache can do as user 'nobody'. This
> will open so many security holes you may as well simply do away
> with passwords and advertise it to the network.

So..  again, how do you know I can enable /home/me/cgi-bin?  What needs to be
changed in my .conf files?  And what sort of nifty chown/chmod stuff do I have
to do to the /home/me/cgi-bin directory?

Quote:> 2) Apache usually runs as user 'nobody' and so the scripts run under
> that id.  The scripts will not assume the user's identity when they run.

Thanks for the reply.

ScriptAliasMatch ^/[~](.*)/cgi-bin/(.*) /home/$1/public_html/cgi-bin/$2

Although I personally prefer to be able to run CGI anywhere in my webspace
so I can group relavant html, cgi and data in a dir or connected
subdirectories.

Quote:> and

>      2)  What permissions (chmod/chown) need to be set to /home/joeblo
> and /home/joeblo/cgi-bin, as well as what are the permissions needed for
> the actual scripts?

/home and joeblo need at least 701 permission (dir needs x bit for
access).  Their public_html would need at least 701 for access or 705
minimum to do any Indexing (file listing).

If all CGI runs as 'nobody' or similar, cgi-bin could be as little as 701.  
CGI scripts would need at least 705.  CGI data files (to write) would need
to already exist with 606, or to create new files, the dir would need 707.  
That is rather insecure since anybody elses CGI could access your data
and it may be hard to tell who (as nobody) started any problems.

If you run apache suexec (or cgi-wrap) to run CGI as you, the CGI script
itself can have as little as 700 permission and could access data files
with 600 permission.  But the dir would need at least 701 if it contains
.htaccess, .htpasswd, or any URL accessible non-CGI files (html, images,
etc.), and those files would need at least 604.  It is also easier to
track anything gone astray because it will have a username associated with
it.  Note that under suexec, CGI will refuse to run if script or dir
permission is greater than 755, since more permission would be insecure
and is not necessary when CGI is running as you.

Quote:> It seems like such a common question that arises, yet I've searched and
> searched for some simple, straight-forward answers.  Yet no luck.  As I
> said, I'm a newbie... so speak slowly  =)

--
David Efflandt  (Reply-To is valid)  http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/

I am the user.  jrr is my login.  I want to enable a cgi-bin directory in
/home/jrr/cgi-bin.

What I have done thus far is this:

1) I edited my httpd.conf to look like this:

    ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
    ScriptAlias /cgi-bin/ "/home/jrr/cgi-bin/"

2) I created the directory /home/jrr/cgi-bin

3) I said $chmod 755 /home/jrr/cgi-bin

4) I copied "test-cgi" from /usr/local/apache/cgi-bin to /home/jrr/cgi-bin.

5) I said $chmod 755 /home/jrr/cgi-bin/*

When I reference the URL http://localhost.localdomain/~jrr/cgi-bin/test-cgi I
get this error in the browser:

     Not Found
     The requested URL /~jrr/cgi-bin/test-cgi was not found on this server.
     Apache/1.3.20 Server at 127.0.0.1 Port 80

However, when I reference apache's cgi-bin with
http://localhost.localdomain/cgi-bin/test-cgi, all is well with the world.

So... for some reason it's not working.  One thing that did catch my eye was
in the error message that the browser gave.  Why does it say "The requested
URL /~jrr/cgi-bin/test-cgi was not found on this server."??  It says it can't
find "/~jrr/cgi-bin/test-cgi".  Why doesn't it say the whole path, being
"/home/jrr/cgi-bin/test-cgi", or
"http://localhost.localdomain/~jrr/cgi-bin/test-cgi"?  Or something like
that....

Am I typing in the correct URL in the browser?  Is the way I set my
permissions ok?  Did I edit httpd.conf correctly?  What am I missing?

Seems to me there is something very simple, yet very essential, that I am
missing.

Please... once again...  any help is very much appreciated.

Thank you,

Jimmy

The other major mistake I see you making is that you don't seem
to be looking in the error log.  This is where you will find
useful info on what is going wrong.

Now, on to the solution.

If you simply want to be able to type
http://localhost/~jrr/cgi-bin/test-cgi and have it look for
the cgi-script at /home/jrr/cgi-bin/test-cgi, then the directive
to use is
ScriptAlias /~jrr/cgi-bin/ /home/jrr/cgi-bin/
(If you want to direct requests for the main "/cgi-bin/" directory
to /home/jrr/cgi-bin, then you can remove all the other
ScriptAlias lines and add
ScriptAlias /cgi-bin/ /home/jrr/cgi-bin/
Then you would access the script at http://local/host/cgi-bin/test-cgi)

The only other thing to check is that the directories /home and
/home/jrr/ must be at least searchable by the web server user
in terms of unix permissions.

--
Joshua Slive

http://slive.ca/

Quote:

> the docs.  Briefly, ScriptAlias /x /y means "take all requests for
> paths starting in /x and direct them to the file-system location /y".
> Now, looking at your example, what is the server supposed to do
> when it gets a request for /cgi-bin/file?  How should it know
> whether to serve that from the first location or the second?

Quote:> The other major mistake I see you making is that you don't seem
> to be looking in the error log.  This is where you will find
> useful info on what is going wrong.

Quote:> Now, on to the solution.

Quote:> 2) I created the directory /home/jrr/cgi-bin

> 3) I said $chmod 755 /home/jrr/cgi-bin

> 4) I copied "test-cgi" from /usr/local/apache/cgi-bin to /home/jrr/cgi-bin.

> 5) I said $chmod 755 /home/jrr/cgi-bin/*

> When I reference the URL http://localhost.localdomain/~jrr/cgi-bin/test-cgi I
> get this error in the browser:

>      Not Found
>      The requested URL /~jrr/cgi-bin/test-cgi was not found on this server.
>      Apache/1.3.20 Server at 127.0.0.1 Port 80

You have no ScriptAlias for /~jrr/cgi-bin/.

--

http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/

David> ScriptAliasMatch ^/[~](.*)/cgi-bin/(.*) /home/$1/public_html/cgi-bin/$2

The other way that seems a lot cleaner to me is:

    <Directory /home/*/public_html>
    order allow,deny
    allow from all
    options Indexes Includes SymLinksIfOwnerMatch
    allowoverride All
    directoryindex index.html
    </Directory>

    <Directory /home/*/public_html/cgi>
    options +ExecCGI
    sethandler application/x-httpd-cgi
    </Directory>

I now avoid ScriptAliasMatch now that I know it really doesn't have
special powers. :)

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095

Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

Quote:> The other way that seems a lot cleaner to me is:
>     <Directory /home/*/public_html>
>     order allow,deny
>     allow from all
>     options Indexes Includes SymLinksIfOwnerMatch
>     allowoverride All
>     directoryindex index.html
>     </Directory>
>     <Directory /home/*/public_html/cgi>
>     options +ExecCGI
>     sethandler application/x-httpd-cgi
>     </Directory>

1. I'd use "Options ExecCGI".  This way (without the plus),
the other options get turned off.  Its probably best not to
have things like Includes and SymLinks active in CGI
directories.

2. I think the other line should be
SetHandler cgi-script

--
Joshua Slive

http://slive.ca/

Joshua> 1. I'd use "Options ExecCGI".  This way (without the plus),
Joshua> the other options get turned off.  Its probably best not to
Joshua> have things like Includes and SymLinks active in CGI
Joshua> directories.

Doh!  I've been trying to figure out how to turn those off within
an .htaccess file within the directory.  Doh!

Joshua> 2. I think the other line should be
Joshua> SetHandler cgi-script

Well, they both eventually end up in the same mod_cgi handler, and I
think the MIME type pre-dated the handler type.  But it works. :)

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095

Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!