How can I read files outside the cgi-bin folder? - cgi

I've written a cgi script that processes data that is generated by another program. The problem is that this file is located outside the cgi-bin. How can I make sure that my perl scripts can read this file? I've already tried changing the permissions of this file and I also tried to make a link in the cgi-bin folder but Apache is too smart for that. I guess possible solutions are:
Edit the Apache config file in a way that Apache can read files outside the cgi-bin.
Run the cgi script with a 'portable' webserver. Like you can do with python (python -m http.server [port]). Unfortunately this does not execute the perl cgi scripts.
I'm kind of stuck on how to do either one of the solutions.

Your CGI script could access anything on your OS unless you run Apache under a sort of jail, in which case you can read anything in the jail. (Of course, only if the Apache process has permission to read the file.)
E.g., the next simple script will print out your password file:
use strict;
use warnings;
use CGI;
my $q=CGI->new();
print $q->header();
print qx(cat /etc/passwd);
About modern Perl web-app development, read the following:
PSGI: What is it and what's the fuss about?
plack advent calendar: http://advent.plackperl.org/2009/12/day-1-getting-plack.html (buy the ebook if you can here: http://handbook.plackperl.org )
https://github.com/plack/Plack
Get some modern web framework from CPAN - there are many (maybe too many) - the best known are:
Dancer (Dancer2)
Mojolicious
Poet/Mason
and of course, the big-gun: Catalyst
I personally mostly use
Poet/Mason
Mojolicious
EDIT
In your cgi-bin there should exist a script called printenv.pl. Try:
chmod 755 printenv.pl
and point your browser to http://address/cgi-bin/printenv.pl. You will get the Apache environment. See, you must know the basics of operating system commands and how the web works to successfully run a web application. It is impossible to write down everything in one answer; you need to use Google, read answers to other questions here, and such.
Also, in the above script, you can change the cat /etc/passwd to any other shell command, for testing only, to see what your CGI script can or cannot do.
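Added example (not part of the answer above and not the asker's code): a CGI script that reads one fixed file outside cgi-bin without shelling out, and records in the server error log which path component the web server account cannot get past. The path /srv/appdata/results.txt is a hypothetical placeholder.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use File::Spec;

# Assumption: hypothetical absolute path of the file the other program writes.
my $DATA_FILE = '/srv/appdata/results.txt';

# Walk from / down to the file and name the first component that the
# effective user (the web server account) cannot get past. The file's own
# mode is not enough: every parent directory needs the search (x) bit.
sub first_blocked_component {
    my ($path) = @_;
    my (undef, $dirs, $file) = File::Spec->splitpath($path);
    my $cur = File::Spec->rootdir;
    for my $part (grep { length } File::Spec->splitdir($dirs)) {
        $cur = File::Spec->catdir($cur, $part);
        return "$cur does not exist"                unless -e $cur;
        return "$cur is not searchable (x missing)" unless -x $cur;
    }
    my $full = File::Spec->catfile($cur, $file);
    return "$full does not exist"              unless -e $full;
    return "$full is not readable (r missing)" unless -r $full;
    return;    # nothing in the path blocks access
}

# Send details to the server error log only; the client gets a generic 500.
sub fail {
    my ($q, $detail) = @_;
    my $user = getpwuid($>) // $>;    # account the script really runs as
    warn "cannot serve $DATA_FILE as $user: $detail\n";
    print $q->header(-status => '500 Internal Server Error', -type => 'text/plain');
    print "Data is currently unavailable.\n";
    exit;
}

my $q = CGI->new;
if (defined(my $why = first_blocked_component($DATA_FILE))) {
    fail($q, $why);
}

# Open the fixed path directly: no shell, no request-supplied path.
open(my $fh, '<', $DATA_FILE) or fail($q, "open failed: $!");
print $q->header(-type => 'text/plain', -charset => 'utf-8');
print while <$fh>;
close $fh;
```

The -r and -x tests look at mode bits only, so an ACL or a mandatory access control policy can still deny the open; that is why the open error itself is logged as well.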

I've solved this problem by using plackup in combination with PSGI.
use CGI::Emulate::PSGI;
use CGI::Compile;
my $sub = CGI::Compile->compile("location/to/script.cgi");
my $app = CGI::Emulate::PSGI->handler($sub);
If you run plackup file.psgi, it sets up a local webserver that runs as the current user. Problem solved.

Related

Run exec()/system() etc command using PHP & OpenBSD

I am trying to run a simple command say ls -l on OpenBSD shell (uname -r: 6.4) using php 5.6.
<?php
$output = shell_exec('ls -l');
echo "<pre>$output</pre>";
?>
There is no output from the above code, just the pre tag when inspecting elements.
So what is causing this issue? I tried using the same command using
System
Shell_exec
exec
No luck. What would be the cause of this? Probably System/shell_exec is not supported in OpenBSD's version of PHP, or something else.
Thanks in advance!
You haven't given enough information for a definitive answer, but my
guess is that you run php through php-fpm, which is by default chrooted
to /var/www. Since shell_exec and system first call /bin/sh and you
most likely didn't copy it to /var/www/bin/sh, it can't find your shell.
After that you'd also need to copy the binaries (in this case ls) to
your chroot and possible library dependencies (not needed for files
under /bin).
Hope this helps for illustrative purposes, but please don't use it in
production.

perl Dancer problems while running CGI with dispatch.cgi

I'm trying to get my project running on Dancer (Perl 5.16.3 and CentOS 5.10), and so far it was a pleasant experience - until I tried to deploy it on a server.
I've decided to do the simplest thing and run it as CGI app with help
of default dispatch.cgi script from Dancer distribution.
I used default apache settings from Dancer::Deployment manual, but
something went wrong. After a day of struggle with half-working
project I deduced the following strange thing: while running through
dispatch.cgi, my project is able to read from sqlite database, but it
cannot write into database, so Dancer::Session::DBI was not working
properly and hence the problems.
If I run the project with stand-alone app.pl or with
plackup -E production -p 80 bin/app.pl
it works fine and able to insert data into DB. I've tried to change
permissions to 0666 on sqlite db file, but it didn't help.
So why is there a problem with sqlite while running as CGI, and how do I fix this?
Well, it was a permissions problem, but not for the database file - for the directory containing that file!
Apparently, sqlite creates some temp files while updating databases.
Beware.
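Added example (not from the original post): a check for the situation described above, where the database file is writable but the directory that SQLite must create its journal in is not. The default database path is a hypothetical placeholder.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Basename qw(dirname);

# List the reasons the effective user could not write to a SQLite database.
# SQLite creates side files next to the database (a rollback journal, or
# -wal/-shm files in WAL mode), so the directory matters as much as the file.
sub sqlite_write_problems {
    my ($db) = @_;
    my $dir = dirname($db);
    my $who = getpwuid($>) // $>;    # account this check runs as
    my @problems;

    if (!-e $db)    { push @problems, "$db does not exist" }
    elsif (!-w $db) { push @problems, "$db is not writable by $who" }

    push @problems, "directory $dir is not writable and searchable by $who, "
        . "so no journal can be created there"
        unless -w $dir && -x $dir;

    # Side files left behind by a run under another account can block writes too.
    for my $side (map { $db . $_ } qw(-journal -wal -shm)) {
        next if !-e $side || -w $side;
        my $uid   = (stat $side)[4];
        my $owner = getpwuid($uid) // $uid;
        push @problems, "$side is owned by $owner and not writable by $who";
    }
    return @problems;
}

# Assumption: hypothetical default path; pass the real database as an argument.
my $db = shift(@ARGV) // '/var/www/myapp/data/sessions.db';
my @problems = sqlite_write_problems($db);
print "PROBLEM: $_\n" for @problems;
print "OK: file and directory are writable\n" unless @problems;
exit(@problems ? 1 : 0);
```

Run it as the account the CGI executes under, since the file tests use the effective user ID of the process.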

Serving lua pages in apache windows

I have been using php for CGI scripting for some time now and recently got interested in lua.
I installed the latest version of luarocks (2.1.2) and the bundled version of lua (5.1.4). I wanted to start from the basics and hence installed cgilua (5.1.4-2) and all its dependencies using "luarocks install cgilua".
I am able to run simple lua scripts using the shebang line to point to my lua interpreter, but when I use it to point to the cgi launcher "cgilua.cgi.exe" to run .lp files it just won't work. I edited my httpd configuration file to allow cgi execution in my htdocs and cgi-bin directory and used the cgi-script handler for .lp pages. I am trying to run the login.lp example in the cgilua examples directory. I even added the line "Content-type:text/html" to no avail. Executing the cgilua.cgi.exe file from the command line without arguments just closes the application with the message "cgilua.cgi.exe stopped working".
Could anyone tell me what am I missing? Maybe the launcher is supposed to be used in a different way?
I don't suppose permissions have a part to play in this as in windows all users have at least read and execute permissions.
The url I'm trying to access is http://localhost/login.lp. My apache error log shows "Premature end of script headers: login.lp" with a 500 internal server error and the same thing if I access http://localhost/cgilua.cgi.exe
I don't know what your requirements are, but perhaps it will be easier to simply use apache's mod_lua.
http://httpd.apache.org/docs/trunk/mod/mod_lua.html

NSTask, command line tools and root

I'm working on an app that needs to use dd (I do this with a shell script in the app bundle, that collects parameters from the app itself, makes some checks and then launches dd).
To make this operation I need to call dd with root, and I already looked at several solutions on StackOverflow. The simplest to implement seemed to me to be this one: http://www.sveinbjorn.org/STPrivilegedTask
Problem is that my NSTask makes some complex read/write operations (not present in STPrivilegedTask) and does not need to be all privileged.
So I wrote a small helper tool in C that calls my script with the correct parameters from my app. The solution I thought of is to use STPrivilegedTask to SUID my small helper tool on the fly, so I can launch it (and so my script and dd) with root, and soon after a successful launch I set the helper tool back to non-SUID (and I do the same on any error, on app exit, app start etc. to be safer).
I implemented it and works quite well, maybe it's not perfect but I think that being all inside the bundle, and working with the helper tool in SUID just for the launch sounds safe enough.
Any thoughts?
Thanks!
You can use a sandbox for running the new Process in your NSTask
sandbox-exec -f <profile> <command>
sandbox-exec -f my_profile.sb /bin/dd if=/dev/disks01 of=/dev/target
http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/sandbox-exec.1.html
You have some profile examples in here
/usr/share/sandbox/
You have to give enough access for dd to work, I haven't tried or checked what dd requires, I would start with something like this:
(version 1)
(deny default)
(debug deny)
(import "system.sb")
(allow file-read-data file-write-data file-ioctl (regex #"^/dev/.*$"))
(allow process-exec (literal "/usr/sbin/helper"))
Update:
Worth mentioning, you can use
sandbox-exec -p command

Debugging Solaris OS crash

I have access to a remote Solaris terminal which crashes occasionally, and I have to ask someone with physical access to boot the machine up, which it does successfully. I would like to know which tools/files should I look at to find out the cause of the crash so that I can make the necessary configuration changes and avoid it in the future.
What tools you can use will depend on what version of Solaris you have running and what the actual problem is. The first thing to do is check the system console (which it sounds like you don't have access to) and the /var/adm/messages file. This file is updated with system messages and the newest will appear at the end.
Next, you can look for a system core file. If a core file is created, it would be in /var/crash/hostname where "hostname" is the name of the machine.
If you have an actual core file in the /var/crash/hostname directory, this set of commands will give you a good string to search Google with:
# cd /var/crash/hostname
Replace "hostname" with the hostname of your machine.
# mdb -k unix.0 vmcore.0
If you have multiple core files, select the most recent version.
> ::status
This should give you a panic message, cut and paste that into google and see what you can find.
For more core file analysis read this:
http://cuddletech.com/blog/pivot/entry.php?id=965