On a plain HTTP server running Apache with PHP or Perl, every script (PHP, Perl CGI and so on) is executed as the web server user, apache.
A PHP script can therefore read any file on the server that the apache user can read. On a shared host where many users keep their own web pages under their home directories, every site runs as the same apache user, so one user can write a script in his own home directory that reads files in another user's directory.
The solution is CGIWrap. Once it is enabled in the web server, a script is run as the user who owns that script, not as apache, so it can reach only the files that user has access to.
== == ==
Procedure to configure CGIWrap in a new host:
- Install httpd
- [root@jaguar user2]#yum install httpd -y
- Install php
- [root@jaguar user2]#yum install php -y
- Install perl
- [root@jaguar user2]#yum install perl -y
- Start httpd
- [root@jaguar user2]#service httpd start
- Stop iptables (a lab shortcut; on a real host open port 80 instead of turning the firewall off)
- [root@jaguar user2]#service iptables stop
- Put SELinux in permissive mode (also a lab shortcut; with SELinux enforcing, per-user web directories are allowed by the httpd_enable_homedirs boolean)
- [root@jaguar user2]#setenforce 0
Edit httpd.conf
[root@jaguar user2]# vi /etc/httpd/conf/httpd.conf
- Comment the line "UserDir disable"
- Uncomment the line "UserDir public_html"
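The httpd.conf edit above is done by hand in vi. The following script, added here as an example and not part of the original page, makes the same two changes with a backup and a syntax check before httpd is restarted, so a typo cannot take the server down. It assumes GNU-style sed and grep and that the two UserDir lines exist in the file; the function names are this example's own.

```shell
#!/bin/sh
# Added example: enable per-user web directories (UserDir) in httpd.conf.
# Assumed: the file contains a "UserDir disable[d]" line and a commented
# "#UserDir public_html" line, as the stock CentOS httpd.conf does.

# enable_userdir CONF
#   Comments out "UserDir disable(d)" and uncomments "#UserDir public_html",
#   keeping the original indentation. Leaves CONF.bak beside the file.
enable_userdir() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak"
    sed \
        -e 's/^[[:space:]]*UserDir[[:space:]]\{1,\}disable/#&/' \
        -e 's/^\([[:space:]]*\)#[[:space:]]*\(UserDir[[:space:]]\{1,\}public_html\)/\1\2/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# userdir_state CONF
#   Prints "enabled" when an active "UserDir public_html" is present and no
#   active "UserDir disable" line remains, otherwise "disabled".
userdir_state() {
    conf="$1"
    if grep -q '^[[:space:]]*UserDir[[:space:]]\{1,\}public_html' "$conf" \
       && ! grep -q '^[[:space:]]*UserDir[[:space:]]\{1,\}disable' "$conf"; then
        echo enabled
    else
        echo disabled
    fi
}

# apply_and_restart CONF
#   Edit the file, then restart httpd only if the result parses; on a
#   syntax error the backup is restored and nothing is restarted.
apply_and_restart() {
    enable_userdir "$1" || return 1
    if command -v httpd >/dev/null 2>&1; then
        if httpd -t -f "$1"; then
            service httpd restart
        else
            echo "config test failed, restoring $1.bak" >&2
            cp -p "$1.bak" "$1"
            return 1
        fi
    fi
}

# Usage on the host from the steps above (run as root):
#   apply_and_restart /etc/httpd/conf/httpd.conf
```

`userdir_state` is the check to run afterwards: it reports "enabled" only when the public_html directive is active and no active disable line is left, which is the state the two manual edits are meant to reach.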
Create the following Perl files in user2's home directory: one lists the files in user2's own web directory, the other lists the files in user1's web directory.
[root@jaguar user2]# vi /home/user2/public_html/cgi-bin/list_own_dir.pl
=== ====================================
#!/usr/bin/perl
use strict;
use warnings;

# The CGI header must be the first thing written to STDOUT
print "Content-type: text/html\n\n";

# user2's own web directory
my $dir = '/home/user2/public_html';
opendir(my $dh, $dir) or do {
    # Report the failure in the page instead of only in the error log
    print "Cannot open $dir: $!\n";
    exit 1;
};
while (my $file = readdir($dh)) {
    # Ignore dotfiles, including . and ..
    next if $file =~ m/^\./;
    print "$file<br>\n";
}
closedir($dh);
exit 0;
=== ====================================
[root@jaguar user2]# vi /home/user2/public_html/cgi-bin/list_others_dir.pl
==== =========================
#!/usr/bin/perl
use strict;
use warnings;

# The CGI header must be the first thing written to STDOUT
print "Content-type: text/html\n\n";

# Another user's web directory: this is the access CGIWrap is meant to stop
my $dir = '/home/user1/public_html';
opendir(my $dh, $dir) or do {
    # Report the failure in the page instead of only in the error log
    print "Cannot open $dir: $!\n";
    exit 1;
};
while (my $file = readdir($dh)) {
    # Ignore dotfiles, including . and ..
    next if $file =~ m/^\./;
    print "$file<br>\n";
}
closedir($dh);
exit 0;
==== =========================
Ensure ownership and permissions are set correctly (755 makes public_html readable by apache and leaves the scripts executable):
[root@jaguar user2]#chown -R user1:user1 /home/user1
[root@jaguar user2]#chown -R user2:user2 /home/user2
[root@jaguar user2]#chmod -R 755 /home/user1/public_html
[root@jaguar user2]#chmod -R 755 /home/user2/public_html
If you request the two scripts over the web at this point, neither is displayed properly: nothing in this configuration executes .pl files under public_html, so Apache serves them as ordinary files and the browser most likely shows the Perl source as text (which on a real host is itself a leak to avoid).
http://jaguar/~user2/cgi-bin/list_own_dir.pl
http://jaguar/~user2/cgi-bin/list_others_dir.pl
******************
DOWNLOAD AND INSTALL CGIWRAP
- Download CGIWrap from **http://cgiwrap.sourceforge.net/download.html** to /root
- [root@jaguar user2]# cd /root
- [root@jaguar user2]# tar -xvf cgiwrap-xxxx.tar.gz
- [root@jaguar user2]# cd cgiwrap-xxx
- [root@jaguar user2]# ./configure --with-check-shell --with-perl=/usr/bin/perl --with-php=/usr/bin/php --with-php-interpreter --with-install-dir=/var/www/cgi-bin/ --with-httpd-user=apache --with-check-owner
- [root@jaguar user2]# make
- [root@jaguar user2]# make install
- [root@jaguar user2]# vi /etc/httpd/conf/httpd.conf
- Add the following lines at the end of the file (they need mod_actions and mod_rewrite, which the stock CentOS httpd.conf loads, and the default ScriptAlias of /cgi-bin/ to /var/www/cgi-bin/, where cgiwrap was installed):
--------------
AddHandler cgi-wrapper .php
AddHandler cgi-wrapper .cgi
AddHandler cgi-wrapper .pl
Action cgi-wrapper /cgi-bin/cgiwrap
RewriteEngine On
RewriteRule ^/~(.*)/cgi-bin/(.*) /cgi-bin/cgiwrap/$1/$2 [PT]
--------------
- [root@jaguar user2]# service httpd restart
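Before testing with the two Perl scripts, it is worth checking the installation itself. The script below is an added example, not part of the original page or of the CGIWrap distribution: it mirrors the RewriteRule so you can see where a ~user URL ends up, checks that the wrapper is setuid root (CGIWrap cannot switch users otherwise), checks that httpd.conf carries the three essential directives, and writes a tiny CGI that prints the uid it runs under, which is the quickest proof that the wrapper really switches to the script's owner. The paths are assumptions taken from the steps above (the --with-install-dir given to configure and the CentOS httpd.conf location), and the regex in wrapper_path is tightened to [^/]+ so a user name cannot span a slash.

```shell
#!/bin/sh
# Added example: post-install checks for the CGIWrap setup described above.
# Assumed defaults (override via the environment):
CGIWRAP=${CGIWRAP:-/var/www/cgi-bin/cgiwrap}
HTTPD_CONF=${HTTPD_CONF:-/etc/httpd/conf/httpd.conf}

# wrapper_path URLPATH
#   Same mapping as the RewriteRule: /~user/cgi-bin/script -> /cgi-bin/cgiwrap/user/script.
#   Prints the rewritten path, or the input unchanged when the rule would not fire.
wrapper_path() {
    printf '%s\n' "$1" | sed 's#^/~\([^/][^/]*\)/cgi-bin/\(.*\)$#/cgi-bin/cgiwrap/\1/\2#'
}

# has_setuid_bit FILE  -> 0 if the setuid bit is set
has_setuid_bit() { [ -u "$1" ]; }

# owned_by_root FILE   -> 0 if the file's owner is root
owned_by_root() { [ "$(ls -ld "$1" | awk '{print $3}')" = root ]; }

# conf_has_wrapper CONF -> 0 if the Action, AddHandler .pl and RewriteRule lines are present
conf_has_wrapper() {
    grep -q '^[[:space:]]*Action[[:space:]]\{1,\}cgi-wrapper[[:space:]]\{1,\}/cgi-bin/cgiwrap' "$1" &&
    grep -q '^[[:space:]]*AddHandler[[:space:]]\{1,\}cgi-wrapper[[:space:]]\{1,\}\.pl' "$1" &&
    grep -q '^[[:space:]]*RewriteRule.*cgi-bin/cgiwrap/' "$1"
}

# make_id_cgi DEST
#   Writes a minimal CGI that reports the uid/gid it runs under. Put it in
#   ~user/cgi-bin/ and request it: through cgiwrap it must print that user's
#   uid, not apache's. (Script body is this example's own, not the page's.)
make_id_cgi() {
    cat > "$1" <<'EOF'
#!/bin/sh
printf 'Content-type: text/plain\r\n\r\n'
id
EOF
    chmod 755 "$1"
}

# check_install -> prints one line per check; returns 1 if any check fails
check_install() {
    rc=0
    if has_setuid_bit "$CGIWRAP" && owned_by_root "$CGIWRAP"; then
        echo "ok: $CGIWRAP is setuid root"
    else
        echo "FAIL: $CGIWRAP is not setuid root"; rc=1
    fi
    if conf_has_wrapper "$HTTPD_CONF"; then
        echo "ok: $HTTPD_CONF wires the cgi-wrapper handler"
    else
        echo "FAIL: wrapper directives missing from $HTTPD_CONF"; rc=1
    fi
    return $rc
}

# Usage on the host (as root):
#   check_install && make_id_cgi /home/user2/public_html/cgi-bin/id.cgi
#   then request http://jaguar/~user2/cgi-bin/id.cgi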
If you request the two scripts over the web now, both are displayed properly: cgiwrap runs each of them as user2, and because public_html is still 755 (world-readable), user2 can list user1's directory just as apache could before.
http://jaguar/~user2/cgi-bin/list_own_dir.pl
http://jaguar/~user2/cgi-bin/list_others_dir.pl
Now tighten the permissions so that other users can no longer read the web directories:
******************
[root@jaguar user2]#chmod -R 750 /home/user1/public_html
[root@jaguar user2]#chmod -R 750 /home/user2/public_html
Although public_html is now 750, the script that lists user2's own directory still works, because cgiwrap runs it as user2, the owner:
- http://jaguar/~user2/cgi-bin/list_own_dir.pl
The script that lists user1's directory no longer works: it also runs as user2, who is neither the owner of /home/user1/public_html nor in user1's group, so opendir is refused with "Permission denied".
- http://jaguar/~user2/cgi-bin/list_others_dir.pl
Note the trade-off: with 750, the apache user can no longer enter public_html either, so static files there stop being served unless apache is added to the owner's group; only requests routed through cgiwrap keep working.