
Re: CGI problem in OpenBSD 3.2



Here is a revision of the diff. It is a lot more specific.
Thanks Jolan for strongly_suggesting that. This is one way
to get CGI working in the chroot apache that works just fine
here. Let me know if it works equally as well for your 3.2.

Best Regards,
dreamwvr_(_at_)_dreamwvr_(_dot_)_com

-- 
/*  Security is a work in progress - dreamwvr                 */
#                                                             
# Note: To begin Journey type man afterboot,man help,man hier[.]      
#                                                             
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]
--- faq10.html.orig	Tue Mar 11 13:12:56 2003
+++ faq10.html	Sat Mar 15 21:11:56 2003
@@ -37,8 +37,9 @@
 <li><a href="#ftpchroot"     >10.14 - Confining users to their home directories in ftpd(8)</a>
 <li><a href="#Patches"       >10.15 - Applying patches in OpenBSD</a>
 <li><a href="#httpdchroot"   >10.16 - Tell me about chroot() Apache?</a>
-<li><a href="#rootshell"     >10.17 - I don't like the standard root shell!</a>
-<li><a href="#ksh"           >10.18 - What else can I do with ksh?</a>
+<li><a href="#cgiperlchroot" >10.17 - How do I get CGI working using chrooted Apache?</a>
+<li><a href="#rootshell"     >10.18 - I don't like the standard root shell!</a>
+<li><a href="#ksh"           >10.19 - What else can I do with ksh?</a>
 </ul>
 
 <hr>
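Review bot: The new index entry is titled "How do I get CGI working using chrooted Apache?" while the section heading added later in this patch reads "How do I get CGIs working using chrooted Apache?". Make the two titles identical so the index matches the section.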
@@ -841,9 +842,8 @@
 
 <blockquote><pre>
 # <strong>cat krb.realms</strong>
-avalanche.ciarasystems.com      >
-<HR><H3>Transfer interrupted!</H3>
-            CIARASYSTEMS.COM
+avalanche.ciarasystems.com      CIARASYSTEMS.COM
+.ciarasystems.com               CIARASYSTEMS.COM
 </pre></blockquote>
 
 <p>
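Review bot: This krb.realms change is unrelated to the chroot CGI entry, and the removed lines (`<HR><H3>Transfer interrupted!</H3>`) look like a truncated download in the local faq10.html.orig rather than text from the real FAQ. Regenerate the diff against a clean copy of faq10.html so this hunk drops out; if the added `.ciarasystems.com` line is a genuine correction, send it as a separate patch.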
@@ -1620,7 +1620,6 @@
 non-trivial and requires considerable programming knowledge -- most
 users will find it easier to just disable the chroot(2) feature until
 they are updated.
-
 </ul>
 
 In some cases, the application or configuration can be altered to run
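Review bot: The only change in this hunk is deleting the blank line before `</ul>`, which has nothing to do with the new section. Drop this whitespace-only change to keep the patch focused.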
@@ -1628,8 +1627,36 @@
 feature using the <tt>-u</tt> option for httpd(8) in 
 <i><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rc.conf&amp;sektion=8";>/etc/rc.conf</a></i>
 
+<a name="cgiperlchroot"></a>
+<h2>10.17 - How do I get CGIs working using chrooted Apache?</h2>
+<p>
+Here is one way to enable CGI in chrooted Apache environment.
+As indicated previously you need to examine each of your CGI programs on a case by case basis.
+Since what each CGI program does may very well be prohibited in the chroot environment. This 
+also does not mean you are immune to badly written CGI programs. Any problems have just shifted
+further up the {tree,creek}. First consider ModPerl, then if CGI is still a 
+requirement due to the breadth of platforms etc see below.
+
+<br>
+Specifically proceed as follows: <br>
+<br>
+create your two directories over as follows.<br>
+#mkdir -p /var/www/usr/lib<br>
+#mkdir -p /var/www/usr/libexec<br>
+(Note: your perl libraries may differ but here is an example for 3.2)
+#for p in /usr/lib/libperl.so.6.1 /usr/lib/libm.so.0.1 \
+#/usr/lib/libc.so.28.5 /usr/lib/libutil.so.7.1;<br>
+#do<br>
+#cp -p $i /var/www/usr/lib<br>
+#done;<br>
+#cd /usr/libexec && cp -p ld.so /var/www/usr/libexec/ld.so  <br><br>
+
+That it your done!<br>
+<br>
+hint: Remember to test printenv located in /var/www/cgi-bin as normal user. Disable printenv 
+when complete.<br>
 <a name="rootshell"></a>
-<h2>10.17 - I don't like the standard root shell!</h2>
+<h2>10.18 - I don't like the standard root shell!</h2>
 The default shell for <i>root</i> on OpenBSD is 
 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=csh&amp;sektion=1";>csh</a>,
 due primarily to tradition. There is no requirement that OpenBSD have
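Review bot: The copy loop declares its variable as `p` (`for p in /usr/lib/libperl.so.6.1 ...`) but the body runs `cp -p $i /var/www/usr/lib`, so `$i` is unset and none of the libraries are copied into the chroot; use `$p` in the body. The steps also never place the perl interpreter itself under /var/www, only libperl and ld.so, so a reader following them literally still has no perl to run inside the chroot. On markup: the "(Note: ...)" line and the first line of the `for` have no trailing `<br>` and will run together when rendered, `&&` should be written `&amp;&amp;`, the opening `<p>` is never closed, and "That it your done!" should read "That's it, you're done!". Putting the commands in `<blockquote><pre>` with a `# <strong>...</strong>` prompt, as the krb.realms example in this file does, would also stop the leading `#` from being read as a shell comment when pasted.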
@@ -1676,7 +1703,7 @@
 issue -- just don't log in as root.
 
 <a name="ksh"></a>
-<h2>10.18 - What else can I do with <i>ksh</i>?</h2>
+<h2>10.19 - What else can I do with <i>ksh</i>?</h2>
 In OpenBSD, 
 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ksh&amp;sektion=1";>ksh</a>
 is <a href="http://web.cs.mun.ca/~michael/pdksh/";>pdksh</a>, the Public


