
Re: [cobalt-users] Secure CGI on a RaQ4



In article <NEBBKBOOOLHLLBGNGGNBAECOCGAA.main@xxxxxxxxxxxxxxxxxxxx> you wrote:
| TEMPORARY?? FIX FOR SECURE CGI PROBLEM
| 
| I recently added shared SSL on a RaQ4 server.
| 
| Now, any site on the server can use SSL like so...
| https://www.main-secure-domain.com/secure/www.anydomain.com/nameoffile.html
| 
| I ran into a problem with attempting to process secure cgi scripts...
| https://www.server600.net/secure/www.avidinternet.com/formmail.pl
| 
| I kept getting an Internal Server Error.  I understand that I must use some
| type of ScriptAlias to make this work.  However, numerous visits to the
| Cobalt.com site, the archives, and Redhat Linux config manuals
| (http://www.redhat.com/support/manuals/RHL-7-Manual/ref-guide/ch-configuration.html)
| have resulted in nothing but late nights and some new circles under
| my eyes.

Hi Bill,

The problem with running CGIs through an AliasMatch is that cgiwrap relies
heavily on the PATH_INFO and PATH_TRANSLATED variables to determine
what script to run and to perform security checks.  Much of this is because
cgiwrap is a third-party app, not an Apache module--it must take the
environment that Apache gives for granted.  So an AliasMatch like:

    AliasMatch ^/secure/([^/]+)(/(.*))? /home/sites/$1/web/$3

passes cgiwrap PATH_INFO and PATH_TRANSLATED variables that do not match up:

    PATH_TRANSLATED=/home/sites/www.domain.com/web/script.cgi
    PATH_INFO=/secure/www.domain.com/script.cgi

Fixing this part is a pretty trivial change to the AliasMatch:

    AliasMatch ^/secure/([^/]+)(/(.*))? /home/sites/$1/web/secure/$1/$3

but it means secure CGIs must be in the directory specified by PATH_INFO,
in relation to the web root of the site.  After this CGIs will work, but
only if you refer to the site by its groupname, not the fqdn.  This is
because it does security checks against the groupname given by the 
PATH_TRANSLATED variable (the $1 regex from the AliasMatch) and fails
because the group "www.domain.com" does not exist.

To fix this I modified cgiwrap to obtain the group info from the file
referred to by PATH_TRANSLATED, which it then compares to the owner of the
file to verify the user is a member of that group (a site administrator).
This may not be the ideal solution, but it is minor and doesn't require
making massive changes to cgiwrap.  Now with the above AliasMatch and
this cgiwrap change you can access CGIs like so:

    https://www.secure-server.com/secure/www.domain.com/formmail.pl

If the script is in:

    /home/sites/www.domain.com/web/secure/www.domain.com/formmail.pl

You can find the new cgiwrap RPM (and SRPM) at:

ftp://ftp.cobaltnet.com/pub/users/duncan/cgiwrap/cgiwrap-3.6.4-C11.i386.rpm


-duncan
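The two failures Duncan walks through (PATH_INFO and PATH_TRANSLATED disagreeing under the first AliasMatch, and the group check failing on an fqdn under the second) can be reproduced with a small model. The Python below is an added example, not part of the thread and not cgiwrap's or Cobalt's code: it applies the AliasMatch substitution the way Apache does, then runs the two checks the e-mail names, once with the group taken from the URL's $1 component (stock cgiwrap, as described) and once with the group taken from the script file's ownership (the modified cgiwrap). The site layout, the /etc/group contents, the fqdn-to-site symlink and the file ownership are all constructed fixtures; cgiwrap's other checks are not reproduced.

```python
"""Model of the AliasMatch + cgiwrap interaction described in the thread.

Constructed fixture: one site with groupname "site1" reachable as
www.domain.com through a symlink under /home/sites, as a RaQ keeps them.
None of this is cgiwrap's real code; only the two checks the e-mail
names are modelled.
"""
import posixpath
import re

# /etc/group model: group -> members (constructed)
GROUP_DB = {"site1": {"admin1", "www"}}
# fqdn directory -> real site directory (constructed symlink)
SYMLINKS = {"/home/sites/www.domain.com": "/home/sites/site1"}
# script path -> (owner, group) (constructed)
FILE_DB = {
    "/home/sites/site1/web/formmail.pl": ("admin1", "site1"),
    "/home/sites/site1/web/secure/site1/formmail.pl": ("admin1", "site1"),
    "/home/sites/site1/web/secure/www.domain.com/formmail.pl": ("admin1", "site1"),
    # owned by someone who is not a site administrator
    "/home/sites/site1/web/secure/www.domain.com/evil.pl": ("nobody", "site1"),
}

# The regex is the one from the e-mail; the two targets are the original and fixed ones.
ALIAS_RE = r"^/secure/([^/]+)(/(.*))?"
ORIGINAL_TARGET = "/home/sites/$1/web/$3"
FIXED_TARGET = "/home/sites/$1/web/secure/$1/$3"


def alias_match(uri, target):
    """Apply the AliasMatch like Apache: regex on the URI, then $N substitution.

    Returns (site_token, PATH_TRANSLATED) or None if the regex does not match.
    An unmatched optional group substitutes as the empty string.
    """
    m = re.match(ALIAS_RE, uri)
    if not m:
        return None
    translated = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", target)
    return m.group(1), translated


def realpath(path):
    """Resolve the constructed fqdn -> siteN symlink, as the kernel would."""
    for link, dest in SYMLINKS.items():
        if path == link or path.startswith(link + "/"):
            return dest + path[len(link):]
    return path


def cgiwrap_check(uri, target, group_from_file=False):
    """Return (allowed, reason) for one request under one AliasMatch target.

    group_from_file=False: group name is the $1 URI component (stock cgiwrap
    as the e-mail describes it).  True: group is read from the script file
    and the file's owner must be a member of it (the modified cgiwrap).
    """
    matched = alias_match(uri, target)
    if matched is None:
        return False, "AliasMatch did not apply"
    site_token, path_translated = matched
    path_info = uri  # what Apache hands cgiwrap, per the e-mail
    web_root = "/home/sites/%s/web" % site_token

    # Check 1: the script must sit at PATH_INFO relative to the site's web root.
    expected = posixpath.normpath(web_root + path_info)
    if expected != posixpath.normpath(path_translated):
        return False, "PATH_INFO %s does not agree with PATH_TRANSLATED %s" % (
            path_info, path_translated)

    real = realpath(path_translated)
    if real not in FILE_DB:
        return False, "no such script " + real
    owner, file_group = FILE_DB[real]

    # Check 2: the group must exist and the script owner must belong to it.
    group = file_group if group_from_file else site_token
    members = GROUP_DB.get(group)
    if members is None:
        return False, "group %r does not exist" % group
    if owner not in members:
        return False, "owner %s is not a member of group %s" % (owner, group)
    return True, "run %s as %s:%s" % (real, owner, group)


if __name__ == "__main__":
    fqdn_uri = "/secure/www.domain.com/formmail.pl"
    for label, target, flag, uri in [
        ("original alias", ORIGINAL_TARGET, False, fqdn_uri),
        ("fixed alias, fqdn, stock group check", FIXED_TARGET, False, fqdn_uri),
        ("fixed alias, groupname", FIXED_TARGET, False, "/secure/site1/formmail.pl"),
        ("fixed alias, fqdn, group from file", FIXED_TARGET, True, fqdn_uri),
        ("fixed alias, non-admin owner", FIXED_TARGET, True, "/secure/www.domain.com/evil.pl"),
    ]:
        print("%-40s %s" % (label, cgiwrap_check(uri, target, flag)))
```

The last case is the property the modified check is meant to preserve: reading the group from the file does not weaken the rule, because a script dropped into the secure directory by a non-member still fails on the owner-membership test.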