RE: [cobalt-users] Secure CGI on a RaQ4
- Subject: RE: [cobalt-users] Secure CGI on a RaQ4
- From: "WebSite Creations" <main@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon Oct 9 17:25:21 2000
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>>>The problem with running CGIs through an AliasMatch is that
>>>cgiwrap relies heavily on the PATH_INFO and PATH_TRANSLATED variables
Hi Duncan,
Thank you for your detailed explanation. This info may be just what I am
looking for.
I can't wait to give these changes a try over the next day or two.
Thanks again for contributing.
Bill
>>>-----Original Message-----
>>>From: cobalt-users-admin@xxxxxxxxxxxxxxx
>>>[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Duncan Laurie
>>>Sent: Monday, October 09, 2000 7:37 AM
>>>To: cobalt-users@xxxxxxxxxxxxxxx
>>>Subject: Re: [cobalt-users] Secure CGI on a RaQ4
>>>
>>>
>>>In article
>>><NEBBKBOOOLHLLBGNGGNBAECOCGAA.main@xxxxxxxxxxxxxxxxxxxx> you wrote:
>>>| TEMPORARY?? FIX FOR SECURE CGI PROBLEM
>>>|
>>>| I recently added shared SSL on a RaQ4 server.
>>>|
>>>| Now, any site on the server can use SSL like so...
>>>|
>>>| https://www.main-secure-domain.com/secure/www.anydomain.com/nameoffile.html
>>>|
>>>| I ran into a problem with attempting to process secure cgi scripts...
>>>| https://www.server600.net/secure/www.avidinternet.com/formmail.pl
>>>|
>>>| I kept getting an Internal Server Error. I understand that I must use some
>>>| type of ScriptAlias to make this work. However, numerous visits to the
>>>| Cobalt.com site, the archives, and Redhat Linux config manuals
>>>| (http://www.redhat.com/support/manuals/RHL-7-Manual/ref-guide/ch-configuration.html)
>>>| have resulted in nothing but late nights and some new circles under
>>>| my eyes.
>>>
>>>Hi Bill,
>>>
>>>The problem with running CGIs through an AliasMatch is that cgiwrap relies
>>>heavily on the PATH_INFO and PATH_TRANSLATED variables to determine
>>>what script to run and to perform security checks. Much of this is because
>>>cgiwrap is a 3rd party app, not an apache module--it must take the
>>>environment that apache gives for granted. So an AliasMatch like:
>>>
>>> AliasMatch ^/secure/([^/]+)(/(.*))? /home/sites/$1/web/$3
>>>
>>>passes cgiwrap PATH_INFO and PATH_TRANSLATED variables that do not match up:
>>>
>>> PATH_TRANSLATED=/home/sites/www.domain.com/web/script.cgi
>>> PATH_INFO=/secure/www.domain.com/script.cgi
>>>
>>>Fixing this part is a pretty trivial change to the AliasMatch:
>>>
>>> AliasMatch ^/secure/([^/]+)(/(.*))? /home/sites/$1/web/secure/$1/$3
>>>
>>>but it means secure CGIs must be in the directory specified by PATH_INFO,
>>>in relation to the web root of the site. After this CGIs will work, but
>>>only if you refer to the site by its groupname, not the fqdn. This is
>>>because it does security checks against the groupname given by the
>>>PATH_TRANSLATED variable (the $1 regex from the AliasMatch) and fails
>>>because the group "www.domain.com" does not exist.
>>>
>>>To fix this I modified cgiwrap to obtain the group info from the file
>>>referred to by PATH_TRANSLATED; which it then compares to the owner of the
>>>file to verify the user is a member of that group (a site administrator).
>>>This may not be the ideal solution, but it is minor and doesn't require
>>>making massive changes to cgiwrap. Now with the above AliasMatch and
>>>this cgiwrap change you can access CGIs like so:
>>>
>>> https://www.secure-server.com/secure/www.domain.com/formmail.pl
>>>
>>>If the script is in:
>>>
>>> /home/sites/www.domain.com/web/secure/www.domain.com/formmail.pl
>>>
>>>You can find the new cgiwrap RPM (and SRPM) at:
>>>
>>>ftp://ftp.cobaltnet.com/pub/users/duncan/cgiwrap/cgiwrap-3.6.4-C11.i386.rpm
>>>
>>>-duncan
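
The PATH_INFO / PATH_TRANSLATED mismatch described in the quoted message can be reproduced offline. The following is an added example, not part of the original thread and not cgiwrap or Apache code. It models the AliasMatch substitution in Python using the two rules from the post. The helper names, the `paths_agree` check and the rule that unmatched `$N` groups expand to an empty string are assumptions of this model.

```python
import re

# Constructed model of how an AliasMatch rule turns a request URI into
# PATH_TRANSLATED. Pattern and both targets are the ones quoted in the post.
PATTERN = re.compile(r"^/secure/([^/]+)(/(.*))?")
ORIGINAL_RULE = "/home/sites/$1/web/$3"
FIXED_RULE = "/home/sites/$1/web/secure/$1/$3"


def alias_match(uri, target):
    """Return the filesystem path the rule maps `uri` to, or None."""
    m = PATTERN.match(uri)
    if m is None:
        return None
    # Assumption of this model: a $N whose group did not match becomes "".
    return re.sub(r"\$(\d)", lambda r: m.group(int(r.group(1))) or "", target)


def cgi_paths(uri, target):
    """PATH_INFO / PATH_TRANSLATED pair as the post shows cgiwrap receiving."""
    translated = alias_match(uri, target)
    if translated is None:
        return None
    return {"PATH_INFO": uri, "PATH_TRANSLATED": translated}


def paths_agree(env):
    """True when PATH_TRANSLATED equals the site's web root plus PATH_INFO."""
    m = re.match(r"^(/home/sites/[^/]+/web)(/.*)$", env["PATH_TRANSLATED"])
    return bool(m) and m.group(2) == env["PATH_INFO"]


if __name__ == "__main__":
    uri = "/secure/www.domain.com/script.cgi"  # constructed request URI
    for name, rule in (("original", ORIGINAL_RULE), ("fixed", FIXED_RULE)):
        env = cgi_paths(uri, rule)
        print(f"{name:8} {env['PATH_TRANSLATED']}  agree={paths_agree(env)}")
```

With the fixed rule the script must physically live under `web/secure/<site>/`, which is why the post places `formmail.pl` in that directory.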