ExecCGI anywhere?

l0rdphi1

Is it possible to set up Apache so that I can run CGI scripts anywhere inside public_html? I tried modifying the
Code:
<Directory /home/*/public_html> [..] </Directory>
part of /etc/httpd/conf/httpd.conf to:
Code:
<Directory /home/*/public_html>
    AllowOverride All
    Options MultiViews Indexes SymLinksIfOwnerMatch Includes ExecCGI
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS PROPFIND>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

But that didn't help any..

Any ideas? :D
 
Hello,

Try the following modifications to what you have:

1) put a '+' in front of ExecCGI: +ExecCGI

2) make cgi's run anywhere (add this after Options):

AddHandler cgi-script .cgi .pl


Give that a go...

John
 
As long as we're on this subject, John, what would it entail for us to move the cgi-bin outside of the web directory?

There's lots of discussion (easily available via search engines) suggesting this is quite insecure. For example if you were running a file-based bbs (yabb comes to mind) all the user's private information including passwords would be available just by putting the name of the text file into the url.

Sun Cobalt RaQs also put the cgi-bin inside the web-path, but they at least use cgiwrap.

Of course some of us know that we can keep all important information in subdirectories of cgi-bin, and use an .htaccess file to protect it, but I'd bet all our customers aren't aware of either the security hole or the method of protecting against it.

Every security-conscious webhost I know (only a small percentage, but nevertheless an important percentage) puts the cgi-bin outside the web-path.

Jeff
 
DirectAdmin Support said:
> 1) put a '+' in front of ExecCGI: +ExecCGI
>
> 2) make cgi's run anywhere (add this after Options):
>
> AddHandler cgi-script .cgi .pl

Wasn't working, but telling people to simply add
Code:
Options +ExecCGI
AddHandler cgi-script .cgi .pl .pm
to their .htaccess is easier anyway.

Thanks :)
 
Sure, it can be done... things that have to be considered:
1) where will the cgi-bin for subdomains go? right now they are inside the subdomains home directory, similar to the main domain.
2) if it's changed, all current users will have to move their cgi-bin directories.

So basically, it's really easy to do for new installs, just have to figure out where to put the subdomain cgi-bins, if not sharing the main cgi-bin. It's just the existing installs that have to be dealt with. Although moving it out of the webpath would be *more* secure, I have yet to be able to do anything else but use cgi-bin as cgi-bin... meaning, I haven't been able to view html files, or text files or anything else through the cgi-bin without the server trying to run them as CGIs. Comments on this would be appreciated.

Until a solution is found, there are template files that will do the job nicely. :)

John
 
DirectAdmin Support said:
> 1) where will the cgi-bin for subdomains go? right now they are inside the subdomains home directory, similar to the main domain.

I'm not sure, since I've never set up a subdomain and don't know where the subdomains go... They could go in subdirectories of the main cgi-bin, but that could cause security issues. How about creating (at the same level as httpd_public and cgi-bin) cgi-users, and then subdirectories of that for each user.

> 2) if it's changed, all current users will have to move their cgi-bin directories.

That bothers me a lot less than having to explain insecurities to people.

> Although moving it out of the webpath would be *more* secure, I have yet to be able to do anything else but use cgi-bin as cgi-bin... meaning, I haven't been able to view html files, or text files or anything else through the cgi-bin without the server trying to run them as CGIs. Comments on this would be appreciated.

Have you done something in httpd.conf to prevent text files from being world readable? I'll try to find time later today to do some testing. If you don't get test results from me in a day, please remind me.

> Until a solution is found, there are template files that will do the job nicely. :)

Please direct me towards one :) .

Jeff
 
jlasman said:
> Did you remember to restart apache?
>
> Jeff

:rolleyes: Yes, I restarted it.

I'm happy with the .htaccess method. Not everyone needs CGI in every directory, and I suppose it's a little extra security.
 
templates are in:
/usr/local/directadmin/data/templates/virtual_host*.conf

If you make modifications to them, put your custom version in the "custom" directory so that when DirectAdmin gets updated, you won't be stomped. (It checks the custom dir before using the default ones.)

John
 
I've discovered that apache doesn't seem to count /home/*/public_html in /home/username/domains/domain.com/public_html
but /home/* is.. so for the next release I'll change that part of everyone's httpd.conf using a perl replace script.

<Directory /home/*/public_html>
into
<Directory /home/*>

If you've already changed it, the script will have no effect.

John
 
I tried the two solutions and neither works:

in httpd.conf
(in <Directory /*>)

Options +ExecCGI
AddHandler cgi-script .cgi

Same in .htaccess

And of course, I stopped apache, then reload it and finally started it

Any other suggestion ?
 
Just modify DA's custom httpd templates (/usr/local/directadmin/data/templates/virtual_host_*) and add ExecCGI to each, and then run echo 'action=rewrite&value=httpd' >> /usr/local/directadmin/data/task.queue. Worked for me.
 
well ...

Thank you for your suggestion

I tried to change everything that has Options by adding +ExecCGI, restarted httpd and DA, but with no success...

Any other clue?


:confused:
 
Hello,

I just tested the .htaccess version with
Code:
Options +ExecCGI
AddHandler cgi-script .cgi
and it works. Double check that your script is chmod 755 and is owned by the owner of that home directory. Failing that, check your /var/log/httpd/suexec_log for reasons why it didn't work.

John
 
BTW, with default DA configs the Admin "CGI Access" option is almost useless! Any user is able to turn on CGIs by adding
Options +ExecCGI
to .htaccess in ANY folder.

What can we do about that?

Is the only way to completely "turn off" CGIs to set
"AllowOverride AuthConfig FileInfo Indexes Limit"
instead of
"AllowOverride All"
?
 
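The AllowOverride question in the post above, as an added example that is not part of the original thread: a small Python audit that reports, for each <Directory> block, whether a user's .htaccess could switch on ExecCGI. The sample configuration and its paths are constructed, and the `Options=...` form of AllowOverride assumes Apache 2.2 or later.

```python
import re

# Constructed sample: four <Directory> blocks with illustrative paths.
SAMPLE_CONF = """\
<Directory /home/*/public_html>
    AllowOverride All
    Options MultiViews Indexes SymLinksIfOwnerMatch Includes
</Directory>
<Directory /home/alice/site>
    AllowOverride AuthConfig FileInfo Indexes Limit
</Directory>
<Directory /home/bob/site>
    # AllowOverride All
    AllowOverride AuthConfig Options=Indexes,MultiViews
</Directory>
<Directory /home/carol/site>
    Options Indexes
</Directory>
"""

BLOCK = re.compile(r"<Directory[ \t]+([^>]+)>(.*?)</Directory>", re.S | re.I)
OVERRIDE = re.compile(r"^[ \t]*AllowOverride[ \t]+(.+?)[ \t]*$", re.M | re.I)

def htaccess_can_enable_cgi(tokens):
    """True if this AllowOverride value lets .htaccess set Options +ExecCGI."""
    for tok in (t.lower() for t in tokens):
        if tok in ("all", "options"):       # every Options keyword is overridable
            return True
        if tok.startswith("options="):      # explicit allow-list of Options keywords
            allowed = tok.split("=", 1)[1].split(",")
            if "execcgi" in allowed or "all" in allowed:
                return True
    return False

def audit(conf_text):
    """Map each <Directory> path to 'overridable', 'locked' or 'inherited'."""
    verdicts = {}
    for path, body in BLOCK.findall(conf_text):
        body = re.sub(r"(?m)^[ \t]*#.*$", "", body)   # ignore commented-out lines
        values = OVERRIDE.findall(body)
        if not values:
            # No AllowOverride here: the enclosing scope or server default decides.
            verdicts[path.strip()] = "inherited"
        elif htaccess_can_enable_cgi(values[-1].split()):   # last directive wins
            verdicts[path.strip()] = "overridable"
        else:
            verdicts[path.strip()] = "locked"
    return verdicts

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_CONF).items():
        print(f"{verdict:12} {path}")
```

A "locked" verdict covers only the Options override; FileInfo still lets .htaccess use AddHandler, which matters wherever ExecCGI is already enabled in the server configuration.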
Open a user's httpd.conf and add

Code:
<Directory /home/username/domains/domain.com/public_html/>
AddHandler cgi-script .pl .cgi
Options Includes ExecCGI
</Directory>

directly under the <Directory> sections already there (if you want it under https, add it under the :443 virtualhost section as well as the :80 one).

service httpd restart

Chris
 
What are you talking about? :)

My problem was not "how to enable CGIs anywhere for one of the accounts".
I just said that unchecking "CGI Access" in DA doesn't mean that the user will be unable to run CGIs.

(I spent all night reading mans, editing configs, and finally I did it! ;) When I check "CGI Access", the user becomes able to run CGIs in any directory, and when I uncheck it, he becomes unable to run CGIs at all.)
 
I changed the /usr/local/directadmin/data/templates/virtual_host_* and it's ok now...

Only one question...
Won't DA update these files when there are updates? Or can you add that as default?

thanks
 