MC on Apache and CGI
Sannyasin Sivakatirswami
katir at hindu.org
Sun Dec 8 15:33:01 EST 2002
I use MC on all our domains in Honolulu, works fine:
This is how we have it; possibly you know all this already, but I am
very interested in having this area (MC security running behind Apache
on a Unix-MacOSX box) thoroughly elucidated, as we also know virtually
nothing about Unix security issues. So here goes with what I know to
date:
put the engine itself in cgi-bin
## just like any PERL script
## that's protected from bad guys as far as i know
CHMOD 755 the engine itself
Put your scripts in the CGI directory along side the engine
CHMOD them also 755.
Path to engine in 1st line of the script is standard... Just look at
any access logs for your site to see what the full machine path is to
your directory on that machine to any file
e.g.
#! /export/users/g/gregory/public_html/cgi-bin/mc
## is a typical path on a virtual domain...
## where /public_html/cgi-bin/mc is the flavor for the running OS
on StartUp
read from stdIn
##make sure any path ref in your script "climbs out" of the CGI bin
## ../someDirectory/some.file
etc.
To block other domains you need to create an "authorized domain"
routine similar to the one in formMail.pl where
a) you parse the header from the submission from the submitting domain,
b) check that against a list of authorized domains usually this is the
one on which the script itself resides, or several on the same server
under your control to prevent hackers from making POSTs from other
domains/servers.
==========
I asked these same questions two years ago, was told that the "wrapper"
thing pertained to using MC as a server handling the http requests...
not to the context where MC is used as a CGI interpreter where Apache
is the actual server. That said, then no more damage to the server can
be done by an MC script than one could do with a bad Perl script.
We "quietly" installed MC remotely in the cgi-bin with a nod from their
server admin who we have hosted with since before the web began in
93.... on trust that we would not do anything stupid just like they
assume anyone using PERL is not going to install scripts that would do
something radical to their server.
e.g. I see lots of attempts from outside domains to hit on our
formMail.pl (perl) script. You see this in the error logs where POSTs
are coming down from outside domains to "formmail.cgi", "FormMail.pl",
"formMail.cgi", "formMail.pl", where some guy is obviously testing to see
if he can use my CGI... if he could only get the name right... and
occasionally they do, but their submission is rejected by the script
itself... not by any "wrapper" as such.
In this case this is a well-known Perl script in the public domain
(formMail.pl) which previously had a big hole in it (go to Matt's
Archives and see his comments at the top of the latest version of
formMail.pl)
I am not an expert, but it would seem to me that any script in any
language could be secure or dangerous if it did not do the obvious
security thing of examining the globals or some initial bit of data
from stdIn and if it is not what's expected, nothing happens.
but, perhaps there are other holes or other kinds of CGI scenarios (we
are just talking about POST here.) that could be dangerous?
Sannyasin Sivakatirswami
Himalayan Academy Publications
at Kauai's Hindu Monastery
katir at hindu.org
www.HimalayanAcademy.com,
www.HinduismToday.com
www.Gurudeva.org
www.Hindu.org
On Sunday, December 8, 2002, at 09:39 AM, jbv wrote:
> Although your comments raise a few important questions that
> I'll have to discuss with the UNIX guy :
> - what is the best directory to drop the mc engine so that
> no bad guy finds it ?
> - and what can happen if any bad guy finds it ?
> - is there anything specific that can be done (by a bad guy) with MC
> as a simple cgi engine that can't be done with a php or perl engine ?
> - does it have to do with the presence of a "wrapper" (I've seen
> that word at times in articles / discussions about cgi engines) ?
> - are there any safety measures to take to prevent that ?
>
> And as for permissions : I know that the right permissions have
> to be set to mc-cgi scripts and text files used by those scripts, but
> have the feeling that there must be some specific other permissions to
> set in the Apache configuration to allow mc-cgi scripts to be triggered
> by external requests... If yes, can those permissions be set for one
> domain name only ?
>
> More on these issues, please...
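
The "authorized domain" routine and the "if it is not what's expected, nothing happens" check described in the message above, sketched in Python as an added example (not code from the original post or from formMail.pl). The host names, form field names and size limit are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions for this example: host names, field names and size limit.
AUTHORIZED_HOSTS = {"www.example.org", "example.org"}
EXPECTED_FIELDS = {"name", "email", "message"}
MAX_BODY = 16 * 1024

def referer_host(environ):
    """Host part of the client-supplied Referer header, or None."""
    try:
        host = urlsplit(environ.get("HTTP_REFERER", "")).hostname
    except ValueError:          # malformed URL, e.g. broken IPv6 literal
        return None
    return host.lower() if host else None

def check_request(environ, body):
    """Return (ok, reason); on any surprise the caller does nothing."""
    if environ.get("REQUEST_METHOD") != "POST":
        return False, "method"
    # Exact match, so "www.example.org.evil.test" does not pass.
    if referer_host(environ) not in AUTHORIZED_HOSTS:
        return False, "referer"
    try:
        length = int(environ.get("CONTENT_LENGTH", ""))
    except ValueError:
        return False, "length"
    if not 0 < length <= MAX_BODY or length != len(body):
        return False, "length"
    try:
        fields = parse_qs(body.decode("ascii"), strict_parsing=True)
    except (UnicodeDecodeError, ValueError):
        return False, "body"
    # Only the fields the form really has; extras are rejected.
    if set(fields) != EXPECTED_FIELDS:
        return False, "fields"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample request, not taken from any real log.
    body = b"name=A&email=a%40example.org&message=hello"
    env = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body)),
           "HTTP_REFERER": "http://www.example.org/contact.html"}
    print(check_request(env, body))
    env["HTTP_REFERER"] = "http://www.example.org.evil.test/contact.html"
    print(check_request(env, body))
```

In a real CGI the dictionary is the process environment and the body is read from standard input. Because the Referer header is sent by the client, this check keeps other sites' forms from posting to the script but does not authenticate the sender, so the field and length checks still matter.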