[HCoop-Help] unable to run doomtool

Clinton Ebadi clinton at unknownlamer.org
Thu Oct 2 13:53:00 EDT 2008


Adam Chlipala <adamc at hcoop.net> writes:

> For the answers to all your questions, please run:
>     domtool-admin describe DOMAIN
> and tell me how you would like the generated Apache configuration to be 
> different.
>
> Zrajm C Akfohg wrote:
>> How do I make include virtual work on a cgi?
>>   
>
> I wouldn't be surprised if we can't support this, but I'm not sure.  We 
> have to make sure that included CGI scripts run as your user and with 
> your AFS tokens.  If it isn't easy to make this happen, then we can't 
> allow what you request, for security reasons.

The Apache documentation
(http://httpd.apache.org/docs/1.3/mod/mod_include.html#includevirtual)
makes it appear that virtual is safe:

"A URL is constructed from the attribute, and the output the server
would return if the URL were accessed by the client is included in the
parsed output. Thus included files can be nested."

It is promoted as a safer alternative to exec and it seems that it
simulates a normal Apache request as if it were coming from the client
while capturing the output of the request. According to
http://httpd.apache.org/docs/2.0/misc/security_tips.html:

"SSI files also pose the same risks that are associated with CGI
scripts in general. Using the "exec cmd" element, SSI-enabled files
can execute any CGI script or program under the permissions of the
user and group Apache runs as, as configured in httpd.conf."

"Another solution is to disable the ability to run scripts and
programs from SSI pages. To do this replace Includes with
IncludesNOEXEC in the Options directive. Note that users may still use
<--#include virtual="..." --> to execute CGI scripts if these scripts
are in directories designated by a ScriptAlias directive."

So it would appear that virtual is safe *and* that it is enabled (as
it works for static files).

The issue, it would appear, is that the cgi scripts are not +x. As I
don't have read permissions on zrajm's cgi-bin I was unable to confirm
this, but I would suspect that this was the issue. If this is not the
case, have you tried doing #include virtual="/cgi-bin/..." instead?

I did try accessing http://test.zrajm.org/cgi-bin/search.cgi and x.cgi
and they return *something*, but x.cgi appears to perhaps have broken
output.

-- 
clinton: last time I was a bit weak (*sniff* level four and only 18 hp)
clinton: I had a -1 intelligence modifier for the first three weeks
emacsen: what about your character?
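
Added example, not part of the original message or of HCoop's tooling: a small Python audit that lists the SSI elements in a page and reports, for each `include virtual` that points under a ScriptAlias prefix, whether the target script has an execute bit set. The `/cgi-bin/` prefix, the page text and the file modes are constructed for the demonstration; they say nothing about the real scripts mentioned above.

```python
import os
import re
import stat
import tempfile

# Matches SSI elements such as <!--#include virtual="/cgi-bin/x.cgi" -->
SSI_RE = re.compile(r'<!--#(\w+)\s+(\w+)="([^"]*)"\s*-->')
ANY_X = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def audit_ssi(page_text, script_alias, script_dir):
    """Return (element, target, finding) for each SSI element in a page.

    script_alias and script_dir stand for a ScriptAlias URL prefix and the
    directory it maps to; both are assumed values supplied by the caller.
    """
    root = os.path.realpath(script_dir)
    findings = []
    for element, attr, value in SSI_RE.findall(page_text):
        if element == "exec":
            # "exec cmd" / "exec cgi" are refused under IncludesNOEXEC.
            findings.append((element, value, "disabled-under-IncludesNOEXEC"))
        elif element == "include" and attr == "virtual":
            if not value.startswith(script_alias):
                findings.append((element, value, "non-cgi-include"))
                continue
            # Drop any query string, then resolve inside the script directory.
            rel = value[len(script_alias):].split("?", 1)[0].lstrip("/")
            path = os.path.realpath(os.path.join(root, rel))
            if os.path.commonpath([root, path]) != root:
                findings.append((element, value, "outside-script-dir"))
            elif not os.path.isfile(path):
                findings.append((element, value, "missing"))
            elif os.stat(path).st_mode & ANY_X:
                findings.append((element, value, "executable"))
            else:
                findings.append((element, value, "not-executable"))
    return findings

def demo():
    """Run the audit over a constructed page and a constructed cgi-bin."""
    page = ('<!--#include virtual="/header.html" -->\n'
            '<!--#include virtual="/cgi-bin/search.cgi?q=1" -->\n'
            '<!--#include virtual="/cgi-bin/x.cgi" -->\n'
            '<!--#exec cmd="date" -->\n')
    with tempfile.TemporaryDirectory() as cgi_bin:
        for name, mode in (("search.cgi", 0o755), ("x.cgi", 0o644)):
            path = os.path.join(cgi_bin, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho 'Content-type: text/plain'\necho\n")
            os.chmod(path, mode)
        return audit_ssi(page, "/cgi-bin/", cgi_bin)
```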


