Home » Categories » Multiple Categories |
How To Use SuExec in Apache to run CGI Scripts on an Ubuntu |
Article Number: 233 | Rating: Unrated | Last Updated: Sun, Jan 5, 2014 at 8:52 PM
|
IntroductionThe Apache web server is the most popular web server in the world. It can be used to deliver static and dynamic web content to visitors in a multitude of different contexts.One of the most common ways of generating dynamic content is through the use of Running any kind of executable code within a web-space comes with a certain amount of risk. In this guide, we will demonstrate how to implement CGI scripting with the PrerequisitesIn this guide, we will be configuring an Ubuntu 12.04 server with a standard LAMP (Linux, Apache, MySQL, PHP) installation. We assume that you have already installed these basic components and have them working in a basic configuration.We will be referencing the software as it is in its initial state following that tutorial. How To Enable CGI ScriptsIn Ubuntu's Apache configuration, CGI scripts are actually already configured within a specific CGI directory. This directory is empty by default.CGI scripts can be any program that has the ability to output HTML or other objects or formats that a web browser can render. If we go to the Apache configuration directory, and look at the modules that Apache has enabled in the
This file contains the directive that enables the CGI module. This allows us to use this functionality in our configurations. Although the module is loaded, it does not actually serve any script content on its own. It must be enabled within a specific web environment explicitly. We will look at the default Apache virtual host file to see how it does this:
While we are in here, let's set the server name to reference our domain name or IP address: <VirutalHost *:80> ServerName your_domain_or_IP_address ServerAdmin your_email_address. . . We can see a bit down in the file the part that is applicable to CGI scripts:
Let's break down what this portion of the configuration is doing. The This means that a script called "script.pl" located in the your_domain.com/cgi-bin/script.pl Its output would be returned to the web browser to render a page. The
This option is actually unnecessary since we are setting up options for a directory that has already been declared a CGI directory by If you wished to put CGI files in a directory outside of the ScriptAlias, you will have to add these two options to the directory section: Options +ExecCGI AddHandler cgi-script .pl .rb [extensions to be treated as CGI scripts] When you are done examining the file, save and close it. If you made any changes, restart the web server:
Make a Test CGI ScriptWe will create a basic, trivial CGI script to show the steps necessary to get a script to execute correctly.As we saw in the last section, the directory designated in our configuration for CGI scripts is
We gave the file a ".pl" extension because this will be a Perl script, but Apache will attempt to run any file within this directory and will pass it to the appropriate program based on its first line. We will specify that the script should be interpreted by Perl by starting the script with:
Following this, the first thing that the script must output is the content-type that will be generated. This is necessary so that the web browser knows how to display the output it is given. We will print out the HTML content type, which is "text/html", using Perl's regular print function.
After this, we can do whatever functions or calculations are necessary to produce the text that we want on our website. In our example, we will not produce anything that wouldn't be easier as just plain HTML, but you can see that this allows for dynamic content if your script was more complex. The previous two components and our actual HTML content combine to make the following script:
Save and close the file. Now, we have a file, but it isn't marked as executable. Let's change that:
Now, if we navigate to our domain name, followed by the CGI directory (/cgi-bin/), followed by our script name (test.pl), we should see the output of our script. Point your browser to: your_domain.com/cgi-bin/test.pl You should see something that looks like this: Not very exciting, but rendered correctly. If we choose to view the source of the page, we will see only the arguments given to the print functions, minus the content-type header: How To Enable SuExecThere are some security concerns implicit in setting a script as executable by anybody. Ideally, a script should only be able to be executed by a single, locked down user. We can set up this situation by using thesuexec module.
We will actually install a modified suexec module that allows us to configure the directories in which it operates. Normally, this would not be configurable without recompiling from source. Install the alternate module with this command:
Now, we can enable the module by typing:
Next, we will create a new user that will own our script files. If we have multiple sites being served, each can have their own user and group:
Feel free to enter through all of the prompts (including the password prompt). This user does not need to be fleshed out. Next, let's create a scripts directory within this new user's home directory:
Suexec requires very strict control over who can write to the directory. Let's transfer ownership to the script_user user and change the permissions so that no one else can write to the directory:
Next, let's create a script file and copy and paste our script from above into it:
Make it executable next. We will only let our script_user have any permissions on the file. This is what the suexec module allows us to do:
Next, we will edit our Apache virtual host configuration to allow scripts to be executed by our new user. Open the default virtual host file:
First, let's make our CGI directory. Instead of using the Add this section:
This allows us to access our CGI scripts by going to the "/scripts" sub-directory. To enable the suexec capabilities, add this line outside of the "Directory" section, but within the "VirtualHost" section:
Save and close the file. We also need to specify the places that suexec will consider a valid directory. This is what our customizable version of suexec allows us to do. Open the suexec configuration file:
At the top of this file, we just need to add the path to our scripts directory.
Save and close the file. Now, all that's left to do is restart the web server:
If we open our browser and navigate here, we can see the results of our script: your_domain.com/scripts/attempt.pl Please note that with suexec configured, your normal CGI directory will not work properly, because it does not pass the rigorous tests that suexec requires. This is intended behavior to control what permissions scripts have. ConclusionYou can now create scripts and execute them in a relatively secure way. CGI scripts are very helpful for quickly including dynamic content on your site. Suexec allows you to lock down this ability for greater security. |
Attachments
There are no attachments for this article.
|
How To Install and Use PostgreSQL on Ubuntu 12.04
Viewed 6051 times since Mon, Dec 30, 2013
How To Copy Files With Rsync Over SSH
Viewed 6296 times since Fri, Dec 27, 2013
How To Use Traceroute and MTR to Diagnose Network Issues
Viewed 6497 times since Fri, Dec 27, 2013
How To Use Yaourt to Easily Download Arch Linux Community Packages
Viewed 3856 times since Fri, Dec 27, 2013
How To Install (LEMP) nginx, MySQL, PHP stack on Arch Linux
Viewed 13424 times since Sun, Dec 29, 2013
How To Set Up Apache Virtual Hosts on Ubuntu 12.04 LTS
Viewed 3264 times since Mon, Dec 23, 2013
How To Set Up Master Slave Replication in MySQL
Viewed 3060 times since Thu, Dec 26, 2013
How To Create Data Queries in PostgreSQL By Using the Select Command
Viewed 14114 times since Mon, Dec 30, 2013
How To Import and Export Databases and Reset a Root Password in MySQL
Viewed 2635 times since Thu, Dec 26, 2013
How To Install Linux, Nginx, MySQL, PHP (LEMP) Stack on Debian 7
Viewed 3693 times since Fri, Dec 27, 2013
|