Answered

httpd cgi not working

Hi,

I'm porting a project from TS-7553 to TS-7553-V2.

Among this-and-that features, I was running CGI bash scripts with the mini-httpd web-server, with no limitations.


On the V2 (Debian 8) I'm having strange behavior: in my script I try to source a file, but get Permission denied.


If I move everything to /var/www - things work.


I read a bit about www-data, but didn't fully understand how to interact with the file-system (outside the /var/www dir).


I don't want or need that protection on my product.

Any ideas?


Best Answer

Rami,


I am not terribly familiar with cgi-bin overall.  However, here are some things to look at:

- I believe cgi-bin is prevented from accessing any filesystem location at a higher directory than it is started in; this acts like a jail for the process.  For example, if you are starting a webserver from /var/www/, then all filesystem accesses are limited to this subdirectory and cannot access files/folders outside of this directory.  I believe it is possible to disable this.  However from both a security and organizational standpoint it is not usually wise to do this.

- Check permissions of files you are trying to access.  Most webservers set up or use an already existing user and group by default after installation.  This is usually www:www, but there are exceptions.  After being run, the final binary is then changed to run with these reduced permissions as usually a webserver has to be started by the root user and it is not wise to leave it like this.  This then means that any file the webserver attempts to access is limited by its user:group.  If you set up and move files around as root, and their permissions do not permit world readability, then you may end up with files that the webserver user:group are unable to access and this may be the root of your error.

- Check the output logs; if logging is not enabled, temporarily enable it, or set it up permanently using a limited ramdisk/tmpfs.  The log output will help you greatly when decoding errors as these logs tend to be more verbose.  If you get a hold of some log output I can help you further track down the issue.


You may also wish to find further resources on setting up, running, and maintaining web servers.  Doing so is its own field of study and is generally outside the scope of our technical support as we are certainly not experts on the area of web servers.
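
An added illustration of the permission check described in the answer above (not part of the original thread and not vendor code): a shell function that walks from a base directory down to a file and reports the first directory or file whose "other" permission bits would stop a non-owner such as the web server's user from reading it. It assumes GNU stat as shipped on Debian and ignores group membership and ACLs; the function names `other_bits` and `first_blocker` are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: GNU stat (Debian); only the "other" mode bits
# are inspected, so group membership and ACLs are ignored.

# other_bits PATH: print the "other" octal digit (0-7) of PATH's mode.
other_bits() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    printf '%s\n' "${mode#"${mode%?}"}"
}

# first_blocker FILE [BASE]
# Walk from BASE (default /) down to FILE. Print the first component whose
# "other" bits lack search (x) on a directory or read (r) on the file,
# and return 1. Print nothing and return 0 when every component passes.
first_blocker() {
    case $1 in
        /*) ;;
        *) echo "absolute path required: $1" >&2; return 2 ;;
    esac
    # Recurse into the parent first so the topmost blocker is reported.
    if [ "$1" != "${2:-/}" ] && [ "$1" != / ]; then
        first_blocker "$(dirname "$1")" "${2:-/}" || return 1
    fi
    bits=$(other_bits "$1") || { echo "cannot stat: $1" >&2; echo "$1"; return 1; }
    if [ -d "$1" ]; then
        need=1 reason="directory not searchable (x) by others"
    else
        need=4 reason="file not readable (r) by others"
    fi
    if [ $(( bits & need )) -eq 0 ]; then
        echo "$reason" >&2
        echo "$1"
        return 1
    fi
    return 0
}

# Usage: sh first_blocker.sh /path/to/sourced/file
if [ "$#" -gt 0 ]; then
    first_blocker "$@"
fi
```

Sourcing a file only needs read permission on the file itself, but every directory above it must be searchable, which is why a single root-created directory with mode 700 is enough to produce "Permission denied".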


Magically, things are working - I probably missed some small detail...

Thanks
