Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change

permissions and apache

by cidaris (Friar)
on Jul 30, 2002 at 18:41 UTC ( #186299=perlquestion: print w/replies, xml ) Need Help??

cidaris has asked for the wisdom of the Perl Monks concerning the following question:

Hello monks,

I'm attempting to auto-generate my site. I've written the program necessary to do what needs to happen, now I want to run it from the web.

Originally, I did this by having a call to
system ("/whatever/cgi-bin/", $argument)
from another program, which worked OK, except the script called needs to generate output to the htdocs folder.
Since it was technically 'nobody' running the script (Apache) it didn't have permission to write to htdocs. Very briefly, I changed the permissions of the htdocs folder to be owned by nobody/nogroup and 777 permissions, but realized this was probably the worst idea ever.
Someone pointed me towards CGIWrap, but I don't think I'm doing it quite right.

I know I'm opening up a big can of worms with the whole setgid and setuid issues, so I was hoping someone could point me in the right direction?

Thanks again,

Replies are listed 'Best First'.
Re: permissions and apache
by chromatic (Archbishop) on Jul 30, 2002 at 19:41 UTC

    Write a little cron job that looks for a flag somewhere and then regenerates your site. You can store the flag in a database, a DBM file, or a temporary file in a directory that you make writable. I'm leery of changing write permissions, especially to 777.

Re: permissions and apache
by Cine (Friar) on Jul 30, 2002 at 19:48 UTC
    I personnally use sudo for those kind of things.

    T I M T O W T D I
Re: (newrisedesigns) permissions and apache
by newrisedesigns (Curate) on Jul 31, 2002 at 02:51 UTC

    Why are you auto-generating your site?

    If it's to restore from some sort of backup (unlikely), you should use some form of FTP method to backup/restore files.

    More than likely, you probably run this to generate some sort of custom HTML. Exactly what, I don't know.

    I'd like to suggest generating your website on the fly using a healthy dose of SSI and Perl. It's always fresh, always live, and no messy setuid to worry about.

    If this is not the case, perhaps you could elaborate on your problem, and we'd love to help.

    John J Reiser

      Perhaps some elaboration...
      Currently, the website updates itself every night at midnight thru cron. My site isn't just a "hi, I'm cidaris, this is a 3MB bmp of my dog".
      Every day, there is between 30 and 100 new pieces of content to add, and the HTML must be generated for it.
      Think of a high-end porn site, without the pictures. Stock photo kind of stuff.
      Lots of content, fairly organizational.
      Lately, I've been aching for some customization. I built a MySQL database to house all the variable info, like table schemes, color schemes, individual images, applicable holidays, etc.
      I know this is just screaming "use a templating system!" but I didn't.
      The program is done, I just want to run it from the web now, instead of in cron.
      I want my admins to be able to go to a page, specify with radio buttons all the options they want, and click 'Go' and the program builds them a site.
      So, as is, a script which people call from the web lets them select all these options, change info, update the database, etc.
      Once they hit submit on the final "OK, we're all done" page, it calls the site generation program with a single argument, the primary key for the appropriate database table.

      The problem is that since the generator program is writing pages in the /htdocs/ folder, it must have better permissions than 'nobody'.
      But since Apache (which I've set to run as 'nobody' in accordance with nearly every security discussion agrees on) calls it, it now has 'nobody' permissions and hence, cannot write to htdocs.

      I have looked into sudo, and it's looking like that may be the solution. Originally, someone pointed me to CGIWrap, but it's documentation is somewhat sparse.

      So, like all (s/wise/lazy/) men, I thought to inquire before I embarked on some large, 3rd party-heavy solution.

      Hopefully, I can find some answers.
        OK, I've made significant progress with a lot of reading.
        I have learned more than I wanted to know about the whole setuid issue, and have written a C++ wrapper to call the script and pass the command-line issues. I then gave the C++ program more appropriate access permissions.
        I then went through and did all the necessary sanity-checking and untainting of the various data.
        I then got to my favorite part of any coding process, debugging!
        After several failed attempts, I got
        "su -c './perl_run Build' nobody"
        to work correctly.
        Thinking I was all but done, I included the system call to the script my $results = system("/usr/local/bin/perl/perl_run", $directive); in my CGI program. Before untainting, I would get -1 for results, which I expected, as it didn't work at that time.

        However, now I'm getting 256 (which I believe is actually '1' for success) but here's the catch:
        The program isn't running, the site isn't changing, and I'm about to call it quits in favor of a few tall mugs of Newcastle.

        Any thoughts?

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://186299]
Approved by dws
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others rifling through the Monastery: (2)
As of 2023-06-07 05:48 GMT
Find Nodes?
    Voting Booth?
    How often do you go to conferences?

    Results (29 votes). Check out past polls.