httpd-users mailing list archives

From Peter Meier <peter.me...@immerda.ch>
Subject [users@httpd] mod_fcgid: running perl scripts with a FCGIWrapper script
Date Fri, 09 Dec 2011 12:08:19 GMT
Hi

Running perl scripts with SuExec and mod_fcgid works fine by using the  
SetHandler fcgid-script Option, as described on [1].

However this has one disadvantage: SuExec requires the scripts to be  
owned by the same user they should run as. From a security point of  
view this is not always what we want, as this potentially allows  
vandalism of the whole hosting, if a script is vulnerable.

So for PHP hostings we do it the following way: Hostings have 2 users  
that share their primary group. One user is for SFTP Access, the other  
one is the user that is used as a SuExec option, let's call it  
"run-user". The FCGIWrapper Script is placed outside of the hosting  
path and owned by the run-user and the shared group. All the scripts  
uploaded by the user are owned by the sftp user. So in general scripts  
can't overwrite themselves - the user needs to specifically enable the  
group to have write access, to allow uploads etc.

This setup is not really possible with the "SetHandler fcgid-script"  
option, as by SuExec rules the script it executes must be owned by the  
run-user.

So I tried to implement it the same way as I do it for PHP for perl.  
But I fail to find and/or write a correct FCGIWrapper Script that  
actually works. I found a couple of examples with:

--
#!/bin/sh
exec /usr/bin/perl -w
--

But they all seem to struggle with the same problem I then have:

--
[Thu Dec 08 22:14:53 2011] [warn] [client 127.0.0.1] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
[Thu Dec 08 22:14:53 2011] [error] [client 127.0.0.1] Premature end of script headers: index.pl
--

I'm not that experienced with perl, fcgi etc. But as far as I  
understood this is because calling perl directly is not really a  
CGI-savvy way, right? So quite obvious that this fails to work...

Hence my questions: Are there any alternative wrapper scripts around  
that should be used in my case? Is it simply not possible to execute  
perl scripts with mod_fcgid with a FCGIWrapper script? Or how could I  
achieve the same setup, I have for PHP, also for perl?

Thanks for your help!

~pete

[1] https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html#examples

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
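
The ownership layout described in the message above (wrapper outside the hosting path and owned by the run-user, uploads owned by the SFTP user, group write off by default) can be checked mechanically. This is an added example, not part of the original post or of mod_fcgid; the function names and arguments are assumptions, and it assumes uploaded files carry the shared primary group.

```shell
#!/bin/sh
# Added example: audit one hosting against the two-user layout from the post.
# Arguments are hypothetical; users may be names or numeric uids.
# Prints the number of findings on stdout, the details on stderr.

# flag DESCRIPTION FIND-ARGS...: report and count every path find matches.
flag() {
    desc=$1; shift
    hits=$(find "$@" -print)
    if [ -n "$hits" ]; then
        printf 'FINDING (%s):\n%s\n' "$desc" "$hits" >&2
        findings=$((findings + $(printf '%s\n' "$hits" | wc -l)))
    fi
}

audit_hosting() {
    wrapper=$1 docroot=$2 run_user=$3 sftp_user=$4
    findings=0

    # The wrapper has to live outside the hosting path.
    case $wrapper in
        "$docroot"/*)
            echo "FINDING (wrapper inside hosting path): $wrapper" >&2
            findings=$((findings + 1)) ;;
    esac

    # SuExec executes the wrapper, so it must belong to the run-user and
    # nobody else may be able to rewrite it.
    flag "wrapper not owned by run-user" "$wrapper" -prune ! -user "$run_user"
    flag "wrapper writable by group or others" \
        "$wrapper" -prune \( -perm -020 -o -perm -002 \)

    # Uploaded content belongs to the SFTP user ...
    flag "not owned by SFTP user" "$docroot" ! -user "$sftp_user"
    # ... and anything with the group or world write bit set can be modified
    # by the run-user (assumed shared primary group), i.e. by a vulnerable
    # script. Symlinks are skipped because their mode bits carry no meaning.
    flag "writable by run-user" \
        "$docroot" ! -type l \( -perm -020 -o -perm -002 \)

    echo "$findings"
}
```

Upload directories that were deliberately made group-writable show up as findings too, which gives a per-hosting list of everything a compromised script could modify.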

