[KLUG Members] cgi file not found

Stu Gillis members@kalamazoolinux.org
Fri, 14 Sep 2001 11:39:23 -0400


I checked for /bin/sh and lo and behold /bin/sh is a link to /bin/bash, hence the bash warning.
I'll have to see if fixing that will solve the problem along with changing the tick marks. Your security issues are well taken and will be addressed, but this is a development server for training behind a firewall with no data, so I'm not overly concerned. I tried to run the script as root to eliminate permissions as a possible problem. Bruce suggested fstab as a possible problem, so I'll check that. After lunch :-)

>>> jamie@mccarthy.vg 9/14/2001 11:11:03 AM >>>
The "no such file or directory" also shows up when you try to
execute a script whose bangpath doesn't point to a valid executable
file.  I'd expect /bin/sh to be a proper shell.  Maybe it got taken
out of your /etc/shells or something stupid like that.

Two things puzzle me about the errors you got.  First, it's bash
that complains, not sh.  So I don't think /bin/sh actually got
invoked to run your script, so maybe the problem _is_ that /bin/sh
isn't valid.  Second, it complains twice, which would suggest to
me that it's trying to run the script and it's something in the
script itself that failed (twice).  I'd think that would point to
who, or grep, or something, so maybe your $PATH is broken.

I also think you meant to use backticks here:

    ison='who | grep "${1}"'

should be

    ison=`who | grep "${1}"`

Also, as someone else pointed out, a shell script is asking for
security holes.  Use a language like perl which automatically keeps
track of "tainted" variable contents for you and does a decent job
of keeping you from letting outside data affect your local machine.
(It's not perfect, but, like a firewall, if you're a novice, it's
much better than nothing!)

Finally, two very concrete security warnings.  First, this .cgi is
group-writeable and its group appears to be your apache group.  If
your apache is running as group 'apache', then if there _are_ any
security holes in your site, it's likely that an attacker can modify
the source of the script itself.  This would not be a huge cause for
concern normally... but (this is the second warning) in the snippet
you paste below, you show yourself running this script as root!
There's no reason you should be testing these scripts as root.
For your own safety, you want to "su - someotheruser" and do your
testing with a set of permissions which don't have the potential of
frying your entire machine :)


Stu@trilogyusa.com (Stu Gillis) writes:

> One of our developers is trying to learn cgi. He put this
> pinggeneric file on our linux development server. If I ssh
> into the server and start konqueror, I see the file, I can
> right click on it and open it in an editor but if I left
> click on it I get a message that the file is not found. This
> is also the message that comes up in the developer's browser
> when he tries to run the script. Does anyone know why the
> system can't find a file that is obviously there?
> 
> [root@localhost cgi-bin]# ls -l
> total 8
> -rwxrwxr-x    1 root     nobody        289 Sep 14 08:17 pinggeneric
> -rwxrwxr-x    1 root     apache        289 Sep  6 07:12 pinggeneric.cgi
> [root@localhost cgi-bin]# exec ./pinggeneric
> bash: /var/www/cgi-bin/pinggeneric: No such file or directory
> bash: /var/www/cgi-bin/pinggeneric: No such file or directory
> [root@localhost cgi-bin]# pwd
> /var/www/cgi-bin
> [root@localhost cgi-bin]# cat pinggeneric
> #!/bin/sh
> 
> echo Content-type: text/html
> echo
> echo "<HTML><HEAD>"
> echo "<TITLE>Are You There?</TITLE>"
> echo "</HEAD><BODY>"
> ison='who | grep "${1}"'
> if [ ! -z "$ison" ]; then
>     echo "<P>$1 is logged in."</P>
> else
>     echo "<P>$1 isn't logged in."</P>
> fi
> echo "</BODY></HTML>"
--
 Jamie McCarthy
 jamie@mccarthy.vg 
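
Added example, not part of the thread or written by its participants: a POSIX shell check for the conditions discussed above, namely a bangpath that does not point to a valid executable, a group-writable CGI file, and testing as root. It goes one step beyond the thread by also flagging DOS line endings on the bangpath line, another way a script that exists can produce "No such file or directory"; `check_script` and its output labels are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the thread. check_script is a hypothetical helper.
# Prints one finding per line; returns 0 if clean, 1 if any finding, 2 if absent.
check_script() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "missing:$f"; return 2; }

    # The bangpath is the first line; the kernel execs whatever follows "#!".
    first=$(head -n 1 "$f")
    case $first in
        '#!'*) ;;
        *) echo "no-shebang"; return 1 ;;
    esac

    # DOS line endings leave a carriage return glued to the interpreter
    # name, so the kernel looks for "/bin/sh\r" and reports ENOENT.
    cr=$(printf '\r')
    case $first in
        *"$cr") echo "crlf-shebang"; rc=1 ;;
    esac

    # Isolate the interpreter path: drop "#!", the CR, leading spaces, args.
    interp=${first#'#!'}
    interp=${interp%"$cr"}
    interp=${interp#"${interp%%[! ]*}"}
    interp=${interp%% *}
    if [ ! -x "$interp" ]; then
        echo "bad-interpreter:$interp"; rc=1
    fi

    # Group- or world-writable CGI: the web server's group could rewrite it.
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "writable-by-group-or-other"; rc=1
    fi

    # Testing as root turns any flaw in the script into a root-level one.
    if [ "$(id -u)" -eq 0 ]; then
        echo "note:running-as-root"
    fi
    return $rc
}

# Usage: check_script /var/www/cgi-bin/pinggeneric
```
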