
Re: mod_perl File Extension Configuration instead of a Path Configuration

  • JupiterHost.Net
    Message 1 of 11 , May 3, 2004
      petersm wrote:

      > If you want to do something like this ... every file ending in .pl is run as
      > an Apache::Registry (mod_perl 1) script you could do something like this in
      > your httpd.conf
      >
      > [snip]
      >
      > PerlModule Apache::Registry
      > AddHandler perl-script .mpl
      > PerlHandler Apache::Registry
      >
      > [/snip]

      Excellent thanks!

      > This kind of setup is dangerous if you have users who can put .mpl scripts
      > anywhere inside of the document tree 'cause those scripts will run with the

      If they only have access to /home/user it would be cool right?
      IE: it would be just as dangerous as running a regular perl or shell or
      OTHER_LANGUAGE_HERE script in their home dir, correct?

      > same permissions that your own scripts run with. If you can control the whole
      > document tree it's not that bad.

      mod_perl scripts are run with the permissions of the user correct?
      IE if Apache it's 'nobody' or otherwise (getpwuid($>))[0]

      > Michael Peters
      > Venzia
      >
      > ---------- Original Message -----------
      > From: "JupiterHost.Net" <mlists@...>
      > To: modperl@...
      > Sent: Mon, 03 May 2004 10:31:56 -0500
      > Subject: Re: mod_perl File Extension Configuration instead of a Path Configuration
      >
      >
      >>Sorry to top post...
      >>
      >>So is it (the subject/original email below) impossible then?
      >>
      >>Or is it possible just not advisable?
      >>
      >>TIA
      >>
      >>JupiterHost.Net wrote:
      >>
      >>>Hello group!
      >>>
      >>>Super mod_perl newbie here :)
      >>>
      >>>I was wondering if it's possible to setup mod_perl in httpd.conf with a
      >>>File Extension Configuration instead of a Path Configuration.
      >>>
      >>>IE - everything with the .mpl extension is run under mod_perl instead of
      >>>everything in /perl/ being run under mod_perl...
      >>>Something like:
      >>> AddHandler mod_perl-script .mpl
      >>>
      >>>If it is possible what benefits/problems/issues would there be to think
      >>>about vs a Path configuration?
      >>>
      >>>Where might I find good documentation about how to do this and what
      >>>issues you'd encounter/have to consider (I didn't see anything at
      >>>perl.apache.org... which I'm sure is my fault ;p )?
      >>>
      >>>TIA
      >>>
      >>>Lee.M - JupiterHost.Net
      >>>
      >>>
      >>
      >>--
      >>Report problems: http://perl.apache.org/bugs/
      >>Mail list info: http://perl.apache.org/maillist/modperl.html
      >>List etiquette: http://perl.apache.org/maillist/email-etiquette.html
      >
      > ------- End of Original Message -------
      >
      >
      >
      >

      --
      Report problems: http://perl.apache.org/bugs/
      Mail list info: http://perl.apache.org/maillist/modperl.html
      List etiquette: http://perl.apache.org/maillist/email-etiquette.html
    • Perrin Harkins
      Message 2 of 11 , May 3, 2004
        On Mon, 2004-05-03 at 12:39, JupiterHost.Net wrote:
        > IE: it would be just as dangerous as running a regular perl or shell or
        > OTHER_LANGUAGE_HERE script in their home dir, correct?
        [...]
        > mod_perl scripts are run with the permissions of the user correct?
        > IE if Apache it's 'nobody' or otherwise (getpwuid($>))[0]

        No, when you run things with mod_perl, they run in the apache server
        process. They will always have the same permissions as the apache
        server. It is not safe to run untrusted scripts under mod_perl. (There
        is all kinds of hand-waving about using Safe or something, but the only
        thing I would trust is an entirely separate server running as an
        unprivileged user.)

        More info on configuration options is available here:
        http://perl.apache.org/docs/1.0/guide/config.html

        If you want to just run .pl scripts under specific directories through
        mod_perl, the docs there will tell you how (using a <FilesMatch>
        directive).

        - Perrin
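
The server-wide extension mapping quoted earlier in the thread, next to the directory-scoped <FilesMatch> form mentioned above, as an added example that is not part of Perrin's message. The path /var/www/site/cgi-bin is a placeholder, and the AllowOverride block for /home is an assumption about where user-writable content lives.

```apache
# Added example for mod_perl 1 / Apache 1.3; paths are placeholders.

PerlModule Apache::Registry

# Server-wide form from the thread: any *.mpl file anywhere in the document
# tree, including user-writable directories, runs inside the httpd process.
#
#   AddHandler perl-script .mpl
#   PerlHandler Apache::Registry

# Scoped form: only *.mpl files under one admin-controlled directory are
# handed to Apache::Registry.
<Directory "/var/www/site/cgi-bin">
    Options +ExecCGI
    <FilesMatch "\.mpl$">
        SetHandler perl-script
        PerlHandler Apache::Registry
    </FilesMatch>
</Directory>

# Assumption: user content lives under /home. AllowOverride None keeps a
# user's .htaccess from mapping their own files to the perl-script handler.
<Directory "/home">
    AllowOverride None
</Directory>
```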

      • dreamwvr@dreamwvr.com
        Message 3 of 11 , May 3, 2004
          Hi,
          I have a handler that currently simply authenticates
          a user. Then once they are authenticated they are able to
          run a specific program with diff args living on the server.

          The thing is the program can take from 10 to like 60 seconds
          to complete results.
          This means that:
          page never really loads since it is waiting for
          results that take far too long to get. Just looking for
          other opinions on handling this cleanly.

          TIA,
          dreamwvr@...

        • Perrin Harkins
          Message 4 of 11 , May 3, 2004
            On Mon, 2004-05-03 at 13:23, dreamwvr@... wrote:
            > The thing is the program can take from 10 to like 60 seconds
            > to complete results.
            > This means that:
            > page never really loads since it is waiting for
            > results that take far too long to get. Just looking for
            > other opinions on handling this cleanly.

            This is a solved problem. Either fork or use a queue. Randal has a
            column that shows the forking technique well:

            http://www.stonehenge.com/merlyn/WebTechniques/col20.html

            - Perrin

          • JupiterHost.Net
            Message 5 of 11 , May 3, 2004
              Thanks for your input! I really appreciate it!

              Perrin Harkins wrote:
              > On Mon, 2004-05-03 at 12:39, JupiterHost.Net wrote:
              >
              >>IE: it would be just as dangerous as running a regular perl or shell or
              >>OTHER_LANGUAGE_HERE script in their home dir, correct?
              >
              > [...]
              >
              >>mod_perl scripts are run with the permissions of the user correct?
              >>IE if Apache it's 'nobody' or otherwise (getpwuid($>))[0]
              >
              >
              > No, when you run things with mod_perl, they run in the apache server
              > process. They will always have the same permissions as the apache

              So if I did it the .mpl way then /usr/foo/bar.mpl and /usr/foo/baz.mpl
              will run as nobody (IE untrusted user with less privileges)

              (Regular .pl scripts currently run under suexec which I know mod_perl
              can't do since you can't split up a single process like that, will that
              hinder mod_perl from running?)

              Which is just as [in]secure as /home/foo/bar.pl ,
              /home/foo/stuff/baz.sh, /home/foo/public_html/luz.py, correct?

              (Maybe more secure since 'nobody' has less privs than 'foo', correct?)

              > server. It is not safe to run untrusted scripts under mod_perl. (There
              > is all kinds of hand-waving about using Safe or something, but the only
              > thing I would trust is an entirely separate server running as an
              > unprivileged user.)
              >
              > More info on configuration options is available here:
              > http://perl.apache.org/docs/1.0/guide/config.html

              I'll definitely take a look, thanks!

              > If you want to just run .pl scripts under specific directories through
              > mod_perl, the docs there will tell you how (using a <FilesMatch>
              > directive).

              Oh, good idea! then I can limit it to cgi-bin and .mpl... hmmmm excellent :)

              > - Perrin

            • Perrin Harkins
              Message 6 of 11 , May 3, 2004
                On Mon, 2004-05-03 at 17:24, JupiterHost.Net wrote:
                > So if I did it the .mpl way then /usr/foo/bar.mpl and /usr/foo/baz.mpl
                > will run as nobody (IE untrusted user with less privileges)

                If that's who your server runs as, then yes. The "nobody" user has the
                same privileges as any other user on the systems I'm familiar with. That
                user typically has no login, but may have permission to write to certain
                directories, etc.

                > (Regular .pl scripts currently run under suexec which I know mod_perl
                > can't do since you can't split up a single process like that, will that
                > hinder mod_perl from running?)

                I'm not sure what you're asking. If you add something to your conf to
                make all of your .pl scripts run through mod_perl, they won't run
                through suexec anymore. You would have to keep them as CGI for that to
                work. If you set it up to run some directories through CGI and some
                through mod_perl, that will work fine.

                > Which is just as [in]secure as /home/foo/bar.pl ,
                > /home/foo/stuff/baz.sh, /home/foo/public_html/luz.py, correct?

                Running them under mod_perl is less secure in the sense that anyone can
                write a script that messes around with globals, redefines core perl
                functions, etc. and messes up other people's scripts, since they are all
                running in the same interpreter. You really should not run untrusted
                code under mod_perl without isolating it to its own apache server.

                > (Maybe more secure since 'nobody' has less privs than 'foo', correct?)

                Again, "nobody" is just another user.

                - Perrin
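
The isolation recommended above (untrusted code in its own Apache server), as added configuration fragments that are not part of Perrin's message: a second httpd instance with mod_perl running under its own account, reached through the main server by mod_proxy. The account name foo_perl, port 8081, the /foo-perl/ URL prefix and all file paths are placeholders.

```apache
# Added example for mod_perl 1 / Apache 1.3; names, port and paths are
# placeholders.

# --- httpd-modperl-foo.conf: back-end instance for one customer ---
# Start this instance as root so User/Group take effect; its children then
# run as foo_perl rather than as the account the main server uses.
Listen 127.0.0.1:8081
User  foo_perl
Group foo_perl
PidFile  /var/run/httpd-modperl-foo.pid
ErrorLog /var/log/httpd/modperl-foo-error.log
DocumentRoot "/home/foo/public_html"

PerlModule Apache::Registry
<Directory "/home/foo/public_html">
    Options +ExecCGI
    AllowOverride None
    <FilesMatch "\.mpl$">
        SetHandler perl-script
        PerlHandler Apache::Registry
    </FilesMatch>
</Directory>

# --- main httpd.conf: front end, needs mod_proxy, no perl-script handler ---
# Requests are relayed to the back end; a script that clobbers globals or
# redefines functions only affects the interpreter in foo's own instance.
ProxyPass        /foo-perl/ http://127.0.0.1:8081/
ProxyPassReverse /foo-perl/ http://127.0.0.1:8081/
```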

              • JupiterHost.Net
                Message 7 of 11 , May 3, 2004
                  Perrin Harkins wrote:

                  > On Mon, 2004-05-03 at 17:24, JupiterHost.Net wrote:
                  >
                  >>So if I did it the .mpl way then /usr/foo/bar.mpl and /usr/foo/baz.mpl
                  >>will run as nobody (IE untrusted user with less privileges)
                  >
                  >
                  > If that's who your server runs as, then yes. The "nobody" user has the
                  > same privileges as any other user on the systems I'm familiar with. That
                  > user typically has no login, but may have permission to write to certain
                  > directories, etc.

                  cool, gotcha

                  >>(Regular .pl scripts currently run under suexec which I know mod_perl
                  >>can't do since you can't split up a single process like that, will that
                  >>hinder mod_perl from running?)
                  >
                  >
                  > I'm not sure what you're asking. If you add something to your conf to
                  > make all of your .pl scripts run through mod_perl, they won't run
                  > through suexec anymore. You would have to keep them as CGI for that to
                  > work. If you set it up to run some directories through CGI and some
                  > through mod_perl, that will work fine.

                  That's it exactly :)
                  If .pl run as regular scripts under suexec they'll be run as 'foo'
                  instead of 'nobody' but any mod_perl scripts will be run as 'nobody'
                  but neither will break the other...


                  >>Which is just as [in]secure as /home/foo/bar.pl ,
                  >>/home/foo/stuff/baz.sh, /home/foo/public_html/luz.py, correct?
                  >
                  >
                  > Running them under mod_perl is less secure in the sense that anyone can
                  > write a script that messes around with globals, redefines core perl
                  > functions, etc. and messes up other people's scripts, since they are all
                  > running in the same interpreter. You really should not run untrusted
                  > code under mod_perl without isolating it to its own apache server.

                  I see, perhaps I need to look into setting it up to run their own
                  mod_perl apache so they can shoot themselves in the foot instead of others :)

                  >>(Maybe more secure since 'nobody' has less privs than 'foo', correct?)
                  >
                  >
                  > Again, "nobody" is just another user.
                  >
                  > - Perrin

                  Thanks for the great info!

                • JupiterHost.Net
                  Message 8 of 11 , May 4, 2004
                    DJ wrote:
                    > I don't know if this has been answered, since I deleted my email but the
                    > answer is:
                    >
                    > <Files *.mpl>
                    > SetHandler perl-script
                    > PerlHandler Your::Module
                    > </Files>

                    Thanks DJ!

                    I did get this earlier:

                    PerlModule Apache::Registry
                    AddHandler perl-script .mpl
                    PerlHandler Apache::Registry

                    so incorporating the 2 it would be:

                    <Files *.mpl>
                    SetHandler perl-script
                    PerlHandler Apache::Registry
                    </Files>

                    After mod_perl is built as a DSO in Apache?

                    Is either method more preferable?

                    I'd do either in the main config section or in an <IfModule mod_perl.c>
                    section?

                    TIA