PerlMonks  

CGI script cannot create file.

by Anonymous Monk
on Dec 18, 2012 at 08:31 UTC

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Greetings Monks, I'm developing a group of perl scripts that basically walk a user through setting up a website using flat file databases. (MySQL will come later) The basic command line scripts work just fine, but when I run it all through a web server, the script cannot open(FILE, ">MyFile"); My suspicion is that the script does not have permissions to create files when called by the web server. I think I need to know how to have perl use sudo, but I may be completely off course. Either way, I can't seem to get it to work. I've been looking all day and have not had any luck in finding the solution to this problem. Any and all help is appreciated, and thank you!

...
sub WebPassWrite {
    my $Pass = shift;
    open(PAS, ">hf");
    print PAS $Pass;
    close(PAS);
    my $HTML = "";
    $HTML .= "Password Stored<br><div class=\"MenuItem\" "
        ."onclick=\"SetupPassCheck(['Page'],['Title','Content'])\">"
        ."Continue</div>";
    return $HTML;
}
...

Replies are listed 'Best First'.
Re: CGI script cannot create file.
by Utilitarian (Vicar) on Dec 18, 2012 at 08:55 UTC
    As our anonymous monk above says, if you want to know what happened, you really should ensure you log it. Using an or die clause with every open ensures you know where you failed.

    As to using sudo in a CGI script: DO NOT DO THAT. Set up a directory that the nobody user (or whatever uid your web server runs under) has write access to.

    Hope that helps

    print "Good ",qw(night morning afternoon evening)[(localtime)[2]/6]," fellow monks."
Re: CGI script cannot create file.
by Anonymous Monk on Dec 18, 2012 at 08:37 UTC

    My suspicion is

    The great thing about computers is you don't have to suspect most of the time, you can know,

    open ... or die Fudge("open($file)");
    sub Fudge {
        use Errno();
        join qq/\n/,
          "Error @_",
          map { " $_" }
          int( $! ) . q/ / . $!,
          int( $^E ) . q/ / . $^E,
          grep( { $!{$_} } keys %! ),
          q/ /;
    }
      Alright, here's what I get in the log file
      Problem with code: Error open(PAS, '>hf'), 13 Permission denied, 13 Permission denied, EACCES
      So it does look like a permission issue. Is there a way to resolve this? Preferably a way that doesn't require my user to do anything (all done with beautiful perl)?
        Well, you could run the following at the command prompt as your user, it does use Perl after all ;)
        perl -e ' $apache = qx(ps -ef | grep httpd); @fields=split /\s+/, $apache; exec ("chown $fields[0] /path/to/flat/file/directory");'
        However, setting up a directory with write permission for the uid of the web service directly makes more sense from a certainty of action and security perspective.

        print "Good ",qw(night morning afternoon evening)[(localtime)[2]/6]," fellow monks."
Re: CGI script cannot create file.
by bart (Canon) on Dec 18, 2012 at 11:28 UTC
    Are you really trying to store a password in a text file accessible through the internet, by anybody who knows the name of the file, with an ordinary browser? Please don't do that.

    Store your file somewhere else, somewhere outside of the website space. And while you're at it, make it a directory where the apache user has write access to.

Re: CGI script cannot create file.
by GrandFather (Saint) on Dec 18, 2012 at 21:31 UTC

    Actually, don't store passwords at all. Instead store a hash of the salted password (md5 is ok, but see http://crackstation.net/hashing-security.htm) then match the password hash against the hash of the entered salted password. And then use the security tips offered above for storing the password hashes.

    True laziness is hard work
Re: CGI script cannot create file.
by blue_cowdawg (Monsignor) on Dec 18, 2012 at 15:05 UTC
        My suspicion is that the script does not have permissions to create files

    # somewhere in the main part of the script
    use CGI;
    use CGI::Carp qw/ fatalsToBrowser /;   # fatalsToBrowser is exported by CGI::Carp
    ...
    sub WebPassWrite {
        # ... mumble
        open PAS, "> hf" or die $!;    # Always catch errors!!!
    }

    You'll notice I've added the die $!; to your open statement. This eliminates some of the guesswork and worst case will emit to your server's log files some form of error that you can use to determine what happened.

    More commentary: Most web servers (Apache, IPlanet, whatever the hell Microsoft publishes these days) run CGI scripts as a restricted or trivial user. Some common userids under *nix that this happens as are as follows:

    • httpd (trivial user)
    • apache (trivial user)
    • nobody (restricted user)
    • nofiles (restricted user)
    In some rare cases (hosting providers for instance) they run either a web instance with the userid of the "owner" or CGI as the "owner" or both. In that event make sure you are writing the file to someplace under your home directory.

    I am not a big fan of using relative paths when opening a file for writing. There exists a danger that you end up writing the file someplace you don't expect. For instance if your CGI script is running as yourself (rare occasion) but the current working directory the script is running at is somewhere you don't have write access, your code is going to bomb.

    Lastly... I'm not sure what you are trying to accomplish here. Writing passwords to a file has attendant dangers. Make sure the permission bits on the file are restrictive enough to prevent prying eyes from looking at it. Having a CGI script write those passwords is an even worse idea. Gives hackers something to shoot at.


    Peter L. Berghold -- Unix Professional
    Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg
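
One way to apply the advice in the replies above (check every open, use an absolute path outside the web space, keep the permission bits tight), as an added example that is not code from the thread. The directory path is a placeholder and write_new_file is a hypothetical helper name.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;

# Assumed location: a directory outside the web root, created once by the
# account owner and writable by the web server's uid.
my $DATA_DIR = '/path/to/private/data';    # placeholder

# Returns nothing on success, or a diagnostic string for the server log.
sub write_new_file {
    my ($dir, $name, $content) = @_;

    # Accept plain names such as hf, .Site or Home.Page; reject anything
    # that could step outside the data directory.
    return "bad file name '$name'"
        unless $name =~ /\A[A-Za-z0-9_.]+\z/ && $name !~ /\A\.\.?\z/;

    my $path = File::Spec->catfile($dir, $name);

    # The effective user is the account that needs write access.
    my $who = getpwuid($>) // $>;
    return "directory $dir is not writable by $who (uid $>)"
        unless -d $dir && -w _;

    # O_EXCL: fail instead of overwriting, so setup never clobbers an
    # existing file. Mode 0600: readable and writable by the owner only.
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or return "cannot create $path as $who: $!";
    print {$fh} $content or return "write to $path failed: $!";
    close($fh)           or return "close of $path failed: $!";
    return;
}

# Constructed sample call; under CGI, warn output normally lands in the
# web server's error log.
if (my $err = write_new_file($DATA_DIR, 'hf', "constructed sample content\n")) {
    warn "setup: $err\n";
}
```

The diagnostic names the effective user, which is the uid the directory's owner has to grant write access to.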
      First off, thank you all for being so helpful.
      I'm still unsure about how to go about writing a file from a "setup" CGI script. I've tried everything I can find. I think I just don't understand the concept as deeply as I should.

      What I'm trying to accomplish is this:
      A Web setup that writes several files, and asks the user for input for these files. This setup only runs if the files it writes do not currently exist. It's supposed to create the following files:

      hf (My "password" file which as counseled by many of you will be changed to store as a salted hash.)

      .Site (this file contains the Site name, the meta tags, and a list of pages belonging to the site)

      Home.Page (An initial .Page file so that the index.pl has something to load.)

      .Menu (a list of pages that should have a link on the main menu)

      The person I'm creating this for is not tech savvy, and wants an extremely easy (Visual) way to update their website. They are using IPower which does not allow ssh (At least not for this particular Account) so I do not have the choice of running the scripts as the user. If there is any way to have a perl script login as the user whose home directory it has been copied to, that is what I really need to know.

      Again thank you all for providing me with so much good info. I will definitely be making use of the Hashing security info. And have already implemented the error checking now.
            If there is any way to have a perl script login as the user whose home directory it has been copied to, that is what I really need to know.

        That is entirely out of the purview of Perl. You need to work with the web server administrator to set this up. Since I don't know which web server package is in play here I can't even begin to comment on how this is done and I've administered my share of web servers over the years.


        Peter L. Berghold -- Unix Professional
        Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg
