in reply to Structuring a Web site and security issues

I've been using CGIwrap for years (probably ~8 now)...

1. I don't think your 'use lib' line is correct. It tells the script to go up a directory, and to try to go up what looks to be the URL path... which are not directories.

On shared systems, I keep my modules in my home directory, and might have a path like '/users/username/lib/perl5/' or similar. (it's outside of the directory that has my CGI scripts, and there's no 'cgiwrap' involved, as that's typically an executable). The folks at the hosting ISP should be able to help you.

2. I keep it in a file w/out group/world read permissions, outside of any location being served by the webserver (which may be in a perl module, as I don't keep those in a servable location). I don't tend to encrypt them, as the decryption routines (and the necessary seed) are all accessible from the machine, so it's just extra work for me to maintain, with little added security (but see answer to #3)

3. I don't believe there is such a thing as 'best practice'. You have to evaluate each situation differently, and determine what the potential benefits and risks are.

Now -- for the comments about CGIwrap itself ... yes, it adds a little overhead to a plain CGI call, so there are tradeoffs. (and it's much slower than mod_perl, or fastCGI). As for the security issues, the ones I know about are not from the main CGIwrap distribution -- they're from a modified version of CGIwrap that was shipped w/ Cobalt Raq servers. (later bought by Sun). There was a more recent report of a format string vulnerability about 2 years ago, but it was unsubstantiated. As with any tool, there are possibilities of misconfiguration (don't allow cgiwrapd to be called from remote subnets)...

The only thing I can think of that might be an issue is the error messages that CGIwrap throws when you have your system mis-configured (i.e., telling you that permissions are wrong, etc.), which might leak a little too much info to the outside world.


Re^2: Structuring a Web site and security issues
by bradcathey (Prior) on Dec 26, 2005 at 18:24 UTC

    Well, I just found out from Pair that I can't call a CGIwrapped module from my own script. So, I'm outta luck there.

    I'm leaning towards placing my instance scripts in a directory on the web side, but having them call my modules located in a directory in my home. For now, until I look at tirwhan's aforementioned piping scheme, I'm thinking of just keeping my config files in the same directory, because I can at least set it to 701.


    —Brad
    "The important work of moving the world forward does not wait to be done by perfect men." George Eliot

      I've also been using cgiwrap for a long time, and I loooove it.

      The idea of a cgiwrapped module doesn't really make sense. You need to launch your script with cgiwrap, then it will load your modules and you'll be happy.

      Instead of making your application and trying to figure out CGIwrap with it, make a few really simple scripts that test the functionality of CGIwrap. Then, once you've figured out CGIwrap, tackle your application.

      Here's what I'd recommend.

      Step 1) Make a really dopey whoami script..

      #! /usr/bin/perl -w -T
      print $<;

      I don't know if that will actually work. You might have to make it generate HTML tags, headers, etc... The important part is that it's a really simple script that only does one thing, which is print your UID.

      Step 2) Make a similarly dopey script that reads your config file. Maybe even a shell script, like this:

      #! /bin/bash
      cat /home/me/myfiles/.config

      When you're making the whoami script work, you might struggle with CGIwrap's funny URL convention. Make sure you understand it before you go any further. For example:

      If you have a script at /home/me/myfiles/cgi-bin/woot.pl

      You'd have to call it as http://myserver/cgi-bin/cgiwrap/me/woot.pl

      Your ISP can customise that, and they might even set up helpers to make it easier... Just make sure you understand it.

      Good Luck

      --Pileofrogs
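Steps 1 and 2 above combined into one taint-mode diagnostic, as an added example that is not Pileofrogs' own code: it prints the UID the script actually runs under and reports whether the config file (the /home/me/myfiles/.config path from the post, adjust to your own) is readable only by that user. The group/world-readable warning follows the earlier advice to keep the file without group/world read permissions.

```perl
#!/usr/bin/perl -w -T
# Added diagnostic (not from the thread): run it through cgiwrap and compare
# the reported effective uid with your login uid. Path below is an assumption.
use strict;
use warnings;

$ENV{PATH} = '/bin:/usr/bin';              # taint mode wants a clean PATH
my $config = '/home/me/myfiles/.config';   # assumed path, change to yours

print "Content-type: text/plain\n\n";

# Real and effective user/group the CGI process runs as.
my ( $uid, $euid ) = ( $<, $> );
my ($gid) = split ' ', $(;                 # $( is "gid gid ..."; first is primary
my $name = getpwuid($euid);
$name = 'unknown' unless defined $name;
print "real uid: $uid  effective uid: $euid ($name)  gid: $gid\n";

# Config file ownership and permission checks.
if ( !-e $config ) {
    print "config: $config does not exist\n";
    exit 0;
}
my @st    = stat $config;
my $mode  = $st[2] & 07777;
my $owner = $st[4];
printf "config: %s mode %04o owner uid %d\n", $config, $mode, $owner;
print "readable by this process: ", ( -r $config ? "yes" : "no" ), "\n";
print "WARNING: config is group/world readable (mode has g+r or o+r)\n"
    if $mode & 0044;
print "WARNING: config is not owned by the effective uid\n"
    if $owner != $euid;
```

If the effective uid printed is the web server's user rather than yours, cgiwrap is not wrapping the call and the URL convention below is the first thing to re-check.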

        The idea of a cgiwrapped module doesn't really make sense. You need to launch your script with cgiwrap, then it will load your modules and you'll be happy.

        Bing Bing Bing! Light goes on. Thanks!


        —Brad
        "The important work of moving the world forward does not wait to be done by perfect men." George Eliot