in reply to Perl CGI - Viewing logfiles - Security Issues

Unless I've misunderstood, the problem you have is that your soft-link is underneath the web-root directory.

The logs need to be accessible to the user that your web-server runs under, but that doesn't mean that they need to live inside your web-environment.

Here's an example script that I run on an intranet to allow me to view some log files - note that I cannot browse to these file directly from my browser.

#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(:standard escapeHTML);

# Fixed list of logs; the request only ever selects an index into it,
# so the browser never supplies a filesystem path.
my @logs = qw(/var/log/httpd/error_log /var/log/httpd/access_log /var/log/mysqld.log);

my $log = $logs[0];
my $idx = param('log');
# Anchored match: an unanchored /1|2/ would also accept "12" or "1x".
$log = $logs[$idx] if defined $idx && $idx =~ /^[12]$/;

print header();
print start_html(-title => $log);
print '<pre>';
if (open my $fh, '<', $log) {
    # Escape each line: access logs contain strings chosen by remote clients.
    print escapeHTML($_) while <$fh>;
} else {
    warn "cannot open $log: $!\n";
}
print '</pre>';
print end_html();

Note that I cannot just paste "/var/log/httpd/error_log" into my browser and expect it to return anything...

Tom Melly, pm@tomandlu.co.uk

Re^2: Perl CGI - Viewing logfiles - Security Issues
by Anonymous Monk on Jan 10, 2007 at 17:28 UTC

    You got exactly the issue I have. Your approach will work fine but for one issue because of my requirement.

    I have a softlink to the user directories under /usr/local/apache/htdocs as follows:

    wd -> /usr/local/wd/

    Then, I build the link using the 'soft link', 'username' & 'log file name' and present it in HTML format.

    One of the requirements is that I show the log files as 'links' in the HTML page so that the user can click and view the file(s), if they want to. Hence, I coded like what I had explained in the original post.

    Is there any way to still have the files as 'links' and also take care of the security issue?

      "Is there any way to still have the files as 'links'..."
      You could consider linking to a CGI script similar to Melly's above. You could pass the script a query string identifying the particular log needed.
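      As an added example (not code from anyone in this thread), here is one way to do what wfsp suggests for the per-user layout described above: the links carry only a username and a log name in the query string, the script maps them onto /usr/local/wd itself, and nothing under htdocs points at the log tree. The base directory, the two log file names and the username pattern are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example: serve per-user logs through CGI instead of a softlink
# under the web root. Paths and file names below are assumptions.
use strict;
use warnings;
use CGI qw(:standard escapeHTML);
use File::Spec;
use Cwd qw(realpath);

my $BASE    = '/usr/local/wd';                        # lives outside htdocs
my %ALLOWED = map { $_ => 1 } qw(access.log error.log); # only these names are served

# Whitelist both parameters, then make sure the resolved path is still
# inside $BASE (a symlink inside a user directory could point elsewhere).
sub resolve_log {
    my ($user, $name) = @_;
    return unless defined $user && $user =~ /\A[a-z][a-z0-9_-]{0,31}\z/;
    return unless defined $name && $ALLOWED{$name};
    my $path = realpath(File::Spec->catfile($BASE, $user, $name));
    return unless defined $path && index($path, "$BASE/") == 0;
    return $path;
}

my $user = param('user');
my $name = param('log');
print header(-charset => 'utf-8');

if (defined $user && !defined $name) {
    # Index page: each link is just a query string, never a filesystem path.
    print start_html(-title => 'Logs');
    for my $f (sort keys %ALLOWED) {
        my $q = 'user=' . escapeHTML($user) . ';log=' . escapeHTML($f);
        print qq{<a href="?$q">}, escapeHTML($f), "</a><br>\n";
    }
    print end_html();
    exit;
}

my $path = resolve_log($user, $name);
my $fh;
unless ($path && open $fh, '<', $path) {
    # Same answer for bad user, bad name, traversal attempt or missing file.
    print start_html(-title => 'Not found'), 'No such log.', end_html();
    exit;
}
print start_html(-title => "$user/$name"), '<pre>';
print escapeHTML($_) while <$fh>;   # log lines may contain client-supplied HTML
print '</pre>', end_html();
```

      Because the username and log name are validated against fixed patterns and the final path is checked against the base directory, the softlink under htdocs can be removed entirely.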

        Thanks Melly and wfsp

        It works fine now without showing the 'softlinks' in the url after I used wfsp's suggestion.

        However, I will have to figure out a way to avoid the 'softlinks' to the user directories in Apache settings, which is still a potential security issue.