glendeni has asked for the wisdom of the Perl Monks concerning the following question:

I'm trying to remotely debug a cgi program running on a remote webserver from my local machine. The remote machine is my dedicated server running CentOS 3, the local machine Ubuntu 10.04, and I have root access to both. My understanding from documentation I've read is that when properly configured I should be able to run the ptkdb debugger on the remote webserver (invoked via a browser) and have the display appear on my local machine for interaction via my local keyboard.

I have the ptkdb debugger installed on the remote machine and know it works since from an X window to the cgi-bin directory on the remote machine via ssh I can run "/usr/bin/perl -d:ptkdb test.cgi" and an X window appears on my local machine with the ptkdb display.

To enable remote debugging from my local machine, I added the following to the remote test.cgi: 

#!/usr/bin/perl -d:ptkdb
sub BEGIN { $ENV{'DISPLAY'} = "local.router+firefall.ip:0.0" ; }

[download]
and then tried running test.cgi using my local machine's browser, expecting an X window to appear on my local machine with the ptkdb display, ala my first paragraph test. However the browser just spins and eventually times out. No /var/log/error_log entry appears.

On my local machine I have run, as both user and root, 

  xhosts webserver.ipnumber webserver.domainname

[download]

If what I am trying to do is possible, as the documentation I've found seems to indicate, then I assume that the problem lies in the firewall behind which my local machine resides, and the need to forward the display to the correct ip behind the firewall. I have in the past been able to successfully ssh into my local machine from outside by altering the Lynksys router/firewall - but for that case I knew what application name and port to specify, as the firewall setup requires, and here I know neither. I've tried using "ptkdb" and "perl" with ports 1-6000 with no success.

Advice would be appreciated (and I suspect would also be appreciated by others seeking to do the same - my google search did not seem to find anything addressing this issue). Or perhaps remotely debugging from behind a firewall in Perl cannot in reality be done.

Replies are listed 'Best First'.
Re: Remote ptkdb behind firewall
by oko1 (Deacon) on Feb 19, 2012 at 04:53 UTC

    Since you have root on the server, try running the script as the same user that owns the server processes ('www-data', 'apache', or 'nobody' are common) and see if you can still connect. If not, then that's where the problem lies. Since you're able to connect when running it from the CLI, the firewall probably doesn't have much to do with it.

    It's also quite likely that your DISPLAY setting is coming too late in the process to matter.

    Update: I just tried it out, for curiosity's sake, and it seems that you -can- set it in a BEGIN block - but you don't have a BEGIN block, you have a subroutine called BEGIN, which isn't the same thing at all. And yes, it's a permissions problem: the 'www-data' user on my machine can't connect to localhost:0.0 either. I'm not going to chase it down, but this seems like it would be a productive avenue for you to follow. :) 

    -- 
I hate storms, but calms undermine my spirits.
 -- Bernard Moitessier, "The Long Way"
[reply]
      but you don't have a BEGIN block, you have a subroutine called BEGIN, which isn't the same thing at all.

      AFAIK, there's no functional difference between a BEGIN block with and without "sub".  The docs say

      "These code blocks can be prefixed with "sub" to give the appearance of a subroutine (although this is not considered good style)."

      Where would you think a functional difference lies?

      As for the OP's problem, the issue presumably is that the www-data user doesn't have a cookie that would allow authentication with the X server.  The fact that it works via a separate ssh connection (with X forwarding) doesn't say much — it is because the ssh server sets up an appropriate DISPLAY/socket and cookie for the connection.  But that cookie can be transferred to a different account, if desired.  For this, list it from within the ssh connection's terminal with xauth. You'd get something like 

      $ xauth list $DISPLAY
somehost.domain.com:10  MIT-MAGIC-COOKIE-1  b412a470ac5605e443cd330f48
+bbc62e

      [download]

      Then switch to the www-data account and run (or run the same command from within the BEGIN block in the CGI) 

      xauth add somehost.domain.com:10 MIT-MAGIC-COOKIE-1 b412a470ac5605e443
+cd330f48bbc62e

      [download]

      and set DISPLAY to somehost.domain.com:10.  This adds the cookie to the user's xauth database file (by default ~/.Xauthority), and hence allows www-data to connect to the X server via the same tunnel that is used by the ssh connection.  Of course, this only works as long as the ssh connection is established (so you should keep it open while debugging).

[reply]
[d/l]
[select]

        AFAIK, there's no functional difference between a BEGIN block with and without "sub".

        Oh - that's a new one on me. :) Thanks!

        As for the OP's problem, the issue presumably is that the www-data user doesn't have a cookie that would allow authentication with the X server.

        Mmm... maybe. Or it might require having the remote X server listen for the connection on 6000+; depends on how 'ptkdb' is written, I would think. Most Linux distros these days run X with the '-nolisten tcp' option, which is quite the pain to disable (I needed to do it a while back, in similar circumstances); at that point, 'xhost hostname' allows communication from the other host, etc. As I'm sure you're aware, though, this has various security implications.

        (Ah, good old X, with its annoyingly-high level of access to root privileges and infuriatingly-arcane protocols. Always such fun. :)

        Update: I just tried it out. On my machines (Ubuntu "Oneiric Ocelot", both ends), setting the cookie didn't help; turning off '-nolisten tcp' and running 'xhost otherhost' popped up that 'ptkdb' window right away.

        Actually, I'm not very happy with that. When I get a little more time (I've got to run off to my boat and do a bunch of maintenance), I'm going to see if I can force it to work in a more reasonable way - i.e., the way you suggested - or figure out how to patch ptkdb so it works with that model, if possible. 

        -- 
I hate storms, but calms undermine my spirits.
 -- Bernard Moitessier, "The Long Way"
[reply]

Back to Seekers of Perl Wisdom