Proper working with suexec on apache httpd 2.4 - perl

I am trying to run 3 separate domains on one machine, each with its own user (through virtual hosts), so I decided to use suExec for my task (it was also installed along with Apache):
Global Server configuration running on "apache" user and group.
The configuration of one of the users (the one I am trying to access with):
listen 9999
<VirtualHost *:9999>
ServerName *:9999
DocumentRoot "/home/efpanel/public_html"
ErrorLog "/home/efpanel/err.log"
<IfModule suexec_module>
# SuexecUserGroup efpanel efpanel
</IfModule>
# Directory settings...
...
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/home/efpanel/public_html/cgi-bin/"
</IfModule>
</VirtualHost>
The issue:
When the SuexecUserGroup line is commented out, a perl script runs as user "apache" - not what I want, but at least it runs.
HOWEVER: If I uncomment this line, even a simple perl script fails with error 500 (internal server error). Checking the log file, the error I get there is:
[Sat Dec 21 01:34:56.274872 2019] [cgi:error] [pid 31211] [client 183.28.7.14:7262] End of script output before headers: test.cgi, referer: http://99.99.99.99:9999/
Notes:
1) mod_suexec is installed and enabled (the below is the result of "ls -l /usr/sbin | grep suexec"):
-r-x--x--- 1 root apache 15440 Aug 8 07:42 suexec
2) I am running Apache 2.4 httpd on CentOS 7, CGI written in PERL.
3) I am aware that suEXEC only works on script files, but that is enough for me - if I somehow make it work.
4) Checking the configuration values, I cannot determine where is the suexec log file, and was unable to find it by "find / suexec.log" command. The configuration values are as follows (seems standard):
[root@vps cgi-bin]# suexec -V
-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_SYSLOG
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"
My only concern here is the "DOC_ROOT" which is "/var/www" and has anything common with "/home/efpanel" - but: a) I have no idea how to reconfigure suexec after it has been compiled, b) I don't think it is that necessary, maybe it is ok "as is"?
5) The cgi script, cgi-bin directory, public_html directory and /home/efpanel directory all belong to the same user and group (efpanel) and have access permissions of 0755, except "/home/efpanel", which has 0711.
6) I have tried to add "-w" in the first line of the script, as suggested here:
#!/usr/bin/perl -w
# Print the name of the effective user the script runs as.
my $u=(getpwuid $>)[0];
print "Content-Type: text/html\n\n$u";
exit 0;
As can be seen, it is a VERY simple script, and it fails.
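An added example (not part of the original post) that compares the script from the question with the limits compiled into suexec, following the checks documented for Apache's suEXEC security model for ordinary (non-UserDir) requests. The `suexec -V` values and the script path come from the question; the uid/gid of 1001 for `efpanel` and the function names are assumptions.

```perl
use strict;
use warnings;

# `suexec -V` output exactly as quoted in the question above.
my $suexec_v = <<'END';
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_SYSLOG
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"
END

# Parse "-D NAME=value" lines and bare "-D NAME" flags into a hash.
sub parse_suexec_v {
    my ($text) = @_;
    my %cfg;
    for my $line (split /\n/, $text) {
        next unless $line =~ /^\s*-D\s+(\w+)(?:=(.*?))?\s*$/;
        my ($name, $value) = ($1, $2 // 1);
        $value =~ s/^"(.*)"$/$1/;    # drop surrounding quotes
        $cfg{$name} = $value;
    }
    return %cfg;
}

# Return the documented suexec checks this target would fail (non-UserDir only).
sub suexec_problems {
    my ($cfg, $script, $uid, $gid) = @_;
    my @problems;
    (my $root = $cfg->{AP_DOC_ROOT}) =~ s{/+$}{};
    push @problems, "script is outside AP_DOC_ROOT ($root)"
        unless index($script, "$root/") == 0;
    push @problems, "uid $uid is below AP_UID_MIN ($cfg->{AP_UID_MIN})"
        if $uid < $cfg->{AP_UID_MIN};
    push @problems, "gid $gid is below AP_GID_MIN ($cfg->{AP_GID_MIN})"
        if $gid < $cfg->{AP_GID_MIN};
    return @problems;
}

my %cfg = parse_suexec_v($suexec_v);
# Path built from the question's ScriptAlias; uid/gid 1001 are constructed.
my @problems = suexec_problems(\%cfg,
    '/home/efpanel/public_html/cgi-bin/test.cgi', 1001, 1001);
print "AP_LOG_SYSLOG is set: suexec logs to syslog, not a suexec.log file\n"
    if $cfg{AP_LOG_SYSLOG};
print "FAIL: $_\n" for @problems;
print "all checked limits pass\n" unless @problems;
```

With the values from the question, the only failing check is the document root: the script lives under /home/efpanel while suexec was built with AP_DOC_ROOT="/var/www".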

Related

perl matching syntax with mail filter

We have a part of a mail filter that denies emailing system accounts for security purposes. We recently had a user created that ends in "bin". The bin user is restricted, but the user, let's say l.parrbin, gets flagged via the syntax below:
my @sysaccounts = qw(
root bin daemon adm lp sync shutdown halt mail
news uucp operator games gopher ftp nobody nscd
vcsa rpc mailnull smmsp apache pcap ntp dbus
avahi rpcusder nfsnobody sshd haldaemon xfs defang
clamav monit mysql decode webmaster mailer-daemon
nagios
);
foreach $acct(@sysaccounts){
if ($recip =~ /$acct\@/i){
md_syslog('info', 'Sysaccount Discard');
return('REJECT', "We do not accept messages to system accounts ($acct)");
}
}
How would I prevent the above code from returning REJECT if a name ends or starts with a name from the sysaccounts?
Try doing this :
if ($recip =~ /^$acct\@/i){
# ^
In regex, ^ is an anchor meaning beginning of line (string here)
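An added example (not from the original posts) that goes one step beyond the `^` anchor: it compares the whole local part of the recipient against the list with a hash lookup, so neither a prefix nor a suffix can match by accident. The function name `sysaccount_for`, the handling of angle brackets around the address, and the sample recipients are assumptions.

```perl
use strict;
use warnings;

# System account list from the post above.
my @sysaccounts = qw(
    root bin daemon adm lp sync shutdown halt mail
    news uucp operator games gopher ftp nobody nscd
    vcsa rpc mailnull smmsp apache pcap ntp dbus
    avahi rpcusder nfsnobody sshd haldaemon xfs defang
    clamav monit mysql decode webmaster mailer-daemon
    nagios
);
my %is_sysaccount = map { lc($_) => 1 } @sysaccounts;

# Return the system account a recipient addresses, or undef if none.
sub sysaccount_for {
    my ($recip) = @_;
    # Assumption: the address may arrive as "<user@domain>"; strip the brackets.
    (my $addr = lc $recip) =~ s/^\s*<|>\s*$//g;
    return unless $addr =~ /^([^\@]+)\@/;    # local part = everything before "@"
    return $is_sysaccount{$1} ? $1 : undef;
}

# Constructed recipients: two system accounts and two look-alikes.
for my $recip ('<bin@example.com>', 'Root@example.com',
               'l.parrbin@example.com', 'binder@example.com') {
    my $acct = sysaccount_for($recip);
    printf "%-24s %s\n", $recip, defined($acct) ? "REJECT ($acct)" : 'accept';
}
```

If the filter receives addresses wrapped in angle brackets, a bare `^$acct\@` pattern never matches, which is why the sketch normalizes the address first.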

Google sites liberation: Bad Request Invalid request URI

I keep getting
Jul 24, 2014 11:53:15 AM com.google.sites.liberation.export.ContinuousContentFeed$FeedIterator catchException
WARNING: Error retrieving response from query.
com.google.gdata.util.InvalidEntryException: Bad Request Invalid request URI
at com.google.gdata.client.http.HttpGDataRequest.handleErrorResponse(HttpGDataRequest.java:558)
at com.google.gdata.client.http.GoogleGDataRequest.handleErrorResponse(GoogleGDataRequest.java:543)
at com.google.gdata.client.http.HttpGDataRequest.checkResponse(HttpGDataRequest.java:536)
at com.google.gdata.client.http.HttpGDataRequest.execute(HttpGDataRequest.java:515)
I used (you can use this test account; I provide the password here below :) ).
java -jar google-sites-liberation-1.0.4.jar -w https://sites.google.com/site/hmmtestgsl/ -u hmmtestgsl@gmail.com -p aaabbbcccddd -f ./backup
and I changed the main in MANIFEST.MF to: Main-Class: com.google.sites.liberation.export.Main so that I can run it from command line.
Using
-w hmmtestgsl
instead of
-w https://sites.google.com/site/hmmtestgsl/
fixed it.

Where to find logs for a cloud-init user-data script?

I'm initializing spot instances running a derivative of the standard Ubuntu 13.04 AMI by pasting a shell script into the user-data field.
This works. The script runs. But it's difficult to debug because I can't figure out where the output of the script is being logged, if anywhere.
I've looked in /var/log/cloud-init.log, which seems to contain a bunch of stuff that would be relevant to debugging cloud-init, itself, but nothing about my script. I grepped in /var/log and found nothing.
Is there something special I have to do to turn logging on?
The default location for cloud init user data is already /var/log/cloud-init-output.log, in AWS, DigitalOcean and most other cloud providers. You don't need to set up any additional logging to see the output.
You could create a cloud-config file (with "#cloud-config" at the top) for your userdata, use runcmd to call the script, and then enable output logging like this:
output: {all: '| tee -a /var/log/cloud-init-output.log'}
So I tried to replicate your problem. Usually I work in Cloud Config and therefore I just created a simple test user-data script like this:
#!/bin/sh
echo "Hello World. The time is now $(date -R)!" | tee /root/output.txt
echo "I am out of the output file...somewhere?"
yum search git # just for fun
ls
exit 0
Notice that, with CloudInit shell scripts, the user-data "will be executed at rc.local-like level during first boot. rc.local-like means 'very late in the boot sequence'"
After logging in into my instance (a Scientific Linux machine) I first went to /var/log/boot.log and there I found:
Hello World. The time is now Wed, 11 Sep 2013 10:21:37 +0200! I am
out of the file. Log file somewhere? Loaded plugins: changelog,
kernel-module, priorities, protectbase, security,
: tsflags, versionlock 126 packages excluded due to repository priority protections 9 packages excluded due to repository
protections ^Mepel/pkgtags
| 581 kB 00:00
=============================== N/S Matched: git =============================== ^[[1mGit^[[0;10mPython.noarch : Python ^[[1mGit^[[0;10m Library c^[[1mgit^[[0;10m.x86_64 : A fast web
interface for ^[[1mgit^[[0;10m
...
... (more yum search output)
...
bin etc lib lost+found mnt proc sbin srv tmp var
boot dev home lib64 media opt root selinux sys usr
(other unrelated stuff)
So, as you can see, my script ran and was rightly logged.
Also, as expected, I had my forced log 'output.txt' in /root/output.txt with the content:
Hello World. The time is now Wed, 11 Sep 2013 10:21:37 +0200!
So...I am not really sure what is happening in your script.
Make sure you're exiting the script with
exit 0 #or some other code
If it still doesn't work, you should provide more info, like your script, your boot.log, your /etc/rc.local, and your cloudinit.log.
btw: what is your cloudinit version?

How to configure Perl/FCGI (FastCGI) with IIS 7.5?

I'm trying to get Perl/FastCGI (FCGI) running with IIS 7.5. The version of C:\Windows\System32\inetsrv\iisfcgi.dll is 7.5.7601.17514. Here's my web.config and my Perl script:
D:\MiLu\Dev :: more /t1 web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<directoryBrowse enabled="true" />
<handlers>
<add name="FCGI" path="*.pl" verb="*"
modules="FastCgiModule"
scriptProcessor="C:\Opt\Cygwin\bin\perl.exe"
resourceType="Unspecified" requireAccess="Script" />
</handlers>
</system.webServer>
</configuration>
D:\MiLu\Dev :: more /t4 Perl\fcgi\count.pl
use strict;
use warnings;
use FCGI;
my $count = 0;
my $request = FCGI::Request();
while ( $request->Accept >= 0 ) {
print "Content-type: text/html\r\n\r\n", ++$count;
}
All I'm getting is a 500 with a generic error page from IIS stating "The FastCGI process exited unexpectedly" and listing possible error causes.
The script runs fine from the command line, printing its three lines and then exiting immediately, indicating that script and module installation are alright. (I copied it from the FCGI manual, by the way, so it should be okay.)
D:\MiLu\Dev :: C:\Opt\Cygwin\bin\perl.exe Perl\fcgi\count.pl
Content-type: text/html
1
There is an FCGI::IIS module, however, it appears to have worked only for IIS 5.1 and 6.0.
FastCGI and Perl - FastCGI with Perl on IIS 5.1, 6
IIS and FastCGI/Scripting languages/Perl
The fact that there is a dedicated FCGI module for IIS suggests that IIS 5.1 and 6.0 provided their own non-standard FCGI implementation. So if this were true, what about IIS 7.5 then? Quite a lot of uncertainties.
The author of FCGI::IIS seems to have tried to make his module work with IIS 7.0 (Getting Perl working on IIS7 with FastCGI - 2007), but given up.
Where can I find something more concrete as to what the error is? Is there a log file? What should I be looking for in the Windows event viewer (eventvwr)?
Is there some magic incantation for IIS that I'm missing?
There's not much information out there on this combination. But it might work, in the end. There is a FastCGI Application configuration reference page here, and someone has got Catalyst to work with FastCGI on IIS 7.0 (Catalyst+IIS 7.0 on MS Windows 2008/Vista).
I've not done this for a while, and never with Cygwin.
In order to test this could you please download and install the latest active state perl for your architecture and try installing/configuring as below:
http://legacy.websitepanel.net/kb/installing-and-running-active-perl-runtime-as-isapi-on-microsoft-iis-7.0
Another reference:
http://blogs.iis.net/wadeh/archive/2009/04/13/running-perl-on-iis-7.aspx
Good luck.
I've just come across this. A lot of the links you reference are mine. At the time I was writing those guides, FastCGI for IIS was brand new, and the Vista version wasn't out yet. Unfortunately, due to work I ended up on other projects and didn't get the chance to continue with the guides once the Vista (IIS 7) version came out.
I've only just come to a project that needs this again, and in searching for a solution myself I came across your post. I've done some testing and managed to find a solution.
FastCGI works fundamentally differently on Windows to what it does on Linux. It's not just with the IIS version, but with the Apache version as well.
On Linux you can set FastCGI as the handler, and the shebang for the script will be enough to point it to Perl and do the right thing (as long as you've coded your script for FCGI or CGI::Fast).
On Windows you need to specify the FastCGI script you want to be invoked with the handler:
IIS 7:
IIS Manager -> Sites -> Web site -> Handler Mappings -> Add Module Mapping...
Request Path: test_script.fcgi
Module: FastCgiModule
Executable: c:\perl\bin\perl.exe|c:\inetpub\wwwroot\test_script.fcgi
Name: Test FCGI example
Click OK then select to add the FastCGI application. If you check the FastCGI settings for the server you'll need that the part after the | is set as the arguments to the executable (Perl).
Restart the server (not just the website). It should be working. Unfortunately, if you want to use this technique you'll need to add a mapping for each script. The FCGI::IIS module tried to work around this issue, but it has a lot of caveats and isn't finished.
Apache
I tested this on WAMP by copying the mod_fcgid.so file to the appropriate directory, and updating httpd.conf:
<IfModule fcgid_module>
FcgidInitialEnv PATH "C:/WINDOWS/system32;C:/WINDOWS;C:/WINDOWS/System32/Wbem;C:/Perl/bin"
FcgidInitialEnv SystemRoot "C:/Windows"
FcgidInitialEnv SystemDrive "C:"
FcgidInitialEnv TEMP "C:/WINDOWS/Temp"
FcgidInitialEnv TMP "C:/WINDOWS/Temp"
FcgidInitialEnv windir "C:/WINDOWS"
FcgidIOTimeout 64
FcgidConnectTimeout 16
FcgidMaxRequestsPerProcess 1000
FcgidMaxProcesses 1
FcgidMaxRequestLen 8131072
<Files ~ "test_script\.fcgi$">
Options Indexes FollowSymLinks ExecCGI
AddHandler fcgid-script .fcgi
FcgidWrapper "C:/Perl/bin/perl.exe c:/wamp/www/test_script.fcgi" .fcgi
</Files>
</IfModule>
I hope that helps anyone facing the same issues as you.
Lyle

Why does my simple fastCGI Perl script fail?

I'm not of the Perl world, so some of this is new to me. I'm running Ubuntu Hardy LTS with apache2 and mod_fcgid packages installed. I'd like to get MT4 running under fcgid rather than mod-cgi (it seems to run OK with plain-old CGI).
I can't seem to get even a simple Perl script to run under fcgid. I created a simple "Hello World" app and included the code from this previous question to test if FCGI is running.
I named my script HelloWorld.fcgi (currently fcgid is set to handle .fcgi files only). Code:
#!/usr/bin/perl
use FCGI;
print "Content-type: text/html\n\n";
print "Hello world.\n\n";
my $request = FCGI::Request();
if ( $request->IsFastCGI ) {
print "we're running under FastCGI!\n";
} else {
print "plain old boring CGI\n";
}
When run from the command line, it prints "plain old boring..." When invoked via an http request to apache, I get a 500 Internal Server error and the output of the script is printed to the Apache error log:
Content-type: text/html
Hello world.
we're running under FastCGI!
[Wed Dec 03 22:26:19 2008] [warn] (104)Connection reset by peer: mod_fcgid: read data from fastcgi server error.
[Wed Dec 03 22:26:19 2008] [error] [client 70.23.221.171] Premature end of script headers: HelloWorld.fcgi
[Wed Dec 03 22:26:25 2008] [notice] mod_fcgid: process /www/mt/HelloWorld.fcgi(14189) exit(communication error), terminated by calling exit(), return code: 0
When I run the .cgi version of the same code, it works fine. Any idea why the output of the script is going to the error log? Apache config is the default mod_fcgid config plus, in a VirtualHost directive:
ServerName test1.example.com
DocumentRoot /www/example
<Directory /www/example>
AllowOverride None
AddHandler cgi-script .cgi
AddHandler fcgid-script .fcgi
Options +ExecCGI +Includes +FollowSymLinks
</Directory>
The problem is that the "Content-Type" header is sent outside of the request loop. You must print the "Content-Type" header for every request. If you move
print "Content-type: text/html\n\n";
to the top of the request loop it should fix the problem.
Also, you need to loop over the requests or you'll get no benefit, so following the first poster's example:
my $request = FCGI::Request();
while($request->Accept() >= 0) {
print("Content-type: text/html\n\n");
}
I use CGI::Fast more than FCGI, but the idea is the same, I think. The goal of fast cgi is to load the program once, and iterate in a loop for every request.
FCGI's man page says:
use FCGI;
my $count = 0;
my $request = FCGI::Request();
while($request->Accept() >= 0) {
print("Content-type: text/html\r\n\r\n", ++$count);
}
Which means, you have to Accept the request before being able to print anything back to the browser.
Movable Type uses CGI::Fast for FastCGI. The typical FastCGI script runs in a loop, as mat described. A loop that uses CGI::Fast would look like this:
#!/usr/bin/perl
use strict;
use CGI::Fast;
my $count = 0;
while (my $q = CGI::Fast->new) {
print("Content-Type: text/plain\n\n");
print("Process ID: $$; Count is: " . ++$count);
}
I tested this script on a server with the FCGI and CGI::Fast modules installed and count increments as you'd expect. If the process id changes, count will go back to 1 and then increment within that process. Each process has its own variable space of course.
For MT, enabling FastCGI is a matter of renaming (or symlinking) the cgi scripts to 'fcgi' (or making the handler for 'cgi' scripts fcgid, but that won't work for mt-xmlrpc.cgi which isn't FastCGI friendly yet). You'll also need to add some directives to your mt-config.cgi file so that it knows the new script names. Like this:
AdminScript mt.fcgi
CommentsScript mt-comments.fcgi
And so forth. More documentation specific to FastCGI and Movable Type is available on movabletype.org.
Anyway, based on your server's error logs, it looks like FCGI is working, and being invoked properly, but your script just isn't running in a loop, waiting for the next request to come along. So your test script did accomplish the task -- reporting whether FastCGI is configured or not. So now you should be able to reconfigure MT to use FastCGI.