Access Denied.......problem #4
Myfanwy Hawley
Myfanwy.Hawley at alphawest.com.au
Tue Jul 21 02:58:52 PDT 1998
Thanks Ivan,
I now have some ideas for getting around this.
Creditcard.pm? Well I did have the file and I put it in
/usr/local/lib/perl5/site_perl/Business/ but it won't find it. So I have put
it in all the other locations that cust_main.cgi looks for and it still
won't find it. Help me!!!!
Myfanwy Hawley
Internet Services Engineer
For Comswest Internet HelpDesk call 1800 647 716
----------------------------------------------------------------------
Comswest Internet Services
(Services formerly provided by AlphaWest)
http://www.alphawest.net.au
----------------------------------------------------------------------
> -----Original Message-----
> From: Ivan Kohler [mailto:ivan at sisd.com]
> Sent: Tuesday, 21 July 1998 17:28
> To: Myfanwy Hawley
> Cc: 'Freeside List'
> Subject: Re: Access Denied.......problem #4
>
> Most all UNIX implementations have been historically vulnerable to a
> symlink security problem parsing the bang line (#!/usr/bin/some/program)
> in setuid scripts. I believe some still are. If your operating system
> falls in this category then no setuid scripts are safe and you should
> avoid using setuid scripts of any sort and wrap the .cgi programs in
> htdocs/ using a program such as `wrapsuid' from the Perl distribution.
>
> Some OS's disable setuid scripting, or have an option for doing so. Perl
> provides setuid emulation via taintperl on these operating systems.
>
> Lastly, some operating systems provide secure setuid scripting. If this
> is the case, it is possible that Perl failed to detect this when it was
> compiled.
>
> You should avoid setuid _shell_ scripts (#!/bin/sh, #!/bin/bash, etc.),
> which are difficult if not impossible to write securely, even if setuid
> scripts in general are secure on your operating system.
>
> Business::CreditCard from CPAN should be in the documentation.
> File::CounterFile, however, is missing. Sorry about that.
>
> On Tue, 21 Jul 1998, Myfanwy Hawley wrote:
>
> > Hi,
> >
> > Scene so far: setting up freeside with mysql, everything compiled and
> > seemed ok. So we went to our Freeside web page to start doing stuff and
> > came to a screeching halt.
> >
> > Well after getting over the .htaccess problem we are now getting when
> > trying to put in a New customer:
> > Forbidden
> > You don't have permission to access /edit/cust_main.cgi on this server.
> > (Similar error for all other cgi scripts)
> >
> > Now firstly it seemed to be a cgi problem as we are running script
> > aliases in Apache for this, so I put in the following lines in srm.conf:
> > ScriptAlias /cgi-bin/ /usr/local/etc/httpd/cgi-bin/
> > ScriptAlias /freeside-browse-cgi-bin/ /usr/local/etc/httpd/htdocs/browse/
> > ScriptAlias /freeside-edit-cgi-bin/ /usr/local/etc/httpd/htdocs/edit/
> > ScriptAlias /freeside-misc-cgi-bin/ /usr/local/etc/httpd/htdocs/misc/
> > ScriptAlias /freeside-search-cgi-bin/ /usr/local/etc/httpd/htdocs/search/
> > ScriptAlias /freeside-view-cgi-bin/ /usr/local/etc/httpd/htdocs/view/
> >
> > But I was still getting the above error. So I tried running the .cgi
> > from a command line and got "You haven't disabled setID scripts in
> > kernel yet. Fix this or c wrap" (that's not quite what it said but it's
> > the gist).
> > So...stumped again and not wanting to upset the kernel (if it ain't
> > broke don't touch it!!)....so I set about and created a chmod 755
> > cust_main.cgi then created a 4755 cust_main.sh and:
> > #! /bin/sh
> > /usr/local/etc/httpd/htdocs/edit/cust_main.cgi
> > This got around the setID problem. Now this allowed me to run one of
> > the other cgi scripts at command line, so I really wanted to test with
> > cust_main and when I tried to then run it from the command line it runs
> > but.....can't find Creditcard.pm. It tells me where it can't find the
> > file but it's there!!!!!!
> >
> > So can anyone give light to
> > A. What is causing the forbidden error
> > B. Why can't cust_main.cgi find CreditCard.pm
> > C. Is there an easy fix for the SetID problem.
> >
> > Myfanwy Hawley
> > Internet Services Engineer
> >
> > For Comswest Internet HelpDesk call 1800 647 716
> > ----------------------------------------------------------------------
> > Comswest Internet Services
> > (Services formerly provided by AlphaWest)
> > http://www.alphawest.net.au
> > ----------------------------------------------------------------------
>
>
> --
> Ivan Kohler <ivan at sisd.com> - finger for PGP key
> Silicon Interactive Software Design - http://www.sisd.com/
> Open-source billing and administration for ISPs - http://www.sisd.com/freeside
> 20 4,16 * * * saytime # consciousness is the missing symmetry
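The compiled wrapper Ivan recommends in place of a setuid `#!/bin/sh` script, as an added illustration that is neither Freeside's code nor the `wrapsuid` program: a setuid C binary that execs one fixed, absolute CGI path with a scrubbed environment. The `TARGET` path and the list of kept CGI variables are assumptions.

```c
/* Added example, not Freeside's code: a compiled setuid wrapper of the kind
 * Ivan suggests instead of a setuid #!/bin/sh script. A binary has no "#!"
 * line for the kernel to hand to an interpreter that re-opens the path, so
 * the bang-line symlink race does not apply to the wrapper itself.
 * TARGET and the kept-variable list are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define TARGET "/usr/local/etc/httpd/htdocs/edit/cust_main.cgi"

/* 0 if path is absolute, a regular file (lstat: a symlink planted in its
 * place is refused, not followed) and not group/world writable; otherwise
 * a code saying which check failed. A sanity check, not a race-free proof. */
int target_is_sane(const char *path) {
    struct stat st;
    if (path[0] != '/') return 1;
    if (lstat(path, &st) != 0) return 2;
    if (!S_ISREG(st.st_mode)) return 3;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 4;
    return 0;
}

/* Keep only the CGI variables Apache sets plus a fixed PATH, dropping
 * anything else the caller put in the environment (LD_PRELOAD, IFS, ...).
 * Returns the number of entries kept; out is NULL-terminated. */
size_t scrub_env(char *const env[], char *out[], size_t max) {
    static const char *keep[] = { "QUERY_STRING=", "REQUEST_METHOD=",
        "CONTENT_LENGTH=", "CONTENT_TYPE=", "SCRIPT_NAME=", "PATH_INFO=",
        "HTTP_COOKIE=", "REMOTE_USER=", "SERVER_NAME=", "SERVER_PORT=", NULL };
    size_t n = 0;
    out[n++] = "PATH=/usr/bin:/bin";
    for (size_t i = 0; env[i] != NULL && n < max - 1; i++)
        for (size_t k = 0; keep[k] != NULL; k++)
            if (strncmp(env[i], keep[k], strlen(keep[k])) == 0) {
                out[n++] = env[i];
                break;
            }
    out[n] = NULL;
    return n;
}

int main(void) {
    extern char **environ;
    char *env[64];
    if (target_is_sane(TARGET) != 0) return 1; /* refuse a suspect target */
    scrub_env(environ, env, 64);
    execle(TARGET, TARGET, (char *)NULL, env);
    perror("execle"); /* reached only if the exec failed */
    return 1;
}
```

Install the binary setuid instead of the script (e.g. mode 4755 on the wrapper, 755 on `cust_main.cgi`); the CGI itself then needs no setuid bit at all.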