[freeside] signup.cgi problems (says 'not running as freeside user')

imp at justneworleans.com imp at justneworleans.com
Tue Apr 13 22:11:56 PDT 2004 

Hello Ivan,

Thanks for sending me in the right direction.  OpenBSD doesn't have suidperl,
but it does allow, nowadays at least, secure setuid scripts.  With this new
information in hand I was able to solve the initial problem; another, however,
has cropped up.  It might be helpful to later archive scourers to see the steps
I took, so, briefly:

1) /etc/fstab had the /var filesystem (where the script & Apache are) nosuid
restricted (OpenBSD default).  Changed this;
2) By default on OpenBSD, httpd runs in a chroot.  A few things were missing in
the chroot that the script/Apache needed: in this case, the /etc/spwd.db file
from outside the chroot that contained the entry for the 'freeside' user I had
added (I had an older one without 'freeside' in it), & the /dev/fd/# devices,
which I had to create inside the chroot with MAKEDEV.  /dev/fd is OpenBSD's
method of dealing with secure setuid scripts.  Helpful note: ktrace (or
equivalent) is a lifesaver if you run anything in a chroot, since you can see
when system calls fail, & what libraries are missing, etc.

But, the new problem:

Now that signup.cgi can be invoked by the webserver, it is getting the same
errors that I got from the command line before.  Another '500 internal server
error'; in the error_log:

"my" variable $prefix masks earlier declaration in same scope at /dev/fd/6 line
490.
connect: Socket operation on non-socket at
/usr/local/libdata/perl5/site_perl/FS/SignupClient.pm line 109.

and 'premature end of script headers' error.

A ktrace dump has slightly more specific information:

23604 perl    CALL connect(0x4,0x3c007780,ox6a)
23604 perl    NAMI "/usr/local/freeside/fs_signupd_socket"
23604 perl    RET connect -1 errno 38 Socket operation on non-socket
. . .
23604 perl    CALL write(0x2,0x3c1dae80,0x6b)
23604 perl    GIO fd 2 wrote 107 bytes
    "connect: Socket operation on non-socket at /usr/local . . .".

Again, I've followed the directions in the manual.  Here are the permissions
for
/usr/local/freeside/fs_signupd_socket (actually at /var/www/usr/local/freeside,
but inside the chroot it appears as /usr/local/freeside):

-rw------- 1 freeside freeside     0 Apr 13 23:05 fs_signupd_socket

I don't know what to make of the "my" variable masking, either.  Could it be
related to the socket problem?  

In any event, what could be causing the connection to the socket to fail, & how
might it be remedied?

Thanks again,
Henry



Quoting ivan <ivan at 420.am>:

> I don't believe OpenBSD has suidperl (like most other freenix) or secure
> setuid scripts (like Solaris).  You could try "wrapsuid" from the Perl
> distribution (or something similar) or compile Perl yourself and include
> suidperl.
> 
> -- 
> _ivan
> 
> 
> On Tue, Apr 13, 2004 at 08:11:11PM -0500, imp at justneworleans.com wrote:
> > 
> > 
> > I'm having a problem getting signup.cgi to run on my public webserver (as
> > opposed to the freeside backend server).  My browser reports a '500
> internal
> > server error' when I try to access the file; the Apache error log shows
> the
> > following relevant information:
> > 
> > -----
> > [Tue Apr 13 19:31:38 2004] [error] [client 66.93.250.250] script not found
> or
> > unable to stat: /cgi-bin/setup.cgi
> > Use of uninitialized value in numeric ne (!=) at
> > /usr/local/libdata/perl5/site_perl/FS/SignupClient.pm line 26.
> > not running as freeside user
> > Compilation failed in require at /cgi-bin/signup.cgi line 31.
> > BEGIN failed--compilation aborted at /cgi-bin/signup.cgi line 31.
> > [Tue Apr 13 19:32:06 2004] [error] [client 66.93.250.250] Premature end of
> > script headers: /cgi-bin/signup.cgi
> > -----
> > 
> > I'm using: OpenBSD 3.4 (patch branch), Perl rev 5.0 version 8 subversion
> 0,
> > Freeside 1.4.1 (stable, fresh off the download site), all the requisite
> perl
> > modules pulled off CPAN & showing no symptoms of malfunction.  
> > 
> > I've folowed the instructions at
> http://www.sisd.com/freeside/docs/signup.html
> > to a tee.  
> > 
> > The permissions for signup.cgi are as follows:
> > 
> > -r-sr-xr-x 1 freeside freeside  20702 Apr 11 14:29 signup.cgi
> > 
> > Apache runs as user 'www'.
> > 
> > When invoked from the command line as user 'freeside', it produces the
> > following
> > to stdout:
> > 
> > "my" variable $prefix masks earlier declaration in same scope at
> ./signup.cgi
> > line 490.
> > connect: Socket operation on non-socket at
> > /usr/local/libdata/perl5/site_perl/FS/SignupClient.pm line 109.
> > 
> > 
> > These two responses together are all the output I've managed to get out of
> the
> > script so far.  Needless to say I haven't got it to the point where I can
> see
> > how it interacts with my Freeside backend.
> > 
> > Is there something I'm missing, & if so, what could it be?
> > 
> > Thanks, everyone.
> > 
> > Regards,
> > Henry
> > 
> > ----------------------------------------------------------------
> > Fast reliable Internet with all the bells & whistles.  First two months for
> the price of one.  Just New Orleans.com! http://www.justneworleans.com 
> > 
> 
> -- 
> _ivan
> 




----------------------------------------------------------------
Fast reliable Internet with all the bells & whistles.  First two months for the price of one.  Just New Orleans.com! http://www.justneworleans.com

More information about the freeside-users mailing list