Protecting a perl program

The FAQchest faqchest at abac.com
Fri May 17 00:31:49 CDT 2002


~sdpm~
Hi Joel,

Your assumption on point 2/ is not correct. Using ".htaccess" files
does not restrict you to blocking all files in the directory. Apache has
ways to control individual or multiple files, depending on their name or
on patterns matching their name.

Let us know how it worked for you,
Thierry



Try this:

1/ edit this .htaccess
   -------------------

  <Files toto.html>
    AuthName "SDPM Joel"
    AuthType Basic
    AuthUserFile /etc/httpd/conf/sdpm/sdpm-htpassword
    AuthGroupFile /etc/httpd/conf/sdpm/sdpm-htgroup
    Require group cleared
  </Files>


This will add control to only "toto.html" in this directory.


2/ Control files:
   --------------

mkdir /etc/httpd/conf/sdpm/
htpasswd -bc /etc/httpd/conf/sdpm/sdpm-htpassword toto moi
echo "cleared: toto" >> /etc/httpd/conf/sdpm/sdpm-htgroup

Of course, here I have complete control of my apache server: it sits on
a Linux server I have root access to. If you are setting up a CGI directory
at an ISP, you need to create a "conf" directory somewhere outside of
the "documentroot" directory and indicate the absolute path to it in the
.htaccess file.


3/ Added security
   --------------

Inside a .htaccess file that you will locate at the top root of the
documentroot tree, add the following:

  <Files .htaccess>
    Order allow,deny
    Deny from all
  </Files>

This will block "hackers" from typing /.htaccess as a URL, having it
displayed on screen and learning about your server's architecture.


4/ Hacking
   -------

Now, if your ISP does his job well, he'll chroot your ftp account so
that you don't have access to the other users' login directories. You
cannot know the absolute path of your own site, and it is mandatory
that you indicate the absolute path to your passwd and group files.

Place this simple CGI shell script to hack into your ISP's server:


#!/bin/sh
# Author: webmaster at efsd.com
# 
TMP=/tmp/efsd.org_$$.txt
set -a arch osver
arch=`uname -s`
osver=`uname -r | cut -d "." -f 1,2`

trap "cd /tmp; rm -f $TMP 1>&- 2>&-; exit" 0 1 2 3 15

echo 'Content-type: text/plain'
echo ''
echo '-------------------------------------------------'
echo "Here below is the complete header of your request"
echo '-------------------------------------------------'
set | sort
echo ''
echo '-------------------------------------'
echo "Process data:"
echo '-------------------------------------'
echo ''
echo '    date: '`date`
echo '    host: '`uname -a`
echo 'hostname: '`hostname`
echo '  whoami: '`whoami`
# echo ' logname: '`logname` # only for interactive logins
echo '     PID: '$$
echo '     pwd: '`pwd`
echo '   cvs ?: '`type cvs`
echo '  perl ?: '`type perl`
echo ''
echo '---------'
echo '  perl v: '
perl -v 2>&1
echo ''
echo '---------'
echo '   cvs v: '
cvs -v 2>&1
echo ''
echo '---------'
echo '   df -k: '
df -k 2>&1
echo ''
echo '---------'
echo '   sendmail: '
sendmail -d0.1 -bt < /dev/null
echo ''
echo ''
echo ''
echo '---------'
if [ -r /proc/cpuinfo ]; then
  echo ' /proc/cpuinfo found present: '
  cat /proc/cpuinfo
  echo ''
else
  echo ' no /proc/cpuinfo found present '
fi
echo '---------'
if [ -r /proc/meminfo ]; then
  echo ' /proc/meminfo found present: '
  cat /proc/meminfo
  echo ''
else
  echo ' no /proc/meminfo found present '
fi
echo '---------'
if [ -s /etc/passwd ]; then
  echo ' /etc/passwd found present: '
  cat /etc/passwd
else
  echo ' no /etc/passwd found present '
fi
echo '---------'
if [ -s /etc/shadow ]; then
  echo ' /etc/shadow found present: '
  cat /etc/shadow
else
  echo ' no /etc/shadow found present '
fi
echo '---------'
echo ''
echo ''
echo '-------------------------------------'
echo "Who is currently logged in?"
echo '-------------------------------------'
echo ''
case "$arch" in
  HP-UX) ps -ef;
  ;;
  SunOS)
    if [ "$osver" = "5.8" ]; then ps -ef
    elif [ "$osver" = "5.7" ]; then ps -ef
    elif [ "$osver" = "5.6" ]; then ps -ef
    else
      ps -aux
    fi
  ;;
  Linux)
    if [ "$osver" = "2.4" ]; then ps -ef
    elif [ "$osver" = "2.2" ]; then ps -ef
    else
      ps -aux
    fi
  ;;
  *)     ps -ef;
  ;;
esac
echo '------------- done -----------------'
echo ''





Joel Fentin wrote:
> 
> ~sdpm~
> This is not about obfuscated wet T-shirts.
> 
> 1. Is there a *standard* way of requiring user name & password
> before I let someone run a perl program on the www?
> 
> 2. Do I put an .htpasswd file in the cgi-bin directory? This (if
> it works) carries the disadvantage that all programs in that
> directory require UN & PW.
> 
> 3. Or do I code the protection right into the program?
> 
> 4. Or some other way?
> 
> --
> Joel Fentin    tel: 760-749-8863    FAX: 760-749-8864
> 
> email: joel at fentin.com                web: fentin.com
> ~sdpm~
> 
> The posting address is: san-diego-pm-list at hfb.pm.org
> 
> List requests should be sent to: majordomo at hfb.pm.org
> 
> If you ever want to remove yourself from this mailing list,
> you can send mail to <majordomo at happyfunball.pm.org> with the following
> command in the body of your email message:
> 
>     unsubscribe san-diego-pm-list
> 
> If you ever need to get in contact with the owner of the list,
> (if you have trouble unsubscribing, or have questions about the
> list itself) send email to <owner-san-diego-pm-list at happyfunball.pm.org> .
> This is the general rule for most mailing lists when you need
> to contact a human.
~sdpm~
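A defender-side check for the setup in steps 1/ to 4/ above, added here as an example and not part of the original thread: it parses a .htaccess like the one shown, verifies that AuthUserFile/AuthGroupFile are absolute paths outside DocumentRoot and that the .htaccess itself is denied to web clients, and emulates the "Require group" membership test against an htgroup file. The function names, the sample .htaccess and the sample htgroup contents are constructed for this example.

```python
import re
from pathlib import PurePosixPath
# Constructed sample .htaccess mirroring the thread's steps 1/ and 3/.
SAMPLE_HTACCESS = """\
<Files toto.html>
  AuthUserFile /etc/httpd/conf/sdpm/sdpm-htpassword
  AuthGroupFile /etc/httpd/conf/sdpm/sdpm-htgroup
  Require group cleared
</Files>
<Files .htaccess>
  Order allow,deny
  Deny from all
</Files>
"""
# Constructed sample htgroup file, one "group: user user ..." line each.
SAMPLE_HTGROUP = "cleared: toto alice\nadmins: alice\n"
FILES_RE = re.compile(r"<Files\s+(\S+)\s*>(.*?)</Files>", re.S | re.I)

def parse_files_blocks(text):
    """Map each <Files pattern> to its (directive, argument) pairs."""
    blocks = {}
    for pattern, body in FILES_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        blocks[pattern] = [tuple((ln.split(None, 1) + [""])[:2]) for ln in lines]
    return blocks

def audit_htaccess(text, document_root):
    """Return findings for the checks the thread describes; [] means clean."""
    findings, root = [], PurePosixPath(document_root)
    blocks = parse_files_blocks(text)
    for pattern, directives in blocks.items():
        for name, arg in directives:
            if name.lower() in ("authuserfile", "authgroupfile"):
                path = PurePosixPath(arg)
                if not path.is_absolute():  # step 4/: Apache needs an absolute path
                    findings.append(f"{pattern}: {name} not absolute: {arg}")
                elif root in path.parents:  # step 2/: keep it outside DocumentRoot
                    findings.append(f"{pattern}: {name} inside DocumentRoot: {arg}")
    deny = {(n.lower(), a.lower()) for n, a in blocks.get(".htaccess", [])}
    if not deny & {("deny", "from all"), ("require", "all denied")}:  # step 3/
        findings.append(".htaccess itself is not denied to web clients")
    return findings

def group_allows(htgroup_text, group, user):
    """Emulate 'Require group <group>': True only if user is listed in it."""
    for line in htgroup_text.splitlines():
        name, sep, members = line.partition(":")
        if sep and name.strip() == group:
            return user in members.split()
    return False
```

The "Require all denied" form is accepted alongside "Deny from all" so the same check also passes on Apache 2.4-style configurations.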
