Protecting a perl program
The FAQchest
faqchest at abac.com
Fri May 17 00:31:49 CDT 2002
~sdpm~
Hi Joel,
Your assumption on point 2/ is not correct. Using ".htaccess" files
does not restrict you to blocking all files in the directory. Apache has
ways to control individual or multiple files, depending on their name or
on patterns matching their name.
Let us know how it worked for you,
Thierry
Try this:
1/ edit this .htaccess
-------------------
<Files toto.html>
AuthName "SDPM Joel"
AuthType Basic
AuthUserFile /etc/httpd/conf/sdpm/sdpm-htpassword
AuthGroupFile /etc/httpd/conf/sdpm/sdpm-htgroup
Require group cleared
</Files>
This will add control to only "toto.html" in this directory.
2/ Control files:
--------------
mkdir /etc/httpd/conf/sdpm/
htpasswd -bc /etc/httpd/conf/sdpm/sdpm-htpassword toto moi
echo "cleared: toto" >> /etc/httpd/conf/sdpm/sdpm-htgroup
Of course, here I have complete control of my apache server: it sits on
a Linux server to which I have root access. If you are setting up a CGI
directory at an ISP, you need to create a "conf" directory somewhere
outside of the "documentroot" directory and indicate the absolute path to
it in the .htaccess file.
3/ Added security
--------------
Inside a .htaccess file that you will locate at the top root of the
documentroot tree, add the following:
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
This will block "hackers" from typing /.htaccess as a URL, having it
displayed on screen and learning about your server's architecture.
4/ Hacking
-------
Now, if your ISP does his job well, he'll chroot your ftp account so
that you don't have access to the other users' login directories. You
cannot know the absolute path of your own site, and it is mandatory
that you indicate the absolute path to your passwd and group files.
Place this simple CGI shell script to hack into your ISP's server:
#!/bin/sh
# Author: webmaster at efsd.com
#
TMP=/tmp/efsd.org_$$.txt
# OS name and major.minor kernel version, used below to pick the ps options
# (the original "set -a arch osver" only replaced the positional parameters)
arch=`uname -s`
osver=`uname -r | cut -d "." -f 1,2`
trap "cd /tmp; rm -f $TMP 1>&- 2>&-; exit" 0 1 2 3 15
echo 'Content-type: text/plain'
echo ''
echo '-------------------------------------------------'
echo "Here below is the complete header of your request"
echo '-------------------------------------------------'
set | sort
echo ''
echo '-------------------------------------'
echo "Process data:"
echo '-------------------------------------'
echo ''
echo ' date: '`date`
echo ' host: '`uname -a`
echo 'hostname: '`hostname`
echo ' whoami: '`whoami`
# echo ' logname: '`logname` # only for interactive logins
echo ' PID: '$$
echo ' pwd: '`pwd`
echo ' cvs ?: '`type cvs`
echo ' perl ?: '`type perl`
echo ''
echo '---------'
echo ' perl v: '
perl -v 2>&1
echo ''
echo '---------'
echo ' cvs v: '
cvs -v 2>&1
echo ''
echo '---------'
echo ' df -k: '
df -k 2>&1
echo ''
echo '---------'
echo ' sendmail: '
sendmail -d0.1 -bt < /dev/null
echo ''
echo ''
echo ''
echo '---------'
if [ -r /proc/cpuinfo ]; then
echo ' /proc/cpuinfo found present: '
cat /proc/cpuinfo
echo ''
else
echo ' no /proc/cpuinfo found present '
fi
echo '---------'
if [ -r /proc/meminfo ]; then
echo ' /proc/meminfo found present: '
cat /proc/meminfo
echo ''
else
echo ' no /proc/meminfo found present '
fi
echo '---------'
if [ -s /etc/passwd ]; then
echo ' /etc/passwd found present: '
cat /etc/passwd
else
echo ' no /etc/passwd found present '
fi
echo '---------'
if [ -s /etc/shadow ]; then
echo ' /etc/shadow found present: '
cat /etc/shadow
else
echo ' no /etc/shadow found present '
fi
echo '---------'
echo ''
echo ''
echo '-------------------------------------'
echo "Who is currently logged in?"
echo '-------------------------------------'
echo ''
case "$arch" in
HP-UX) ps -ef;
;;
SunOS)
if [ "$osver" = "5.8" ]; then ps -ef
elif [ "$osver" = "5.7" ]; then ps -ef
elif [ "$osver" = "5.6" ]; then ps -ef
else
ps -aux
fi
;;
Linux)
if [ "$osver" = "2.4" ]; then ps -ef
elif [ "$osver" = "2.2" ]; then ps -ef
else
ps -aux
fi
;;
*) ps -ef;
;;
esac
echo '------------- done -----------------'
echo ''
Joel Fentin wrote:
>
> ~sdpm~
> This is not about obfuscated wet T-shirts.
>
> 1. Is there a *standard* way of requiring user name & password
> before I let someone run a perl program on the www?
>
> 2. Do I put an .htpasswd file in the cgi-bin directory? This (if
> it works) carries the disadvantage that all programs in that
> directory require UN & PW.
>
> 3. Or do I code the protection right into the program?
>
> 4. Or some other way?
>
> --
> Joel Fentin tel: 760-749-8863 FAX: 760-749-8864
>
> email: joel at fentin.com web: fentin.com
> ~sdpm~
>
> The posting address is: san-diego-pm-list at hfb.pm.org
>
> List requests should be sent to: majordomo at hfb.pm.org
>
> If you ever want to remove yourself from this mailing list,
> you can send mail to <majordomo at happyfunball.pm.org> with the following
> command in the body of your email message:
>
> unsubscribe san-diego-pm-list
>
> If you ever need to get in contact with the owner of the list,
> (if you have trouble unsubscribing, or have questions about the
> list itself) send email to <owner-san-diego-pm-list at happyfunball.pm.org> .
> This is the general rule for most mailing lists when you need
> to contact a human.
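To show how the pieces of the reply above fit together (a <Files> block that only guards toto.html, a user file, a group file, and the <Files .htaccess> block that denies everyone), here is an added Python model of the decision Apache makes for one request. It is an illustration written for this page, not Apache's code and not from the post: it handles only the directives shown, the user and group entries are constructed sample data, and the password scheme is assumed to be htpasswd's {SHA} format rather than the crypt() format that "htpasswd -bc" produced in 2002.

```python
import base64
import fnmatch
import hashlib
import hmac
import re


def sha_entry(user, password):
    """One htpasswd line in the {SHA} scheme: user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


# Constructed sample files, standing in for sdpm-htpassword and sdpm-htgroup
HTPASSWD = "\n".join([sha_entry("toto", "moi"), sha_entry("alice", "s3cret")])
HTGROUP = "cleared: toto\nstaff: alice toto\n"   # group: member member ...

HTACCESS = """\
<Files toto.html>
AuthName "SDPM Joel"
AuthType Basic
AuthUserFile /etc/httpd/conf/sdpm/sdpm-htpassword
AuthGroupFile /etc/httpd/conf/sdpm/sdpm-htgroup
Require group cleared
</Files>
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
"""


def parse_htpasswd(text):
    """Map user -> stored hash from 'user:hash' lines."""
    users = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            user, hashed = line.split(":", 1)
            users[user.strip()] = hashed.strip()
    return users


def parse_htgroup(text):
    """Map group -> set of members from 'group: m1 m2 ...' lines."""
    groups = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            group, members = line.split(":", 1)
            groups[group.strip()] = set(members.split())
    return groups


def check_password(users, user, password):
    """Verify a {SHA} entry; constant-time compare so a mismatch leaks nothing."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False        # unknown user, or a scheme this model does not implement
    candidate = sha_entry(user, password).split(":", 1)[1]
    return hmac.compare_digest(stored, candidate)


def parse_htaccess(text):
    """Extract <Files> sections with the two directives the post relies on."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"<Files\s+(\S+)>", line)
        if m:
            current = {"pattern": m.group(1), "groups": [], "deny_all": False}
            sections.append(current)
        elif line == "</Files>":
            current = None
        elif current is not None:
            if line.startswith("Require group "):
                current["groups"] = line.split()[2:]   # Require group g1 g2 ...
            elif line.lower() == "deny from all":
                current["deny_all"] = True
    return sections


def evaluate(filename, credentials=None,
             htaccess=HTACCESS, htpasswd=HTPASSWD, htgroup=HTGROUP):
    """Status this model gives a request: 200, 401 (challenge) or 403 (forbidden).
    credentials is (user, password) from a Basic Authorization header, or None."""
    users, groups = parse_htpasswd(htpasswd), parse_htgroup(htgroup)
    for section in parse_htaccess(htaccess):
        # <Files> names match the basename; Apache also accepts shell wildcards
        if not fnmatch.fnmatchcase(filename, section["pattern"]):
            continue
        if section["deny_all"]:
            return 403          # host-based denial: credentials are irrelevant
        if section["groups"]:
            if credentials is None:
                return 401      # the browser is sent the AuthName challenge
            user, password = credentials
            if not check_password(users, user, password):
                return 401      # wrong user or password: challenge again
            if not any(user in groups.get(g, set()) for g in section["groups"]):
                return 403      # valid login, but not in a required group
    return 200                  # no section applies: the file is public


if __name__ == "__main__":
    for req in [("index.html", None), ("toto.html", ("toto", "moi")),
                ("toto.html", ("alice", "s3cret")), (".htaccess", ("toto", "moi"))]:
        print(req, "->", evaluate(*req))
```

Running it shows the point of the reply: index.html is served without any login, toto.html challenges until "toto"/"moi" is supplied, "alice" logs in fine but is refused because she is not in "cleared", and .htaccess itself is refused to everybody regardless of credentials.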