Help with CGI

Printable View

December 16th, 2002, 08:38 PM
eddiemontose

Help with CGI

I am having a bit of trouble with cgi scripts. Every script i run I get

Internal Server Error -- error 500

I check the log file and it always says premature end of script header. I have downloaded many scripts where they work on the persons site but I put them in my cgi-bin directory and call it up and I always get that.

I have attached one of the scripts can someone test it or see what i did wrong.

Any help apreciated. Oh yea scrips are set to 777
December 16th, 2002, 08:48 PM
nebulus200

Ok, first off, 777 is BAD. Set it to run as 700 and make sure the owner (perferably something like nobody) owns those files and is also running the http server.

500 means your script is having problems. First thing I recommend is trying to run the script from a command shell, this will often point out the line number of whatever is causing the problem. I suspect that you probably didn't copy the entire file over or maybe a long line got truncated. It should be pretty apparent once you try this (however it may not be possible in all cases).

To make any other recommendations, I would have to know: what is the language of the script? What software is running the web server ?

/nebulus
December 16th, 2002, 08:52 PM
eddiemontose

The script needs perl5 wich I have and I am running apache webserver under red hat linux.

I will try running script from shell
December 16th, 2002, 08:56 PM
nebulus200

Ok, look at the first line of the perl script, you should see something like:

#/usr/local/bin/perl

Make sure perl is in that location (you might be able to get away with a symbolic link if you don't feel like editing the script).

If it isn't one of those let me know and I will see what I can do to help, but I suspect it is probably you are either pointing to a wrong interpreter (/usr/local/bin/perl) or that you are missing a ' or ; or something somewhere in the script (which is usually the error returned by perl when it is missing something and then reaches the end of the file and can't find it, in which case trying to run it from the command line will proably help you figure out what you did) (leaning heavy towards second one).

/nebulus
December 16th, 2002, 09:06 PM
eddiemontose

Yes I did edit that so it links to where perl is. I ran the script from shell and got a few errors, I am going to run some other scripts and see what they say and maybe I can get one working

Thanks for the help
December 16th, 2002, 10:11 PM
SittingDuck

Am I right in thinking if you set it to 700 it would not run, as world and group have no rights to run the file, should it be 711, so they can execute the CGI file but not read it? Please tell me if I've got it wrong

SittingDuck
December 16th, 2002, 11:39 PM
emPtYKnOw

let me guess you are using emacs as your editor. When i opened up the file i noticed that it was in DOS mode meaning that ^M is appended to each line. If you were to use vi ^M would have not been hidden like emacs. My sugestion would would be to write a short perl script to delete the ^m or look on the net for a similar script. If you still cant find one let me know.
good luck

almost forgot the chmod should be set to 755 so the users can execute also but do not give them extra priveleges
December 16th, 2002, 11:52 PM
nebulus200

If you have your web server set to run as a certain unpriveleged user (like nobody), the web pages and scripts are owned by the same user, then 700 is absolutely sufficient (or 400/500 for non-scripts). I did take a look at the script that you provided and I don't see the ^M problem at the end of the lines; however, I did notice that you are shelling out and running commands, which may lead to problems. Your web user would have to have permission to be able run whatever binaries are being run (a few that come to mind were uname -r and man), or there would be problmes with things not displaying properly and perhaps even errors in output.

However, the error that you reported is more symptimatic of a missing ', ", ;, , , `, ), or } than a permission or binary problem. Another thing to consider is what environment the script would be running in, all of the binaries may not be in the same location on every system, you should probably do a search for them first and set some global value to it and then reference those commands with that variable.

I will mention that I pasted your script into a test computer with no network connectivity and it worked just fine from the command line, no errors. Check the syntax and permissions by running it from the command line as a normal user (if no errors, then it is probably a problem with permissions, so su - <webuser>, and run it again).

Hope this helps,

/nebulus
December 16th, 2002, 11:53 PM
SittingDuck

Ok I've checked it and for a CGI script you should be set to 711.

This would be
owner = Read, write and execute
group = execute
world = execute

For a static HTML file it should be 744

This would be
owner = Read, write and execute
group = read
world = read

SittingDuck
December 16th, 2002, 11:57 PM
emPtYKnOw

my bad nebulus you are right about the permissions...
December 17th, 2002, 12:00 AM
nebulus200

SittingDuck, that is true ONLY if your webserver is not running as the same user that owns the files on your web page, then, based on what you are doing, your permissions may have to be a little more open, but only then (for example, if you allow your local users to have their own web pages off of the server under ~username, then the owner would be the user, not your web user, then you would either have to set them in the same group as the web process (for the group privelages), or set the permissions on the web page files to allow other access, which leads to the 744 or 711.

/nebulus
December 17th, 2002, 12:42 AM
SittingDuck

Ok I had a think about this. I belive there are a few security problems that can be avided by NOT having the webserver run as the same user the owner as the files. Let me explain

If the owner of the files and the web server are the same then the you will need file setting of a minimun of 700 so the owner can edit and view them. What would be the point if they where set to 400 or 100(for a script file) or 500 as you would have to change the file permission every time you wished to edit the file.

So lets assume that you are running at 700, when someone connects to the webserver to view a page the webserver gets the page for them. This means any attacks via the web server will execicute with the privilages of the user the server is running as. this would mean that the attack could have full control of the files.

If you run the web server as a different user and the permissions are set as I have sugessted you don't this problem as the webserver has not right to change the file.

Just a little note, script file eg CGI, php, asp cfm etc etc the server that is accessing them should only have execute rights eg 1, there is not need for the server to read the file. Doing it this way will prevent any source code discloser(sp?).

For a static page the sever should onlt be able to read it.

If you are on a test setup at home and you are the only person who can see it, then does it really matter what the file perssion are?

SittingDuck
December 17th, 2002, 12:48 AM
nebulus200

Normally this would be true and under most normal circumstances, running the web server and having the web pages being served owned by the same is not very feasible; however, as an aside, I guess I haven't really had to worry about this cause I run the pages off of its own seperate partition that is mounted read only...kind of taken care of by default, but point taken :)

/nebulus