
cgi wrapper configuration

chrisf
7 July 2014, 12:07

Hiawatha version: 9.6
Operating System: Centos 6

After getting hiawatha to serve cgi files and not send them to the reverse proxy, I have found a problem in that cgi-wrapper is not chrooting properly.

My cgi-wrapper.conf:
# CGI wrapper configuration

CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi

Wrap = admin_wrapper;/home/admin;admin:admin

In the virtual host I have the wrap set properly, no errors in logs, but when running this cgi perl script:
#!/usr/bin/perl
use strict;
use warnings;

print "Content-Type: text/plain\r\n\r\n";
print "list home directory:\n\n";
# Lists /home as seen by the script; under a working chroot this would show
# the new root's /home rather than the host's.
my $output = `ls /home`;
print $output;

It prints out the /home directory, even though it should be chrooted to /home/admin.

I do not understand.
chrisf
7 July 2014, 19:29
I will try to explain more. This is a shared hosting server; the cgi-wrapper.conf is populated automatically with each user, {user}_wrapper and their home directory. They may have multiple websites, each with a directory under /home/{user}

So /home/{user}/domain1.com/
/home/{user}/domain2.com/

Etc.... I am trying to chroot an environment where a user cannot access any other user's files, including server files, using the cgi-wrapper. I spent all night until I fell asleep at the computer!

I tried changing:
Wrap = admin_wrapper;/usr/chroot|/home/admin;admin:admin

Created /usr/chroot. Got errors in the log about no valid cgi handler. Copied perl into the chroot directory. That error went away, but now there is no script execution and the error log says cgi not in website root. But all admin files are under /home/admin.

I am lost. Please help.
chrisf
7 July 2014, 20:04
Further testing, changed wrap to:

Wrap = admin_wrapper;/home/admin|domain1.com;admin:admin

Now error.log reports:
107.178.47.25|Mon 07 Jul 2014 13:59:09 -0400|/home/admin/domain1.com/test.cgi|CGI-wrapper: execvp() error
107.178.47.25|Mon 07 Jul 2014 13:59:09 -0400|/home/admin/domain1.com/test.cgi|CGI returned 500 Internal Error

chrisf
8 July 2014, 05:50
I even created a /usr /usr/bin /usr/lib/perl5 under /home/admin and still the same error.
Hugo Leisink
8 July 2014, 21:25
In the source tarball, there is a script extra/newroot. This script can be used to copy binaries and all required libraries to a new directory. Copy /bin/sh to your chroot directory and use the chroot command line tool to chroot to your new root directory. Check whether executing Perl and the other interpreters works ok.
chrisf
8 July 2014, 23:34
THANK YOU!!

New problem

Using your script and my own bash script, I have it automatically copy the required files for perl and python, about 25 MB, into a client's home directory. We have about 100 clients per box, so the 2.5 G isn't a big loss for the complete security we can now offer.

My problem is with the Wrap arguments. Since a client may have multiple domains under his 'new root', I cannot get the Wrap command to use the '/' of the new root for cgi requests. Explanation:

I tried:
Wrap = admin_wrapper;/home/admin|;admin:admin

In theory, all files under that chroot should work? But error.log always says 'CGI not in WebSite root'.

Tried
Wrap = admin_wrapper;/home/admin|/;admin:admin
Wrap = admin_wrapper;/home/admin|./;admin:admin
Wrap = admin_wrapper;/home/admin|../;admin:admin

Always the same error. CGI not in website root

How to do this?
chrisf
10 July 2014, 06:26
I have tried many different ways, but unless I put the domain directory after the pipe it always says CGI not in website root.

I do not want to make multiple wrappers per account. I just want to chroot to the home directory, and have all files within it be runnable, including subdirectories. It just does not work.
Hugo Leisink
11 July 2014, 17:00
I will test the entire cgi-wrapper soon.
chrisf
11 July 2014, 22:19
I will be awaiting your solutions.
chrisf
13 July 2014, 23:51
Not trying to be too big of a pain

Can you just change the wrapper so if nothing is after the pipe, everything in the chroot is valid to run.

Example:
Wrap = admin_wrapper;/home/admin|;admin:admin

Would allow:
/home/admin/domain1.com/test.cgi
/home/admin/domain2.net/test.cgi

And so on. Obviously /home/admin would not be in the path, as that would be the root; it was written for example purposes.
chrisf
19 July 2014, 00:32
any good news?

Very excited to offer perl again on our production servers, we removed it after some malicious activity
Hugo Leisink
19 July 2014, 00:54
I know what the cause is. Shouldn't be hard to fix. Hopefully this weekend a beta, but no final release soon. I'm quite busy at the moment and leaving for a 2 week vacation next week.
Hugo Leisink
19 July 2014, 07:38
At line 168 of src/cgi-wrapper.c, change *pipe = '/'; to
if (*(pipe + 1) == '\0') {
*pipe = '\0';
} else {
*pipe = '/';
}
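To make the effect of that change concrete, here is an added example. It is not Hiawatha's cgi-wrapper.c (the thread only shows the five lines above), but a small model of how a Wrap value of the form id;chroot|webroot;uid:gid can be split and how a "CGI not in website root" check of the kind reported in the thread behaves with and without the fix. The struct layout, field sizes, the shape of the containment check (prefix match followed by a '/'), and the handling of ".." are assumptions made for this example; only the pipe handling is taken from Hugo's post.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Hiawatha's source. Models "Wrap = id;chroot|webroot;uid:gid".
 * Field names, sizes and the check below are assumptions for illustration. */
struct wrap {
    char id[64];
    char chroot_dir[256];    /* directory to chroot() into; "" means no chroot   */
    char website_root[256];  /* directory (host view) the CGI script must be in  */
    char user[32];           /* resolve with getpwnam()/getgrnam() before setuid */
    char group[32];          /* and refuse a result of uid 0 (left as a comment) */
};

static void copy_field(char *dst, size_t dstlen, const char *src, size_t n) {
    if (n >= dstlen) {
        n = dstlen - 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Parse the value after "Wrap =". Returns 0 on success, -1 if malformed.
 * fixed == 0 models the original behaviour (the '|' always becomes '/');
 * fixed != 0 applies the change from the thread: nothing after '|' means
 * the website root is the chroot directory itself. */
int parse_wrap(const char *value, int fixed, struct wrap *w) {
    const char *semi1 = strchr(value, ';');
    if (semi1 == NULL || semi1 == value) {
        return -1;
    }
    const char *semi2 = strchr(semi1 + 1, ';');
    if (semi2 == NULL || semi2[1] == '\0') {
        return -1;
    }
    copy_field(w->id, sizeof w->id, value, (size_t)(semi1 - value));

    char buf[512];
    copy_field(buf, sizeof buf, semi1 + 1, (size_t)(semi2 - semi1 - 1));
    char *pipe = strchr(buf, '|');
    if (pipe == NULL) {
        w->chroot_dir[0] = '\0';                 /* no chroot requested          */
    } else {
        copy_field(w->chroot_dir, sizeof w->chroot_dir, buf, (size_t)(pipe - buf));
        if (fixed && pipe[1] == '\0') {
            *pipe = '\0';                        /* "chroot|"    -> "chroot"     */
        } else {
            *pipe = '/';                         /* "chroot|sub" -> "chroot/sub" */
        }
    }
    copy_field(w->website_root, sizeof w->website_root, buf, strlen(buf));

    const char *ids = semi2 + 1;                 /* "user" or "user:group"       */
    const char *colon = strchr(ids, ':');
    if (colon == NULL) {
        copy_field(w->user, sizeof w->user, ids, strlen(ids));
        w->group[0] = '\0';                      /* caller uses the user's primary group */
    } else {
        copy_field(w->user, sizeof w->user, ids, (size_t)(colon - ids));
        copy_field(w->group, sizeof w->group, colon + 1, strlen(colon + 1));
    }
    return 0;
}

/* Assumed shape of the "CGI not in website root" check: the script path must
 * start with website_root and continue with a '/', so that /home/admin does
 * not match /home/administrator. A trailing '/' on website_root (the unfixed
 * "chroot|" case) therefore fails for every script. ".." is refused outright
 * here; a real implementation should canonicalise with realpath() instead. */
int cgi_in_website_root(const struct wrap *w, const char *script) {
    size_t n = strlen(w->website_root);
    if (n == 0 || strstr(script, "/../") != NULL) {
        return 0;
    }
    if (strncmp(script, w->website_root, n) != 0) {
        return 0;
    }
    return script[n] == '/';
}

int main(void) {
    const char *line = "admin_wrapper;/home/admin|;admin:admin";   /* from the thread */
    const char *script = "/home/admin/domain1.com/test.cgi";
    struct wrap w;
    int fixed;
    for (fixed = 0; fixed <= 1; fixed++) {
        if (parse_wrap(line, fixed, &w) != 0) {
            return 1;
        }
        printf("%s: chroot=%s website_root=%s allowed=%d\n",
               fixed ? "fixed" : "original", w.chroot_dir, w.website_root,
               cgi_in_website_root(&w, script));
    }
    return 0;
}
```

With the original handling the empty part after the pipe turns "/home/admin|" into the website root "/home/admin/", which the check above never accepts; with the fix the root becomes "/home/admin" and scripts under any domain directory in that chroot pass, while "/home/admin|domain1.com" still limits execution to that one domain. The model also reproduces the earlier "/usr/chroot|/home/admin" outcome, where the two parts are glued into "/usr/chroot//home/admin" and nothing under /home/admin matches. In a real wrapper the user and group names must be resolved with getpwnam()/getgrnam() and a resolved uid or gid of 0 refused before chroot() and setuid() are called.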
chrisf
19 July 2014, 19:54
Well, that didn't go well

Since I am using KloxoMR to handle automation of everything, when I cmake hiawatha it just, well, breaks other things. [laughing]

I guess I have to wait for you to release it and get the update from mr repos.

Thank you!
chrisf
20 July 2014, 19:06
Works perfectly Hugo, thank you. Mustafa added the fix to KloxoMR repos and I have been testing all day.

Add it to 9.7f

Again, thank you. Once directory urltoolkit is implemented, no more apache!
chrisf
20 July 2014, 19:07
p.s.
Have a great vacation!
Hugo Leisink
20 July 2014, 22:47
Thanks! You can test the beta of the next release [www.leisink.net] if you like. It should work fine, but still, it's a beta.
This topic has been closed.