World: r3wp
[CGI] web server issues
| older newer | first last |
| Graham 31-Aug-2007 [702] | why not try using set-net [ email localhost ] |
| james_nak 6-Sep-2007 [703] | Thanks all. In the end I switched hosts and their mx records work so problem solved. |
| Pekr 17-Sep-2007 [704x3] | I mentioned the possibility (to overcome REBOL web-hosting) to place rebol executable directly in the /cgi-bin/ directory. Someone on ML mentioned I should not do that, security wise, as calling http://www.my-domain/cgi-bin/rebol will spawn a process, which will run endlessly or so ... |
I just wanted to ask - wasn't there some change in the past, to prevent such case? Would it be sufficient to rename rebol.exe to something like EDB433BDD7C13851C7C68CB31A5ACF33A80CD2CC? :-) | |
Or what about building special rebol version using SDK, running by default in cgi mode, quitting imediatelly, if there is not get or post string? | |
| Chris 17-Sep-2007 [707] | My understanding is the latter would be slower. Also, QM (as an example) doesn't generally require a get query or post data (primarily uses path info). |
| Gabriele 18-Sep-2007 [708] | petr, it is much better to just put rebol in another dir. there is no reason to have it in /cgi-bin/ |
| Pekr 18-Sep-2007 [709x3] | aha, but can it be dir of my own site? |
I mean - let's say I don't have telnet available - just ftp to upload my site ... | |
but even then, putting it in another dir, in order to be able to run rebol, I have to set it as runnable too, no? So what is the difference in having it in cgi-bin or other directory, if permissions have to be equal? | |
| Rebolek 18-Sep-2007 [712] | Pekr, well they don't have to. Script's permissons are different from some random visitor's permissions. Script is local and not remote. |
| Gabriele 18-Sep-2007 [713] | the scripts have to be in cgi-bin, the interpreter can (and should) be somewhere else, where it is not accessible. |
| Pekr 18-Sep-2007 [714] | Gabriele - where it is not accessible? That means I need other then FTP access. That ruins easy REBOL deployment ... |
| Gabriele 18-Sep-2007 [715] | why? ftp access only gives access to cgi-bin? usually, you have your own home dir, with www and cgi-bin dirs inside. |
| Pekr 18-Sep-2007 [716x2] | I'll check, but with hosting I have I seem to have root set to my web root. |
So, in terms of my website, if I put rebol executable e.g. into /rebol/rebol.exe, is it any different security-wise to /cgi-bin/rebol.exe? | |
| Gabriele 18-Sep-2007 [718x3] | making rebol accessible is a security risk. i don't know of anything bad that you can make it do, but i'm sure it would not be too hard to make any interpreter do something bad if you allow it to be launched by anyone :) |
yes, /rebol/rebol.exe will not be executed by the web server, unless it is specifically configured to do so. | |
if it's in cgi-bin, maybe i could do something like http://yoursite/cgi-bin/rebol?-s--do delete... etc. | |
| Pekr 18-Sep-2007 [721] | hmm, then ice thing is, that when I run http://www.my-domain.com/cgi-bin/rebol --do "print 123", Apache returns error, stating I have no permission to do that. If I run cgi-bin/rebol, my browser does not seem to return, so I expect interpreter to run infinitely? |
| Gabriele 18-Sep-2007 [722] | (it shouldn't be that easy, but you get the idea) |
| Pekr 18-Sep-2007 [723] | hmm, woult there be an option to prepare special version of interpreter, using SDK, not allowing to accept any parameters, run only in CGI mode? |
| Gabriele 18-Sep-2007 [724] | maybe, but is it really worth it? i don't think anyone would put perl in cgi-bin for eg. so why rebol? |
| Pekr 18-Sep-2007 [725x2] | because ppl endlessly complain, there are no rebol web-hosts. So I thought I might have universal solutoin. Just find yourself web-host, which allows cgi scripts, and you are done ... |
I don't need it on my server, was trying to help other guys to not feel pressed from ISPs | |
| Gabriele 18-Sep-2007 [727] | afaik, any host that allows any cgi-bin will also allow you to upload rebol somewhere not in cgi-bin and then use it. |
| amacleod 18-Sep-2007 [728x2] | Any ISP that gives you FTP access to your account and CGI does provide |
access for rebol | |
| Pekr 18-Sep-2007 [730] | ah, so I really don't understand guys' point on ML, complaining that web-hosts are REBOL unfriendly. I tried with two, and those had no problem uploading rebol for me ... |
| amacleod 18-Sep-2007 [731] | What I have found to be a problem is accessing MySQL accounts from client based rebol scripts. They seem to only allow server based access. |
| Pekr 18-Sep-2007 [732x2] | amacleod. And how? |
With one host, I e.g. have: /home, /www, /tmp, /logs ... should I put into /home? | |
| Gabriele 18-Sep-2007 [734x2] | indeed, i think they are just lazy, and want rebol to work out of the box. they just have to upload it. it will work with 99% of the hosts right away. and the host should be able to easily solve that 1% case, unless they are morons and only allow php etc. by policy. |
yes, /home, maybe /home/bin or something like that. (/home/rebol/... would be ok too) | |
| Pekr 18-Sep-2007 [736x2] | But other hosting my friend has, is just and only his www root .... |
Gabriele - exactly my opinion .... | |
| Gabriele 18-Sep-2007 [738] | mysql: some hosts only allow socket access and not tcp access to mysql (because that's the default config for some distros.) but, that's something that they can enable without problems. |
| amacleod 18-Sep-2007 [739] | I have a rebol view app that I use to acces a MySQL database. I had it working and then ,y ISP decided to add security and no longer allow MySQL access unless its a script on the server. Ofcourse they did not inform me and it took some time to track down the problem.. |
| Pekr 18-Sep-2007 [740] | That is why I was trying to suggest to rename rebol to some AAAAAAABBBBBBBCCCC name, unpredictable, so it will get hardly noticed, even if someone would try ... (unless you do some bug and your shabang line gets reported back to browser :-) |
| Gabriele 18-Sep-2007 [741] | www root - well, you can put in www but outside cgi-bin, so it can be downloaded but not executed. or, worst case, hopefully they allow you to put a .htaccess to deny access to rebol itself. |
| amacleod 18-Sep-2007 [742] | At least that was the explanation I was given...\ |
| Pekr 18-Sep-2007 [743] | OK, I feel I miss knowledge on Unix permissions. So if cgi-bin dir as a whole has execute bit, everything in there can be executed? Hmm, and don't I need execute bit for rebol itself, even if put into other directory? |
| Gabriele 18-Sep-2007 [744x2] | it's not execute bit of the dir, and it has not much to do with unix permissions, it's web server config. normally, web server will only execute things from cgi-bin and not somewhere else. |
eg. in apache you have ScriptAlias directive to tell it where to allow executables. | |
| Pekr 18-Sep-2007 [746] | aha, ok ... so, if I put REBOL into other dir, even if it has execute bit in order to be runnable, Apache will not run it, as directive for the directory does not allow that, right? |
| Gabriele 18-Sep-2007 [747] | exactly. |
| Pekr 18-Sep-2007 [748x2] | but then it will be probably downloadable :-) www.domain.com/some-other-dir/rebol |
but maybe it could be prevented to be seen by setting some .httaccess option ... | |
| Gabriele 18-Sep-2007 [750] | yes, it will be downloadable unless you deny it with htaccess, but that's usually not a big problem. |
| btiffin 18-Sep-2007 [751] | Petr; DON'T :) Suggesting that people try and sneak REBOL past sysadmins is a really really really bad idea. If they can't be convinced to try it, then change ISP, or try to convinvce them again. Don't be making REBOL look all cracky. That is the kind of maneuver that could sink the ship. The rest of us like the ship, and we fly the flag of peace and truth, not the Jolly Roger. :) |
| older newer | first last |