Design advice: sending a signal to a daemon via HTTP
I'm using Apache on Ubuntu. I have a Perl script which basically reads the file names of a directory, then rewrites a text file, then sends a signal to a daemon. How can this be done, as securely as possible, through a web page?
Actually I can run a simplified cgi in the code below, but not if I remove the comments. I'm looking for advice considering any of:
- Using HTTP requests?
- How about Apache file permissions on the directory shown in the code?
- Is htaccess enough to enable user/pass access to the cgi?
- Should I use a database instead of writing to a file, and run a cron querying the db with permission granted to write and send the signal?
- Granting as few permissions as possible to the webserver.
- Should I set up a VPN?
#!/usr/bin/perl -wT
use strict;
use CGI;

# Read a directory listing. "my" is required under "use strict", and the
# user Apache runs as must be allowed to read /home/user for the glob to
# return anything.
#my @fileList = </home/user/*>;

my $query = CGI->new();
print $query->header( "text/html" ),
      $query->p( "FirstFileNameInArray" ),
      #$query->p( $fileList[0] ),   # output the first file in the directory
      $query->end_html;
Presumably, the error you're getting from the commented lines is a permission denied when trying to read the /home/user directory. The way to fix this is (surprise, surprise) to give the apache user[1] permission to read that directory. There are three primary approaches to doing this:

- In most environments, there's really no good reason to hide all filenames within a user's home directory, so you could make the directory world-readable with chmod a+r /home/user. Unless you have a specific reason to prevent the general public from knowing the names of the files in the user's home directory, I'd tend to recommend this approach.

- If you want to be a bit more restrictive about it, you could change /home/user to be owned by a group which the apache user belongs to (or add the apache user to the group that currently owns /home/user) and then set /home/user to be group-readable. This will make it accessible to all members of that group, but not the general public.

- If you need to have standard filesystem permissions applied to web access, you can look at configuring suexec so that individual requests can take on the permissions of users other than the apache user. This is normally the user who owns the code which is being run to handle the request (e.g., in this case, the user who owns your directory-listing script), but, if you're using htaccess-based authentication, it may be possible to configure suexec to decide which user's permissions to take on based on what user you log in as. (I avoid suexec myself, so I'm not 100% certain if this can be done and have no idea how to go about it if it can.)

[1] ...by which I mean the user that apache is running as; depending on your system config, this user may be named "apache", "httpd", "nobody", "www-data", or something else entirely.
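The two chmod-based approaches in the answer above, turned into a check you can run before trusting them. This is an added shell example, not code from the question or the answer. It encodes one detail worth verifying on a directory: a process needs the search bit (x) as well as r on a directory before it can look up or open the entries it lists, so "chmod a+r" on its own (mode 744) lets the web-server user read names but not do anything with them; 755 (world) or 750 (group) are what actually work. It assumes GNU stat(1) and mktemp(1) as shipped on Ubuntu, and only ever touches a scratch directory it creates itself, never /home/user.

```sh
#!/bin/sh
# Added example (not from the original question or answer): check whether a
# directory's mode grants a given permission class both read (4) and
# execute/search (1), i.e. what a web server running as www-data (or apache,
# httpd, nobody ...) needs in order to glob a directory and use the results.
# Assumes GNU stat(1) as shipped on Ubuntu.

# mode_allows MODE CLASS
#   MODE  : octal mode string as printed by `stat -c %a`, e.g. 750 or 2750
#   CLASS : user, group or other
# Returns 0 when CLASS has both r and x on the directory, 1 otherwise.
mode_allows() {
    mode=$1
    # keep only the last three digits (drops a leading setuid/setgid/sticky digit)
    mode=${mode#"${mode%???}"}
    case $2 in
        user)  digit=${mode%??} ;;
        group) digit=${mode#?}; digit=${digit%?} ;;
        other) digit=${mode#??} ;;
        *)     echo "mode_allows: unknown class '$2'" >&2; return 2 ;;
    esac
    # r (4) and x (1) must both be set: digit & 0b101 == 0b101
    [ $(( $digit & 5 )) -eq 5 ]
}

# dir_accessible_by DIR CLASS
#   Same check against a real directory on disk.
dir_accessible_by() {
    mode_allows "$(stat -c '%a' "$1")" "$2"
}

# Demonstration on a scratch directory; nothing here touches /home/user.
demo() {
    d=$(mktemp -d)
    chmod 700 "$d"
    if ! dir_accessible_by "$d" other; then
        echo "700: the web-server user can neither list nor search it (permission denied)"
    fi
    chmod a+r "$d"            # the answer's first suggestion: now 744
    if ! dir_accessible_by "$d" other; then
        echo "744: names are readable, but without x the entries cannot be looked up or opened"
    fi
    chmod 755 "$d"            # world-readable and searchable
    if dir_accessible_by "$d" other; then
        echo "755: the general public can list and use the directory"
    fi
    chmod 750 "$d"            # the answer's second suggestion: group only
    if dir_accessible_by "$d" group && ! dir_accessible_by "$d" other; then
        echo "750: members of the group can use it, the general public cannot"
    fi
    rmdir "$d"
}

demo
```

To apply this to the page's situation, run dir_accessible_by /home/user other (or group, after adding the apache user to the owning group) as any user; the mode bits are readable regardless of who asks. The setgid-aware digit stripping matters because home directories on some distributions are created with a leading 2 in the mode.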