CGI Setup with access only to Perl binary.

[28122008]

Hi there,

The default setup of litespeed has a CGI context for ~/cgi-bin which allows files in this directory with proper permissions to get executed by the interpretor supplied on shebang line within the script. Now this allows arbitrary commands to get executed on the system. For example the supplied helloworld script uses /bin/sh.

I want users to be able to access only /usr/bin/perl. I tried removing the CGI context and associating .pl & .cgi scripts with CGI Daemon. But then realized that it serves no purpose as the interpreter is still taken from the shebang line. Is there no way to simply associate .pl & .cgi with perl binary and disallow arbitrary access on system?

Also what is the way to disable Perl from executing external commands? Like in php.ini we can disable functions like exec(), system() etc. How its done with Perl?

-Regards,
Akash

[mistwang]

I think that you cannot get what you want from any web server. CGI will work like that, you have to limit the access with file system permission if you want.
If Perl internal does not limit exec() and system(), nobody can.

[28122008]

Quote:

Originally Posted by mistwang

I think that you cannot get what you want from any web server. CGI will work like that, you have to limit the access with file system permission if you want.
If Perl internal does not limit exec() and system(), nobody can.

Lighttpd does allow to map extension based interpreter:

$HTTP["url"] =~ "/cgi-bin/" {
cgi.assign = ( ".pl" => "/usr/bin/perl" )
}

[28122008]

Is something like:

cgi.assign = ( ".pl" => "/usr/bin/perl" )
cgi.assign = ( ".cgi" => "/usr/bin/perl" )

(as in Lighttpd) not possible in Litespeed?

-Regards,
Akash