CGI Setup with access only to Perl binary.

Discussion in 'CGI/Perl/Python' started by 28122008, Sep 7, 2009.

  1. 28122008

    28122008 New Member

    Hi there,

    The default setup of litespeed has a CGI context for ~/cgi-bin which allows files in this directory with proper permissions to get executed by the interpretor supplied on shebang line within the script. Now this allows arbitrary commands to get executed on the system. For example the supplied helloworld script uses /bin/sh.

    I want users to be able to access only /usr/bin/perl. I tried removing the CGI context and associating .pl & .cgi scripts with CGI Daemon. But then realized that it serves no purpose as the interpreter is still taken from the shebang line. Is there no way to simply associate .pl & .cgi with perl binary and disallow arbitrary access on system?

    Also what is the way to disable Perl from executing external commands? Like in php.ini we can disable functions like exec(), system() etc. How its done with Perl?

    -Regards,
    Akash
  2. mistwang

    mistwang LiteSpeed Staff

    I think that you cannot get what you want from any web server. CGI will work like that, you have to limit the access with file system permission if you want.
    If Perl internal does not limit exec() and system(), nobody can.
  3. 28122008

    28122008 New Member

    Lighttpd does allow to map extension based interpreter:

    $HTTP["url"] =~ "/cgi-bin/" {
    cgi.assign = ( ".pl" => "/usr/bin/perl" )
    }
  4. 28122008

    28122008 New Member

    Is something like:

    cgi.assign = ( ".pl" => "/usr/bin/perl" )
    cgi.assign = ( ".cgi" => "/usr/bin/perl" )

    (as in Lighttpd) not possible in Litespeed?

    -Regards,
    Akash

Share This Page