Thursday, April 30, 2020

Re: loading DBD-Pg under base httpd, works but it's wrong way

On Thu, Apr 30, 2020 at 04:04:02PM -0400, Chris Bennett wrote:
> I've had a hell of a time getting Pg.so to load under base httpd.
>
> env LD_DEBUG=1 chroot /var/www script.pl
> gives errors about DynaLoader not being able to load due to a missing
> library.
>
> After looking at Postgresql libraries loaded using pg_config --libs
> I moved just those libs under /var/www.
>
> Still no luck. However I did get barely enough of a hint with searches
> to figure out that it wasn't finding libpq.a and libpq.so.6.11
> But those are located under /usr/local/lib. I couldn't figure out how to
> push over that directory into the search paths.
> So I moved a copy of those under /var/www/usr/lib/ vs
> /var/www/usr/local/lib/
> Works just fine.

I'm assuming this is using slowcgi, is that correct?

Depending on your use case, it might be easier to have a separate
slowcgi process for just this script and then add OpenBSD::Pledge(3p)
and possibly OpenBSD::Unveil(3p) to limit what the script can do. This
could work with slowcgi's `-u` flag to have this script run as a
specific user.

(I am still a bit confused by the httpd.conf param and why slowcgi
doesn't seem to get a SCRIPT_NAME and so will exec the location's "root"
when I set this up, but fortunately it meets this need)

But anyway, an example that could totally be in /var/test-slowcgi
instead of /home:

Starting a slowcgi:

# /usr/sbin/slowcgi -p / -u test-slowcgi -s /var/www/run/test-slowcgi.sock

With something like this in httpd.conf:

location "/test-slowcgi*" {
    root "/home/test-slowcgi/test.cgi"
    fastcgi {
        socket "/run/test-slowcgi.sock"
    }
}

And finally, the test script that just prints out the environment.
It's running as the test-slowcgi user already, but you can still use
unveil and pledge.

$ cat /home/test-slowcgi/test.cgi
#!/usr/bin/perl
use strict;
use warnings;

use OpenBSD::Pledge;
pledge();    # no promises listed, so only the always-included "stdio" is left

print "\n\nHello World!\n\n";
print "$_: $ENV{$_}\n" for sort keys %ENV;


And tested with:

$ ftp -o- http://localhost/test-slowcgi

> I know that this is the wrong solution, but I'm clueless where and how
> to add the right search path.

If you're copying files into /var/www, then that's your own

Back when we were using Apache I had a script that would copy a bunch of
stuff into the chroot for me, but as you said, there are better
solutions now.

http://cvs.afresh1.com/cgi-bin/cvsweb/openbsd/fill_chroot/fill_chroot?rev=1.21&content-type=text/x-cvsweb-markup

> Any clues would be extremely appreciated!
>
> Chris Bennett
>
>

--
andrew - http://afresh1.com

A printer consists of three main parts:
the case, the jammed paper tray and the blinking red light.
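
One way to apply the OpenBSD::Pledge suggestion above to a script that uses DBD::Pg, as an added example that is not code from the original message: load the driver and connect first, then pledge. The database name, role and table are hypothetical, and it assumes libpq only reads and writes the already-open socket once connected.

```perl
#!/usr/bin/perl
# Added example, not from the original message.
# Hypothetical names: database "testdb", role "test-slowcgi", table "greetings".
use strict;
use warnings;

# Load everything that needs dlopen() or file reads *before* pledging.
# DBI would otherwise pull in DBD::Pg (Pg.so and libpq) lazily at connect time.
use DBI;
use DBD::Pg;
use Carp;
use OpenBSD::Pledge;

# Connect over the local UNIX socket while the process is still unrestricted.
# host=/tmp assumes the default PostgreSQL socket directory and a slowcgi
# started with "-p /" as above, so /tmp is visible to the script.
my $dbh = DBI->connect(
    'dbi:Pg:dbname=testdb;host=/tmp', 'test-slowcgi', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 },
);

# From here on only "stdio" is left (OpenBSD::Pledge always adds it).
# Reads and writes on already-open descriptors, including the database
# socket, keep working; opening files, creating sockets, fork and exec
# abort the script instead.
pledge() or die "Unable to pledge: $!";

my $rows = $dbh->selectall_arrayref(
    'SELECT id, message FROM greetings ORDER BY id LIMIT 10',
);

print "Content-Type: text/plain\r\n\r\n";
printf "%d: %s\n", @$_ for @$rows;

$dbh->disconnect;
```

If the script aborts after the pledge call, something it still needs (a lazily loaded module, a second connection) has to move above that line or be covered by an explicit promise.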
