Thursday, April 30, 2020

Re: loading DBD-Pg under base httpd, works but it's wrong way

On Thu, Apr 30, 2020 at 08:16:05PM -0700, Andrew Hewus Fresh wrote:
> I'm assuming this is using slowcgi, is that correct?

Yes

>
> Depending on your use case, it might be easier to have a separate
> slowcgi process for just this script and then add OpenBSD::Pledge(3p)
> and possibly OpenBSD::Unveil(3p) to limit what the script can do. This
> could work with slowcgi's `-u` flag to have this script run as a
> specific user.
>

I have several domains. Some are running very limited scripts.

For several, just some very basic stuff. Pledge and Unveil would work
great for those. I'll check into that. They write files and send emails.

One site has a ton of complicated scripts, many in mod_perl that I want
to ditch.

I am also forking a forum software that's been dropped.
It makes a lot of sense to pull all of those perl scripts into a single
wrapper. It reads/writes to postgresql, sends and receives emails and
can optionally write files. Pledge and Unveil sound like good optional
settings. My preference is to make it portable after ditching some
security issues and dropping mod_perl 1 from it, etc.

> $ cat /home/test-slowcgi/test.cgi
> #!/usr/bin/perl
> use strict;
> use warnings;
>
> use OpenBSD::Pledge;
> pledge();
>
> print "\n\nHello World!\n\n";
> print "$_: $ENV{$_}\n" for sort keys %ENV;
>
>
> And tested with:
>
> $ ftp -o- http://localhost/test-slowcgi
>
> > I know that this is the wrong solution, but I'm clueless where and how
> > to add the right search path.
>
> If you're copying files into /var/www, then that's your own
>
> Back when we were using Apache I had a script that would copy a bunch of
> stuff into the chroot for me, but as you said, there are better
> solutions now.
>
> http://cvs.afresh1.com/cgi-bin/cvsweb/openbsd/fill_chroot/fill_chroot?rev=1.21&content-type=text/x-cvsweb-markup

Interesting. I see lots of things I did. I also see some variations on
what I did, too.
My shell skills are poor. I'll study it and see what I can figure out.
This has all been a bit frustrating, but having worked things out, now
it's fun!

Thanks!
Chris Bennett
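
An added example, not code from either poster: a sketch of the OpenBSD::Pledge / OpenBSD::Unveil suggestion above for one of the simple scripts that only writes files. The directory /data/notes and the 4096-byte body limit are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Runs only on OpenBSD.
use strict;
use warnings;

use OpenBSD::Pledge;
use OpenBSD::Unveil;

# Hypothetical directory the script may write to, as the script sees it
# (relative to the chroot if slowcgi runs chrooted).
my $data_dir = '/data/notes';

# Expose only the data directory (read, write, create). The rest of the
# filesystem becomes invisible to this process. Modules pulled in with
# "use" were already loaded at compile time, before this point.
unveil( $data_dir, 'rwc' ) or die "unveil $data_dir: $!";
unveil() or die "unveil lock: $!";    # no further unveil calls allowed

# OpenBSD::Pledge always includes "stdio"; add only file access promises.
# Without "inet", "proc" or "exec" the script cannot open network
# sockets or run other programs, even if its input handling is flawed.
pledge(qw(rpath wpath cpath)) or die "pledge: $!";

# Read a bounded request body and store it under a server-chosen name,
# never under a name taken from the request.
my $len = $ENV{CONTENT_LENGTH} // 0;
$len = 0    unless $len =~ /\A\d+\z/;
$len = 4096 if $len > 4096;
my $body = '';
read( STDIN, $body, $len ) if $len;

my $file = sprintf '%s/%d-%d.txt', $data_dir, time, $$;
open my $fh, '>', $file or die "open $file: $!";
print {$fh} $body;
close $fh or die "close $file: $!";

print "Content-Type: text/plain\n\n";
print "stored ", length($body), " bytes\n";
```

A violation of the pledge kills the process, and a path outside the unveiled directory fails with ENOENT, so the first run should be watched in the system log and the slowcgi error output.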
