/usr/web
/lib/namespace.httpd
2002/08/30
What should you first consider in constructing a CGI environment? That is, the environment necessary to execute CGI programs. Pegasus can configure, and must configure, the namespace that is required for CGI.
Many names will be required. For example, a CGI program may be waiting for a message that will never come; then Pegasus must kill the process. To make that possible, /proc must be provided.
/usr/web
See example/usr/web of the Pegasus distribution:
bin dev doc env etc lib mnt net proc rc sys tmp
Not all of them are required. For example, net is required only for CGI that accesses the outer world via the network.
/lib/namespace.httpd
The directories under /usr/web/ are empty. Therefore we must bind the real entities onto them to give them contents. See example/lib/namespace.httpd. The contents are:
bind -a /usr/web/bin/$cputype /bin
bind -a /usr/web/bin/rc /bin
bind /sys/log/http /usr/web/sys/log/http
bind /sys/lib /usr/web/sys/lib
bind /sys/man /usr/web/sys/man
bind /lib /usr/web/lib
bind /bin /usr/web/bin
bind /rc/lib /usr/web/rc/lib
bind -c #e /usr/web/env
bind #c /usr/web/dev
bind /proc /usr/web/proc
bind -a #I /usr/web/net
mount -a #s/cs /usr/web/net
mount -a #s/dns /usr/web/net
bind /usr/bob/www/doc /usr/web/doc
bind /usr/bob/www/etc /usr/web/etc
Comment lines are discarded here.
bob is the administrator of this host, and his documents and control files are placed in /usr/bob/www/doc and /usr/bob/www/etc respectively.
Not all of these lines are required. For example, the lines containing net are very special.
You will find the line:
bind /sys/lib /usr/web/sys/lib
This line means all the files under /sys/lib are configured into the service space and are therefore accessible via CGI, /sys/lib/ssh and /sys/lib/tls among them. The same holds for anything else you bind under /sys.
The CGI environment that you have configured in /lib/namespace.httpd is passed to all virtual hosts and all users, except for /usr/web/doc and /usr/web/etc. Therefore you should be careful about security.
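As an added example (not part of Pegasus or its distribution), the following Python script parses a namespace.httpd file, derives what a CGI program rooted at /usr/web will see at each service-space path, reports whether the sensitive directories named above are reachable, and then narrows the /sys/lib bind to only the subdirectories CGI needs. The service root /usr/web, the distributed namespace file and the two sensitive directories come from this page; the choice of /sys/lib/troff as the single subdirectory CGI needs is a placeholder assumption, and each narrowed mount point must exist as an empty directory under /usr/web just like the other mount points.

```python
# Added example, not part of Pegasus: a checker for /lib/namespace.httpd.
# It parses bind/mount lines, derives what a CGI program rooted at /usr/web
# sees at each service-space path, flags sensitive real directories that
# become reachable, and narrows an over-broad bind.  The service root and the
# sensitive list follow the text above; "troff" below is a placeholder for
# whatever subdirectories your CGI programs really need.

SERVICE_ROOT = "/usr/web"

# The distributed example/lib/namespace.httpd quoted above, comments dropped.
DISTRIBUTED = """\
bind -a /usr/web/bin/$cputype /bin
bind -a /usr/web/bin/rc /bin
bind /sys/log/http /usr/web/sys/log/http
bind /sys/lib /usr/web/sys/lib
bind /sys/man /usr/web/sys/man
bind /lib /usr/web/lib
bind /bin /usr/web/bin
bind /rc/lib /usr/web/rc/lib
bind -c #e /usr/web/env
bind #c /usr/web/dev
bind /proc /usr/web/proc
bind -a #I /usr/web/net
mount -a #s/cs /usr/web/net
mount -a #s/dns /usr/web/net
bind /usr/bob/www/doc /usr/web/doc
bind /usr/bob/www/etc /usr/web/etc
"""

# Real directories CGI should not be able to read: Plan 9 keeps ssh host keys
# and TLS certificates/keys under these by convention.
SENSITIVE = ["/sys/lib/ssh", "/sys/lib/tls"]


def parse_namespace(text):
    """Return (op, flags, src, dst) for each bind/mount line.

    Lines starting with '#' are comments; a '#' elsewhere is a kernel device
    name (e.g. #c, #s/cs), so it is kept.  Other namespace(6) verbs are ignored.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        words = raw.split()
        op, rest = words[0], words[1:]
        flags = "".join(w[1:] for w in rest if w.startswith("-"))
        args = [w for w in rest if not w.startswith("-")]
        if op in ("bind", "mount") and len(args) >= 2:
            entries.append((op, flags, args[0], args[1]))
    return entries


def service_view(entries, root=SERVICE_ROOT):
    """List (service_path, real_source, op, flags) for mount points under root."""
    view = []
    for op, flags, src, dst in entries:
        if dst == root:
            view.append(("/", src, op, flags))
        elif dst.startswith(root + "/"):
            view.append((dst[len(root):], src, op, flags))
        # any other target (e.g. /bin) lies outside the service root: not CGI-visible
    return view


def exposures(entries, sensitive=SENSITIVE, root=SERVICE_ROOT):
    """Map each sensitive real path to the service-space paths it is reachable at."""
    found = {}
    for real in sensitive:
        hits = []
        for svc, src, _op, _flags in service_view(entries, root):
            if src.startswith("#"):
                continue  # kernel device, not a file tree
            if real == src or real.startswith(src.rstrip("/") + "/"):
                tail = real if src == "/" else real[len(src):]
                hits.append(("" if svc == "/" else svc) + tail)
        found[real] = hits
    return found


def narrow_bind(text, src, subdirs, root=SERVICE_ROOT):
    """Replace 'bind SRC ROOT/SRC' by one bind per needed subdirectory.

    Like every mount point in /usr/web, each new target directory must exist
    (empty) under root before the namespace file is applied.
    """
    out = []
    for line in text.splitlines():
        if line.split()[:3] == ["bind", src, root + src]:
            out.extend("bind %s/%s %s%s/%s" % (src, d, root, src, d) for d in subdirs)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = exposures(parse_namespace(DISTRIBUTED))
    # Placeholder assumption: the CGI programs only need /sys/lib/troff.
    hardened = narrow_bind(DISTRIBUTED, "/sys/lib", ["troff"])
    after = exposures(parse_namespace(hardened))
    for real in SENSITIVE:
        print("%-14s distributed: %s  hardened: %s" % (real, before[real], after[real]))
```

With the distributed file both /sys/lib/ssh and /sys/lib/tls are reported as reachable at the same path inside the service space; after narrowing, neither is. The checker only models bind and mount targets under the service root, so lines such as bind -a /usr/web/bin/rc /bin, whose target is outside /usr/web, are deliberately left out of the CGI view.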
The handler table lives at
$home/www/etc/handler	# for virtual hosts
or
$home/web/etc/handler	# for system users
Typical contents of handler are:
# path	mimetype	ramfs	execpath	arg ...
/netlib/*/index.html	text/html	0	/bin/ftp2html
*.http	-	0	$target
*.html	text/html	1	$target
*.dx_html	text/html	0	/bin/dx	$target
This is what I am using.
$target, which may appear in the fourth field and after, is the path name of the requested file. The *.html line defines the files so called CGI: if a file whose name ends in .html and which has the executable bit for others is requested, then the file is executed. Its output format is text/html and a ramfs is provided.
The table in $/etc/handler determines the action taken for the requested path. The requested file need not be present. See the execution handler for more information.
/lib/namespace.httpd applies as long as the -m option is not given to httpd. A user can extend it with /etc/namespace.cgi in service space. If you are bob, the real place will be /usr/bob/www/etc/namespace.cgi. The contents of the distributed file are:
bind -a /etc/bin/$objtype /bin
bind -a /etc/bin/rc /bin
This means user bob can place his executable files in
/usr/bob/www/etc/bin/386
/usr/bob/www/etc/bin/rc
All users share /lib/namespace.httpd for CGI. Pegasus takes the view that CGI should not be served only to the administrator. Therefore keep this in mind when configuring /lib/namespace.httpd.
Pegasus is designed with the aim of being attack-proof against a malicious system user. However, Pegasus has not been examined on a system with malicious users.
If httpd is invoked by `listen', then httpd runs as user none.
If you want httpd to write a file, it is safe to set the access mode to
alrw-rw-rw-	# if reading is required
alrw--w--w-	# if you don't want the file to be read by others
that is, append-only (a) and exclusive-use (l), writable by everyone, and readable or not as needed. It is most important that the file cannot be deleted or modified by others.
If you do not want the file to be accessed by other system users at all, run httpd in server mode.