enabling personal CGI-BIN

new32

I have PHP enabled already but I've got a user who wants to have their own cgi-bin, aka "http://localhost/~[username]/cgi-bin/[script].cgi". So how do I go about enabling this via .htaccess/config files? I've tried using Google searches and the like but I'm having no luck (403:Forbidden). I got the override set (both instances) but I still am having no luck. Any help would be appreciated.

Cheers,
New32
 
cgi-wrap is an old-skool executable wrapper. It allows individual users to execute cgi scripts in their own cgi-bin as their user id (uid).

Download the newest cgi-wrap from: http://download.sourceforge.net/cgiwrap/

The cgi-wrap home page is: http://cgiwrap.unixtools.org/

Follow the install notes provided with the distribution. The install goes smoothly for OS X, with the following exceptions/notes:

configure won't run successfully unless you replace the config.guess and config.sub in the distribution with the ones Apple provided in:
/usr/libexec/config.guess
/usr/libexec/config.sub

This is the configure command I used:
%> ./configure --with-httpd-user=www --with-install-dir=/Library/WebServer/CGI-Executables --with-cgi-dir=Sites/cgi-bin

So, create a cgi-bin directory in each user's home:
%> mkdir /Users/[username]/Sites/cgi-bin

and set perms so that only the owner can read/write/exec:
%> chmod -R 700 /Users/[username]/Sites/cgi-bin

I put the cgi-wrap binary [and associated links] where Apache looks for cgi's, in:
/Library/WebServer/CGI-Executables/

Finally, call the user cgi's through Apache with a URL like:
http://localhost/cgi-bin/cgiwrap/[username]/[scriptnameInUserCgi-Bin]


Mars :)
 
I forgot to mention...

This is the whole reason I dove into cgiwrap to begin with:

Since cgiwrap executes cgi-scripts as the user's uid instead of the Webserver's uid, the users' scripts can read and write files without them having to be world or group readable/writable.

Mars :)
 
Actually, I did find a semi-pseudo perfect answer at mac.orielly.com and will repaste it here. I've had this up and running for a bit and toyed with it to my own ends and it works great. Here's the original snippet [place after the "ScriptAlias" directive and entry]:

##
##This matches the pattern enabling personal CGI-BIN's
## For example -
## http://www.yourdomain/~[username]/cgi-bin/[filename].[ext]
##
ScriptAliasMatch ^/~([^/]*)/cgi-bin/(.*) /Users/$1/Sites/cgi-bin/$2

##This sets all pertinent information for such ;)
<Directory /Users/*/Sites/cgi-bin/>
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
 
The original post mentioned having PHP setup, which got me thinking. I know I can run PHP scripts without restriction in my Sites directory as an admin and from the /Library/WebServer/Documents/ directory, but can other users do the same? I would hope not, since they could potentially mess up my whole system with one script.

It's discussed how cgiwrapper uses the user's own id so that restrictions for this user are followed. I'm not sure what PHP does, because if it uses the user directives, then they should probably be restricted to working with files inside their home directory, which is what I would want. I know I have worked with other servers that allow PHP scripts in their user directories, but did not allow the user directory PHP scripts to read or write to any files. I'm not sure I would want to go this far, but I would only want reading and writing to files within the user's own home directory.

Does anyone know what the default setup is for PHP with regards to permissions? And, how should I get it to function as desired if it doesn't already?
 
Because PHP is an Apache module, it runs as the same uid as Apache, "www".

In order to instantiate PHP as the user's uid you could install the PHP CGI binary and execute it using cgiwrap [as mentioned in my post above].

You can grab the CGI version of PHP at:
http://www.entropy.ch/software/macosx/php/

And put it in your local binary directory:
/usr/local/bin/

Put the PHP scripts that need the setuid into the user-level cgi-bin and add the shebang to the top of each one to make the PHP engine parse it:
#!/usr/local/bin/php4.cgi

Then call your scripts with a URL like:
http://localhost/cgi-bin/cgiwrap/[username]/[nameOfScriptInCgi-Bin]


There are several ways to make PHP run as something other than the Webserver's uid. I have found success with this one...and I use it on a production server without problems.

Mars :)
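
The cgiwrap setup described in the posts above (an owner-only cgi-bin, and PHP scripts that start with the php4.cgi shebang) can be checked per user with a small audit script. This is an added example, not part of the original posts or of cgiwrap; the *.php naming convention and the finding labels are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit one user's cgi-bin for cgiwrap use.
# Assumptions: PHP scripts are named *.php; PHP_CGI is the path given in the post.
PHP_CGI="${PHP_CGI:-/usr/local/bin/php4.cgi}"

# audit_cgi_bin DIR OWNER
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_cgi_bin() {
    dir=$1; owner=$2; findings=0
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"; return 1
    fi
    # The directory itself: mode exactly 700, as set by chmod in the post.
    if [ -z "$(find "$dir" -prune -perm 700)" ]; then
        echo "MODE     $dir is not mode 700"; findings=1
    fi
    # Scripts run with the user's uid, so everything here should be theirs.
    foreign=$(find "$dir" ! -user "$owner" -print)
    if [ -n "$foreign" ]; then
        echo "$foreign" | sed 's/^/OWNER    /'; findings=1
    fi
    # Group- or world-writable entries can be altered by other accounts and
    # would then execute with this user's uid.
    loose=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/WRITABLE /'; findings=1
    fi
    # PHP scripts need the CGI interpreter shebang and the owner execute bit.
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        first=
        IFS= read -r first < "$f" || true
        if [ "$first" != "#!$PHP_CGI" ]; then
            echo "SHEBANG  $f does not start with #!$PHP_CGI"; findings=1
        fi
        if [ -z "$(find "$f" -prune -perm -100)" ]; then
            echo "NOEXEC   $f"; findings=1
        fi
    done
    return $findings
}

# Usage: sh audit.sh /Users/[username]/Sites/cgi-bin [username]
if [ "$#" -eq 2 ]; then
    audit_cgi_bin "$1" "$2"
fi
```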
 
Using cgiwrap to do this sounds a bit overly complicated. Essentially, it sounds as if you are installing PHP to run under the constraints of normal CGI where PHP is just another CGI language instead of the common perl or shell languages. Then you would need to have all your PHP scripts in cgi-bin folders etc. I really don't want to do this.

Does anyone else know of a simpler way to do this and still use the Apache version? Perhaps a modification to the php.ini file or some other PHP config file? I know I have seen this done on other servers, where you can run PHP scripts via apache with no special directories, but certain things will be disabled or restricted. Like for example, all reading and writing to files, or just writing, or just reading and writing in certain directories.
 