The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Running CGI's in the same directory as CPanel themes???

Discussion in 'General Discussion' started by nitromax, Mar 6, 2002.

  1. nitromax

    nitromax Well-Known Member

    Joined:
    Feb 12, 2002
    Messages:
    189
    Likes Received:
    0
    Trophy Points:
    16
    Does anyone know if it's possible to run cgi scripts in the same directory that CPanel themes run in, like this...

    /usr/local/cpanel/base/frontend/default/script.cgi

    I have a couple of custom cgi programs that I would like users to access thru their control panel, but since one of them is a file mananger the users need to authenticate before using it (it can't go in the cgi-sys because of that). Since the user has to enter his username and password to get into the control panel initially, I thought it might be an idea to put my cgi files in there.

    Right now if you try to run a .cgi file in that directory above it just displays the cgi code as text on the screen.

    If there is no way to do this, can someone please try to answer my post over here?: http://support.cpanel.net/obb/read.php?TID=1824

    Thanks in advance! :)
     
  2. nitromax

    nitromax Well-Known Member

    Joined:
    Feb 12, 2002
    Messages:
    189
    Likes Received:
    0
    Trophy Points:
    16
    Found the solution...

    Well, I guess I'll answer my own question...

    You can load your own programs in the /usr/local/cpanel/base/3rdparty directory, and still get authentication when using the 2082 port on the end of the domain name.
     
  3. Juanra

    Juanra Well-Known Member

    Joined:
    Sep 22, 2001
    Messages:
    777
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Spain
  4. nitromax

    nitromax Well-Known Member

    Joined:
    Feb 12, 2002
    Messages:
    189
    Likes Received:
    0
    Trophy Points:
    16
    Well, I am running suexec which normally sets the user to the user of the domain name that's being called. So you would think that what ever domain name you are calling the script with would be the user the script executes under. My file manager script, for example, has some code in it to determine what user the script is running under so that it displays that users directories and files. However, I don't think suexec affects the area running under port 2082.

    Since you can only access that /3rdparty directory by adding the :2082 port at the end of the domain name, it prompts you for the username and password before you can enter that area (if you haven't already done that by accessing your control panel.)

    Tests I have done on my file manager script shows that you could call up something like this:

    http://coolsideshows.com:2082/3rdparty/filemanager.cgi
    (let's say the username for this account was coolside)

    ... and enter the &coolside& username and password and the file manager runs as that user, displaying that users directories and files.

    HOWEVER... If you call that exact URL and use some other username and password on the system, it will run the file manager under what ever username and password you give it and display THAT users directories and files.

    So to directly answer your question the scripts seem to execute under whatever username and password you supply.
     
  5. Juanra

    Juanra Well-Known Member

    Joined:
    Sep 22, 2001
    Messages:
    777
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Spain
    In that case, how can I restrict access to password files?

    Since I have to set 0755 permissions for my cgi files, any user with SSH access would be able to read the code and eventually gain access to our billing or support databases.

    I would like to mimic the structure of the 3rdparty/phpMyAdmin directory:

    drwx------ 7 cpanel cpanel 4096 Mar 10 00:49 phpMyAdmin

    and inside:

    -rwx------ 1 cpanel cpanel 1873 Mar 10 12:35 index.php

    How can this work?
     
  6. nitromax

    nitromax Well-Known Member

    Joined:
    Feb 12, 2002
    Messages:
    189
    Likes Received:
    0
    Trophy Points:
    16
    Why do you need to restrict access to password files? In looking at some of the password related scripts in the /scripts directory, it looks like the /etc/shadow file is the one being used for authentication. Since it's owned by root normal users of SSH can't look at the contents of it.

    Speaking of SSH.... I noticed that any SSH user can look around all over the server. Even though they can't edit files, like the httpd.conf file, I have noticed that they can view that file as well as others. Isn't there a way to completely restrict SSH users to their own directories like FTP does? (ie. /home/username )

    I know of another hosting company that I used to work with that did that with Telnet. I'd really like to know how to do that.
     
  7. bdraco

    bdraco Guest

    [quote:ee9b528c91][i:ee9b528c91]Originally posted by Juanra[/i:ee9b528c91]

    In that case, how can I restrict access to password files?

    Since I have to set 0755 permissions for my cgi files, any user with SSH access would be able to read the code and eventually gain access to our billing or support databases.

    I would like to mimic the structure of the 3rdparty/phpMyAdmin directory:

    drwx------ 7 cpanel cpanel 4096 Mar 10 00:49 phpMyAdmin

    and inside:

    -rwx------ 1 cpanel cpanel 1873 Mar 10 12:35 index.php

    How can this work?[/quote:ee9b528c91]

    Cpanel runs phpMyAdmin as the user cpanel.

    --

    You'll need to install suexec if you want to protect your scripts.
     
  8. moronhead

    moronhead Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    706
    Likes Received:
    0
    Trophy Points:
    16
    [quote:3a7bd2fda7][i:3a7bd2fda7]Originally posted by nitromax[/i:3a7bd2fda7]

    HOWEVER... If you call that exact URL and use some other username and password on the system, it will run the file manager under what ever username and password you give it and display THAT users directories and files.
    [/quote:3a7bd2fda7]
    As far as I know that has been the case with Cpanel for a long time. Whatever the domain or the IP on the URL is (providing they reside on the same server) it's ultimately the username and password that you put in that determines which user control panel or user webmail comes up.
     
  9. oboy

    oboy Registered

    Joined:
    Jun 12, 2002
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    How?

    Ok, so HOW do we call the user in the cgi script in the 3rdparty dir?

    $user?
    &cpanel print=&$user&&
    or $username
    I've tried all 3, but none work.

    Thanks.
     
  10. oboy

    oboy Registered

    Joined:
    Jun 12, 2002
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    ah, nevermind, I figured it out :p
     
  11. dysk

    dysk Well-Known Member

    Joined:
    Apr 22, 2003
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    Seems that cPanel runs a script as the user that is logged in.

    In /usr/local/cpanel/base/3rdparty/tests/whoami.cgi:

    #!/bin/sh
    echo -e 'Content-type: text/plain\n\n'
    whoami

    when I go to https://www.mydomain.com:2083/3rdparty/tests/whoami.cgi it outputs the username of the cpanel user that called the script.

    However, if I put the same script in base/3rdparty/phpMyAdmin, it returns 'cpanel' Seems that there's a hack in cpaneld that runs myPhpAdmin as cpanel, and everything else as the user, as bdraco alluded to.

    Of course a really quick and dirty way to avoid the user switching would be to make a phpMyAdmin/otherstuff/

    Hope you all find this useful.


    Regards,
    Erek Dyskant
     
    #11 dysk, Jan 14, 2004
    Last edited: Jan 14, 2004
Loading...

Share This Page