Running CGIs in the same directory as CPanel themes???

nitromax

Well-Known Member
Feb 12, 2002
189
0
316
Does anyone know if it's possible to run cgi scripts in the same directory that CPanel themes run in, like this...

/usr/local/cpanel/base/frontend/default/script.cgi

I have a couple of custom cgi programs that I would like users to access through their control panel, but since one of them is a file manager the users need to authenticate before using it (it can't go in the cgi-sys because of that). Since the user has to enter his username and password to get into the control panel initially, I thought it might be an idea to put my cgi files in there.

Right now if you try to run a .cgi file in that directory above it just displays the cgi code as text on the screen.

If there is no way to do this, can someone please try to answer my post over here?: http://support.cpanel.net/obb/read.php?TID=1824

Thanks in advance! :)
 

nitromax

Found the solution...

Well, I guess I'll answer my own question...

You can load your own programs in the /usr/local/cpanel/base/3rdparty directory, and still get authentication when using the 2082 port on the end of the domain name.
 

nitromax

Well, I am running suexec, which normally sets the user to the user of the domain name that's being called. So you would think that whatever domain name you are calling the script with would be the user the script executes under. My file manager script, for example, has some code in it to determine what user the script is running under so that it displays that user's directories and files. However, I don't think suexec affects the area running under port 2082.

Since you can only access that /3rdparty directory by adding the :2082 port at the end of the domain name, it prompts you for the username and password before you can enter that area (if you haven't already done that by accessing your control panel.)

Tests I have done on my file manager script show that you could call up something like this:

http://coolsideshows.com:2082/3rdparty/filemanager.cgi
(let's say the username for this account was coolside)

... and enter the "coolside" username and password and the file manager runs as that user, displaying that user's directories and files.

HOWEVER... If you call that exact URL and use some other username and password on the system, it will run the file manager under whatever username and password you give it and display THAT user's directories and files.

So to directly answer your question, the scripts seem to execute under whatever username and password you supply.
 

Juanra

Well-Known Member
Sep 22, 2001
777
0
316
Spain
In that case, how can I restrict access to password files?

Since I have to set 0755 permissions for my cgi files, any user with SSH access would be able to read the code and eventually gain access to our billing or support databases.

I would like to mimic the structure of the 3rdparty/phpMyAdmin directory:

drwx------ 7 cpanel cpanel 4096 Mar 10 00:49 phpMyAdmin

and inside:

-rwx------ 1 cpanel cpanel 1873 Mar 10 12:35 index.php

How can this work?
 

nitromax

Why do you need to restrict access to password files? In looking at some of the password related scripts in the /scripts directory, it looks like the /etc/shadow file is the one being used for authentication. Since it's owned by root, normal users of SSH can't look at the contents of it.

Speaking of SSH.... I noticed that any SSH user can look around all over the server. Even though they can't edit files, like the httpd.conf file, I have noticed that they can view that file as well as others. Isn't there a way to completely restrict SSH users to their own directories like FTP does? (ie. /home/username )

I know of another hosting company that I used to work with that did that with Telnet. I'd really like to know how to do that.
 

bdraco

Guest
Originally posted by Juanra:

> In that case, how can I restrict access to password files?
>
> Since I have to set 0755 permissions for my cgi files, any user with SSH access would be able to read the code and eventually gain access to our billing or support databases.
>
> I would like to mimic the structure of the 3rdparty/phpMyAdmin directory:
>
> drwx------ 7 cpanel cpanel 4096 Mar 10 00:49 phpMyAdmin
>
> and inside:
>
> -rwx------ 1 cpanel cpanel 1873 Mar 10 12:35 index.php
>
> How can this work?

Cpanel runs phpMyAdmin as the user cpanel.

--

You'll need to install suexec if you want to protect your scripts.
 

moronhead

Well-Known Member
Aug 12, 2001
706
0
316
Originally posted by nitromax:

> HOWEVER... If you call that exact URL and use some other username and password on the system, it will run the file manager under whatever username and password you give it and display THAT user's directories and files.

As far as I know that has been the case with Cpanel for a long time. Whatever the domain or the IP on the URL is (providing they reside on the same server) it's ultimately the username and password that you put in that determines which user control panel or user webmail comes up.
 

oboy

Registered
Jun 12, 2002
4
0
151
How?

Ok, so HOW do we call the user in the cgi script in the 3rdparty dir?

$user?
<cpanel print="$user">
or $username
I've tried all 3, but none work.

Thanks.
 

dysk

Well-Known Member
Apr 22, 2003
52
0
156
Seems that cPanel runs a script as the user that is logged in.

In /usr/local/cpanel/base/3rdparty/tests/whoami.cgi:

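#!/bin/sh
# Emit the CGI header followed by the blank line that ends the headers.
# printf is used because "echo -e" is not portable across /bin/sh implementations.
printf 'Content-type: text/plain\n\n'
# Print the user this script is executing as.
whoami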

when I go to https://www.mydomain.com:2083/3rdparty/tests/whoami.cgi it outputs the username of the cpanel user that called the script.

However, if I put the same script in base/3rdparty/phpMyAdmin, it returns 'cpanel'. Seems that there's a hack in cpaneld that runs phpMyAdmin as cpanel, and everything else as the user, as bdraco alluded to.

Of course a really quick and dirty way to avoid the user switching would be to make a phpMyAdmin/otherstuff/

Hope you all find this useful.


Regards,
Erek Dyskant
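
Added example, not part of any post in this thread: since scripts under 3rdparty run as whichever account authenticated, a file-manager CGI should take its identity from the UID it executes under and refuse any path that resolves outside that account's home. The function names and the `dir` query parameter are hypothetical, and `getent` is assumed to be available on the server.

```shell
#!/bin/sh
# Added example: confine a file-manager CGI to the home directory of the
# user the script actually runs as. Names below are hypothetical.

# Home directory of the effective user, looked up from the UID the process
# runs under rather than from the URL, the Host header or a form field.
effective_home() {
    user=$(id -un) || return 1
    # Field 6 of the passwd entry is the home directory.
    getent passwd "$user" | cut -d: -f6
}

# confine_path BASE REQUESTED
# Prints the canonical path of REQUESTED (a directory relative to BASE) when
# it lies inside BASE; returns 1 otherwise. "cd" plus "pwd -P" resolves both
# ".." components and symlinks before the comparison is made.
confine_path() {
    base=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    target=$(cd "$base/$2" 2>/dev/null && pwd -P) || return 1
    case "$target/" in
        "$base"/*) printf '%s\n' "$target" ;;
        *) return 1 ;;
    esac
}

# CGI entry point: only runs when invoked by a web server.
if [ -n "$GATEWAY_INTERFACE" ]; then
    printf 'Content-type: text/plain\r\n\r\n'
    home=$(effective_home)
    # "dir" is a hypothetical query parameter naming the folder to list;
    # anything outside the allowed character set yields an empty request.
    req=$(printf '%s' "$QUERY_STRING" | sed -n 's/^dir=\([A-Za-z0-9._/-]*\)$/\1/p')
    if dir=$(confine_path "$home" "$req"); then
        ls -la "$dir"
    else
        echo "Refused: path is outside your home directory"
    fi
fi
```

The trailing slash in the `case` comparison keeps a sibling directory such as `/home/coolside2` from passing as a prefix match for `/home/coolside`.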
 