OpenBSD Apache and cgi
 

Hello. Is there anything special I need to do with OpenBSD to get scripts to run in /var/www/cgi-bin?

Here are my settings in httpd.conf

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">
AllowOverride None
Options +ExecCGI
Order allow,deny
Allow from all
</Directory>

#AddHandler cgi-script .cgi
AddHandler cgi-script .cgi

-rwxr-xr-x 1 root daemon 250288 Sep 30 08:28 getin.cgi
-rwxr-xr-x 1 root bin 268 Mar 29 2004 printenv
-rwxr-xr-x 1 root bin 757 Mar 29 2004 test-cgi
-rwxr-xr-x 1 root daemon 97 Sep 30 08:35 test.cgi

None of the above scripts work. I am getting an internal server error.

here is the log

[Thu Sep 30 08:33:23 2004] [error] [client 198.108.51.11] Premature end of script headers: /cgi-bin/getin
[Thu Sep 30 08:33:54 2004] [error] [client 198.108.51.11] Premature end of script headers: /cgi-bin/getin.cgi
[Thu Sep 30 08:34:28 2004] [error] [client 198.108.51.11] Premature end of script headers: /cgi-bin/getin.cgi
[Thu Sep 30 08:36:03 2004] [error] [client 198.108.51.11] Premature end of script headers: /cgi-bin/test.cgi
[Thu Sep 30 08:36:20 2004] [error] [client 198.108.51.11] Premature end of script headers: /cgi-bin/test-cgi
[Thu Sep 30 08:37:02 2004] [error] [client 198.108.51.11] Premature end of script headers: /cgi-bin/printenv
[

All these scripts work from the command line though.

Thanks in Advance.

Jeempc

I think it has something to do with chroot. I am still searching google.

Jeempc

If the CGI scripts call something outside of /var/www, they will not work.

Try searching some of the OpenBSD mailing list archives at marc.theaimsgroup.com for "cgi chroot", or something like that.

I will check out the link but I know for a fact that they are calling /usr/bin/perl which is typical for a cgi script.

Thanks

Jeempc

"CGI scripts using Perl or another scripting language require the interpreter and support files to be present in the chroot environment. Note that adding scripting languages like Perl severely violates rule 1."

From link above, thanks chort.

So it seems that I would need to install perl, or link it somehow which I don't know how to do yet, in the /var/www directory. Does anyone have any experience with this?
People must not use OpenBSD for dynamic web servers by default for obvious security reasons. I am still new to all this.
I really dig getting a locked down system and opening up for what I need though. I think you learn more than playing with a system that is easy to break.

Jeempc

Been a few years since question asked, nevertheless this is answer with high search engine ranking though no one answered the question!

Assuming you understand the added danger of running apache without chroot, you can change your /etc/rc.conf HTTPD line to


httpd_flags="-u"

You'll have to reboot for your machine to see this.

then go into /var/www/cgi-bin and change the permissions on all the scripts to allow execution

cd /var/www/cgi-bin
chmod a+rx test-cgi
chmod a+rx printenv


now you can load /cgi-bin/printenv in your browser

you'll get your cgi script output

In OpenBSD, Apache is chrooted by default. Which does not mean that chroot is usable by everybody for all applications. It does mean that OpenBSD is initially configured for minimal risk, and configurations that incur additional risk must be actively chosen.

I've been using OpenBSD for ten years, love it and donate the price of CD every six months when I download update.... BUT....that's just wrong to provide an audited, pro-policed and bug fixed apache but not the means to even run the included cgi-bin files. That's half-keistered, and one solution would be to provide a language interpreter within the chrooted jail. There are two obvious ways to do that. Better than "secure by default" is "provide secure conventions for doing actual work".

I just checked my /var/www/cgi-bin directory on OpenBSD 4.8. The only useful program there is bgplg(8), which is an ELF binary "intended to be used in a chroot(2) environment" -- so all libraries are statically linked. This will run on a default installation. There are also two testing scripts (one Perl, the other /bin/sh).

Apache is a web server. Why should it include an interpreted language environment?

If you want Perl, just copy all the necessary files. Some people won't use Perl, and they are free to include whatever interpreter and/or libraries they desire in the chroot.

I have recently install OpenBSD 5.2, and having trouble making cgi work. I tried the instructions in #6 (to run Apache out of chroot), and can't get the printenv perl script to work. My web page "printenv.php" to run the script looks like:

<html>
<head>
<?php
$title="Test printenv cgi";
printf("<title>%s</title>\n", $title);
?>
</head>
<body>
<?php printf("<h2>%s</h2>\n", $title); ?>
<form action="/cgi-bin/printenv" method="get">
<input type="submit" name="submit" value="Printenv"
</form>

</body>
</html>

Apparently nothing happens when I click the submit button - the web page with the form remains on the screen.

Some system information:

OpenBSD lightning.local 5.2 GENERIC#278 i386
OpenBSD 5.2 (GENERIC) #278: Wed Aug 1 10:04:16 MDT 2012
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
Actually this CPU is missing i686 instructions
cpu0: VIA Samuel 2 ("CentaurHauls" 686-class) 800 MHz
cpu0: FPU,DE,TSC,MSR,MTRR,PGE,MMX,3DNOW
cpu0 at mainbus0: (uniprocessor)
real mem = 502788096 (479MB)
avail mem = 483713024 (461MB)
spdmem0 at iic0 addr 0x50: 256MB DDR SDRAM non-parity PC3200CL3.0
spdmem1 at iic0 addr 0x51: 256MB DDR SDRAM non-parity PC2100CL2.5
Swap information:
root on wd0a (a6ebc77e99ef6c87.a) swap on wd0b dump on wd0b
Device 512-blocks Used Avail Capacity Priority
/dev/wd0b 1430205 0 1430205 0% 0
vga1 at pci1 dev 0 function 0 "VIA CLE266" rev 0x03

Oops: I found the problem in my html page #10 - I left off the closing ">" in the <submit > tag. Problem solved.

I copied perl into my chroot and run CGIs there.