"Fossies" - the Fresh Open Source Software Archive 
Member "cgiwrap-4.1/htdocs/install.html" (16 Jun 2008, 14374 Bytes) of package /linux/www/old/cgiwrap-4.1.tar.gz:
<TITLE>CGIWrap - Installation Instructions</TITLE>
<CENTER><H2>CGIWrap - Installation Instructions</H2></CENTER>
<HR><P>

There are two sets of installation instructions here: the basic ones I use,
and a real-world example config contributed by Piotr Klaban below.
<P>

<H3>Quick Installation</H3>
<DL>
<P><DT>Look at the <A HREF="notes.html">notes</A> to see if
there are any hints for your platform.

<P><DT>Issue "./configure --help" to find out the various
configuration options. You will need to specify some of them. At
the very least, you will want to specify "--with-httpd-user=USERID".

<P><DT>Type "./configure <options>" with whatever options you need.

<P><DT>Type "make"

<P><DT>If you specified the installation directory in the
options, you can type "make install" to do all the following steps.

<P><DT>Copy the cgiwrap executable to your server's cgi-bin directory

<P><DT>Make cgiwrap owned by root, executable by all, and setuid.
(<B>Note:</B> This step must be performed while logged in as "<TT>root</TT>".)
<P>
<DD>chown root cgiwrap
<DD>chmod 4755 cgiwrap

<P><DT>Hardlink or symlink nph-cgiwrap, nph-cgiwrapd, cgiwrapd to
cgiwrap in the cgi-bin directory.
<P>
<DD>ln [-s] cgiwrap cgiwrapd
<DD>ln [-s] cgiwrap nph-cgiwrap
<DD>ln [-s] cgiwrap nph-cgiwrapd

<P><DT>You can, if you wish, install it with less permissive permissions (e.g.
4750). But if you do this, make sure that the group of cgiwrap is the same
as the group that the server runs as.

<P><DT>*VERY IMPORTANT* - Do NOT allow any non-trusted user to run
scripts directly out of the main cgi-bin directory, as this will allow them to use
cgiwrap to run any of the other users' scripts. The reason for this is that
if they can run scripts as the same userid as the web server, they can
subvert some of cgiwrap's security checks to allow them to run other users'
scripts. I recommend not running ANY scripts on the web server directly, once
you have cgiwrap installed.

</DL>
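<P>
A post-install check for the ownership, mode and link steps above, added here as an example and not part of the cgiwrap distribution. The function name <TT>audit_cgiwrap</TT> and its arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not shipped with cgiwrap. audit_cgiwrap is a hypothetical
# helper name. Usage: audit_cgiwrap CGI_BIN_DIR [OWNER] [SERVER_GROUP]
# OWNER defaults to root; SERVER_GROUP is only consulted for mode 4750.
audit_cgiwrap() {
    dir=$1
    owner=${2:-root}
    srv_group=${3:-}
    bin="$dir/cgiwrap"
    rc=0

    # The real binary must be a regular file, not itself a link to elsewhere.
    if [ ! -f "$bin" ] || [ -L "$bin" ]; then
        echo "FAIL: $bin is missing or is a symlink"
        return 1
    fi

    # "Make cgiwrap owned by root": find prints the path only on a match.
    if [ -z "$(find "$bin" -prune -user "$owner" 2>/dev/null)" ]; then
        echo "FAIL: $bin is not owned by $owner"; rc=1
    fi

    # Exact mode match: 4755, or 4750 with the group the server runs as.
    # Anything else (setuid bit lost, group/world writable) is reported.
    if [ -n "$(find "$bin" -prune -perm 4755)" ]; then
        :
    elif [ -n "$(find "$bin" -prune -perm 4750)" ]; then
        if [ -z "$srv_group" ] ||
           [ -z "$(find "$bin" -prune -group "$srv_group" 2>/dev/null)" ]; then
            echo "FAIL: mode 4750 but group is not the server's group"; rc=1
        fi
    else
        echo "FAIL: $bin mode is neither 4755 nor 4750"; rc=1
    fi

    # The three extra names must resolve to the same file (hard or symlink).
    for name in cgiwrapd nph-cgiwrap nph-cgiwrapd; do
        if [ ! "$dir/$name" -ef "$bin" ]; then
            echo "FAIL: $dir/$name does not link to cgiwrap"; rc=1
        fi
    done
    return "$rc"
}
```

Run it as <TT>audit_cgiwrap /path/to/cgi-bin</TT> for the 4755 install, or pass <TT>root</TT> and the server's group as the second and third arguments for the 4750 variant.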

<P>
<H3>Configuration Options</H3>
<P>
The following are options available with the 'configure' command.
Items in boldface are highly recommended. Defaults can be seen by issuing
'./configure --help' or by looking at the 'config.h' file after you have
run 'configure'.
<P>
At an absolute minimum, you will probably want to specify the
'--with-install-dir' and '--with-httpd-user' options.

<P><DL>
<DT>--with-perl=PATH
<DD>path to perl executable to use

<DT>--with-local-contact-name=NAME
<DD>Specify the name of the local contact

<DT><B>--with-local-contact-email</B>
<DD>Specify the local contact's email address

<DT>--with-local-contact-phone
<DD>Specify the local contact's phone number

<DT>--with-local-contact-url
<DD>Specify a URL for the local contact

<DT>--with-local-site-url
<DD>Specify a URL for this site

<DT><B>--with-local-doc-url</B>
<DD>Specify a URL for a local copy of the cgiwrap docs

<DT>--with-wall
<DD>Add the '-Wall' option for compilation with gcc; this is intended
primarily for development debugging.

<DT>--with-install-group=GROUP
<DD>group to install cgiwrap as

<DT><B>--with-install-dir=PATH</B>
<DD>path to installation directory - this should be the path to your
server's cgi-bin directory

<DT>--with-cgi-dir=PATH
<DD>path relative to home dir for cgi scripts

<DT><B>--with-multiuser-cgi-dir=PATH</B>
<DD>define a central cgi script directory that is searched if the script
is not found in a user directory. This can be used to make a single script
available that will run as any user; however, this can be very dangerous
if you're not extremely careful designing your script. Do not enable
this unless you know what you're doing. It is not needed for normal usage.

<DT><B>--with-httpd-user=USER</B>
<DD>define what userid the web server is running as - this is required

<DT>--without-check-httpd-user
<DD>don't check to make sure cgiwrap is being run by server userid -
this is not recommended

<DT>--without-check-owner
<DD>disable check for matching owner

<DT>--without-check-group
<DD>disable check for matching group

<DT>--without-check-setuid
<DD>disable check for setuid script

<DT>--without-check-setgid
<DD>disable check for setgid script

<DT>--without-check-group-writable
<DD>disable check for group writable script

<DT>--without-check-world-writable
<DD>disable check for world writable script

<DT>--without-check-symlink
<DD>disable check for symlinked script

<DT>--with-check-shell
<DD>enable check for a valid user shell

<DT>--with-require-redirect-url
<DD>require that REDIRECT_URL be set in calling environment

<DT>--with-chroot=PATH
<DD>chroots script to PATH prior to script execution, requires
specific environment to be set up. See <A HREF="chroot.html">chroot docs</A>
for more details.

<DT>--with-minimum-uid=UID
<DD>set the minimum uid of user that can use cgiwrap, defaults to 100

<DT>--with-minimum-gid=GID
<DD>set the minimum gid or aux gid of user that can use cgiwrap - not enabled by default

<DT>--with-logging-syslog=LABEL
<DD>enable logging script execution to syslog

<DT>--with-logging-file=FILE
<DD>enable logging script execution to file

<DT>--without-script-subdirs
<DD>prevent users from storing scripts in subdirs

<DT>--without-redirect-stderr
<DD>don't redirect stderr to stdout in scripts

<DT>--without-initgroups
<DD>disable use of initgroups() to clear non-userid auxiliary groups

<DT>--without-setgroups
<DD>disable use of setgroups() to add userid's auxiliary groups

<DT>--with-rewrite=FILE
<DD>use a file to rewrite user directories

<DT>--with-setenv-path=STRING
<DD>set PATH environment variable to STRING

<DT>--with-setenv-tz=STRING
<DD>set TZ environment variable to STRING

<DT>--with-rlimit-cpu=SECONDS
<DD>limit cpu time with setrlimit

<DT>--with-rlimit-vmem=BYTES
<DD>limit total virtual memory with setrlimit

<DT>--with-rlimit-as=BYTES
<DD>limit total available memory with setrlimit

<DT>--with-rlimit-fsize=BYTES
<DD>limit writable file size with setrlimit

<DT>--with-rlimit-data=BYTES
<DD>limit data segment size with setrlimit

<DT>--with-rlimit-stack=BYTES
<DD>limit stack segment size with setrlimit

<DT>--with-rlimit-core=BYTES
<DD>limit core file size with setrlimit

<DT>--with-rlimit-rss=BYTES
<DD>limit resident set size with setrlimit

<DT>--with-rlimit-nproc=COUNT
<DD>limit number of processes with setrlimit

<DT>--with-rlimit-nofile=COUNT
<DD>limit number of open files with setrlimit

<DT>--with-rlimit-memlock=BYTES
<DD>limit lockable memory with setrlimit

<DT>--with-allow-file=FILE
<DD>limit cgiwrap usage

<DT>--with-deny-file=FILE
<DD>limit cgiwrap usage

<DT>--with-vhost-allow-dir=DIR
<DD>limit cgiwrap usage specific to each vhost. To restrict UnixTools.ORG, you would create the access file '<TT>DIR/unixtools.org</TT>'.

<DT>--with-vhost-deny-dir=DIR
<DD>limit cgiwrap usage specific to each vhost

<DT>--with-host-checking
<DD>allow specifying hosts in allow/deny files

<DT>--with-afs=DIR
<DD>enable afs setpag() support
</DL>

<P><HR>
<H3>Password Protected Installation</H3>
<P>

The following are special additional instructions for installing a copy of
cgiwrap that allows users to create access controlled scripts. For this to
work, you will need to have a single common password file that will be
used by all authenticated scripts.

<DL>
<P><DT>Re-run configure, specifying "public_html/auth-cgi-bin" instead of
"public_html/cgi-bin" for the cgi directory.

<P><DT>Type make.

<P><DT>Create a new server cgi-bin directory called "auth-cgi-bin", and
install this new copy of cgiwrap into that directory the same way you installed
it into the cgi-bin directory. (4 copies, and set permissions). You will
now be able to use the url: http://server/auth-cgi-bin/cgiwrap...

<P><DT>To enable access control, place a .htaccess or equivalent file in
the auth-cgi-bin directory where cgiwrap is located, that requires
authentication to get at any file in that directory, but will allow any
valid user to get through.

<P><DT>Now, your users can simply check: 1. That their script was
executed by them (e.g. check the real uid of the script to make sure someone else
wasn't running it by hand) 2. That the REMOTE_USER environment variable
contains a user name that they want to allow to access the script.

</DL>
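<P>
The two checks from the last step, written as a user's script for the auth-cgi-bin setup. This is an added example, not code from cgiwrap; <TT>ALLOWED_USERS</TT>, the function names and the sample user names are assumptions, and it relies on the server setting the standard CGI variable <TT>GATEWAY_INTERFACE</TT>.

```shell
#!/bin/sh
# Added example, not part of cgiwrap: a user's script under auth-cgi-bin.
# ALLOWED_USERS, script_owner_uid, check_caller and handle_request are
# names made up for this illustration.
ALLOWED_USERS="alice bob"   # constructed sample user names

# Numeric uid that owns FILE (third column of ls -ldn).
script_owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# check_caller OWNER_UID "user1 user2 ..."
# 0 = allowed, 1 = real uid is not the owner's (run by hand by someone else),
# 2 = REMOTE_USER missing (server did not authenticate), 3 = user not listed.
check_caller() {
    owner_uid=$1
    allowed=$2
    [ "$(id -ru)" = "$owner_uid" ] || return 1
    [ -n "${REMOTE_USER:-}" ] || return 2
    for u in $allowed; do
        if [ "$u" = "$REMOTE_USER" ]; then
            return 0
        fi
    done
    return 3
}

handle_request() {
    if check_caller "$(script_owner_uid "$0")" "$ALLOWED_USERS"; then
        printf 'Content-Type: text/plain\r\n\r\nHello, %s\n' "$REMOTE_USER"
    else
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
        printf 'Access denied\n'
    fi
}

# Only answer when started through the CGI interface.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    handle_request
fi
```

The real-uid check matters because REMOTE_USER is only an environment variable: anyone running the script by hand can set it, but cannot change the real uid to the owner's.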



<P><HR>
<H3>Supplementary Configuration</H3>
<P>
If you enabled the access file checking, you need to make sure to create
the necessary files.
<P>
If you enabled the user directory rewriting feature, you need to create
the configuration file that you specified in the configure run.

<P>
<HR>
<PRE>
Here is the real-world example, for those who have problems
with cgiwrap installing.

Assumptions:

A. I use cgi-bin/ for global cgi scripts, you may choose /cgi-sys/ instead.
B. I have installed apache in /usr/local/apache/ directory, you may have
it in different location (/etc/httpd/ etc.)
C. I use WWW as a user web directory ('UserDir WWW' Apache directive),
you may choose public_html if you wish.
D. I allow users to place .cgi and .php scripts everywhere under the WWW/ directory
(--with-cgi-dir=WWW cgiwrap configuration option), you may choose another method.
E. I have system-wide html pages in /usr/local/apache/WWW/HTML
('DocumentRoot /usr/local/apache/WWW/HTML' apache directive)
and system-wide cgi-bin/ directory in /usr/local/apache/WWW/cgi-bin/
('ScriptAlias' apache directive)

Make sure you have installed php, that you can run it from the command line,
and you see the '--enable-discard-path' configuration option in the output
of the following command:
% php -i | grep configure
If not, then before/after installing cgiwrap, install php as a normal program
with the configuration option: --enable-discard-path

cgiwrap install procedure:

1. download and unpack cgiwrap archive

% wget http://telia.dl.sourceforge.net/sourceforge/cgiwrap/cgiwrap-3.8.tar.gz
% gtar zxvf cgiwrap-3.8.tar.gz
% cd cgiwrap-3.8

2. configure it:

Replace:
- /usr/local/bin/php with /usr/bin/php or other location of your php program
- WWW (in --with-cgi-dir=WWW) with public_html i.e. your users web directory
- /usr/local/apache/WWW/cgi-bin with /home/httpd/cgi-sys if you use such a value
for ScriptAlias
- admin@man.torun.pl with YOUR contact address
- www (in --with-httpd-user=www) with apache if you run web server as 'apache' user

./configure --with-check-shell --with-rlimit-core=0 --with-rlimit-cpu=60 \
--without-redirect-stderr --without-logging-file --with-perl=/usr/bin/perl \
--with-httpd-user=www --with-cgi-dir=WWW \
--with-install-dir=/usr/local/apache/WWW/cgi-bin --with-wall \
--with-local-contact-email=admin@man.torun.pl --with-php=/usr/local/bin/php \
--with-php-interpreter

# wait ...
# wait more until configure checks everything

3. run make

% make

That should output:

gcc -c -Wall -g -O2 -I. -I. debug.c
gcc -c -Wall -g -O2 -I. -I. util.c
util.c: In function `CheckUser':
util.c:370: warning: suggest parentheses around assignment used as truth value
util.c: In function `UserInFile':
util.c:1088: warning: subscript has type `char'
util.c:1096: warning: subscript has type `char'
gcc -c -Wall -g -O2 -I. -I. fetch.c
gcc -c -Wall -g -O2 -I. -I. stdutil.c
gcc -c -Wall -g -O2 -I. -I. msgs.c
gcc -o cgiwrap cgiwrap.o debug.o util.o fetch.o stdutil.o msgs.o

4. install with 'make install':

% make install

That would be executed (make install -n):

rm -f /usr/local/apache/WWW/cgi-bin/cgiwrap
rm -f /usr/local/apache/WWW/cgi-bin/cgiwrapd
rm -f /usr/local/apache/WWW/cgi-bin/nph-cgiwrap
rm -f /usr/local/apache/WWW/cgi-bin/nph-cgiwrapd
# rm -f /usr/local/apache/WWW/cgi-bin/php-cgiwrap
# rm -f /usr/local/apache/WWW/cgi-bin/php-cgiwrapd
cp cgiwrap /usr/local/apache/WWW/cgi-bin/cgiwrap
chown root /usr/local/apache/WWW/cgi-bin/cgiwrap
chgrp root /usr/local/apache/WWW/cgi-bin/cgiwrap
chmod 4755 /usr/local/apache/WWW/cgi-bin/cgiwrap
ln /usr/local/apache/WWW/cgi-bin/cgiwrap /usr/local/apache/WWW/cgi-bin/cgiwrapd
ln /usr/local/apache/WWW/cgi-bin/cgiwrap /usr/local/apache/WWW/cgi-bin/nph-cgiwrap
ln /usr/local/apache/WWW/cgi-bin/cgiwrap /usr/local/apache/WWW/cgi-bin/nph-cgiwrapd
# ln /usr/local/apache/WWW/cgi-bin/cgiwrap /usr/local/apache/WWW/cgi-bin/php-cgiwrap
# ln /usr/local/apache/WWW/cgi-bin/cgiwrap /usr/local/apache/WWW/cgi-bin/php-cgiwrapd

Then you see you have cgiwrap in the /usr/local/apache/WWW/cgi-bin/
directory.

5. Now configure Apache:

% cd /usr/local/apache/conf (on linux: % cd /etc/httpd/conf/)
% vim httpd.conf (or % pico httpd.conf)

5a) add these lines to global directives:

# change /usr/local/apache/WWW/cgi-bin/ to YOUR /cgi-bin/ real path
ScriptAlias /cgi-bin/ "/usr/local/apache/WWW/cgi-bin/"

AddHandler cgi-wrapper .php
AddHandler cgi-wrapper .cgi
Action cgi-wrapper /cgi-bin/cgiwrap

5b) do not run cgiwrap on .cgi scripts in the global /cgi-bin/ directory:

<Directory /usr/local/apache/WWW/cgi-bin>
AllowOverride None
Options None
AddHandler cgi-script .cgi
</Directory>

5c) I have a phpMyAdmin installed in /usr/local/apache/WWW/HTML/phpMyAdmin/,
and I want it to be run as a 'www' user from the <home of www>/WWW/HTML/ directory

<Location /phpMyAdmin/*>
Action cgi-wrapper /cgi-bin/cgiwrap/www/HTML
</Location>

5d) I have some Virtual Domains defined. Every user can have its own
virtual domain. I want .cgi and .php scripts to be run as a specified user
('makler' in this situation):

<VirtualHost *>
ServerAdmin info@klaban.torun.pl
DocumentRoot /home/[... home directory/WWW here ...]/makler/WWW
ServerName www.klaban.torun.pl
ErrorLog logs/klaban_error_log
CustomLog logs/klaban_access_log combined
Action cgi-wrapper /cgi-bin/cgiwrap/makler

# [... other configuration stuff discarded ...]

</VirtualHost>

6. Test your configuration before Apache reload (you may use /etc/init.d/httpd
instead of ~www/bin/apachectl):

% ~www/bin/apachectl configtest
Syntax OK

7. Reload apache web server:

% ~www/bin/apachectl stop # (or: ~www/bin/apachectl restart)
% ~www/bin/apachectl start

8. Test if the simple php script is executed OK:

8a) create php script - your php scripts should be owned by the user, not root:

% su makler
% echo '<?php echo "php is OK<br>\n"; ?> HTML too' > ~makler/WWW/test-php.php

8b) point your web browser to: http://www.klaban.torun.pl/test-php.php

Now you should see:
php is OK
HTML too

--
Piotr Klaban
</PRE>