[英]Cgi-bin script to cat a file owned by a user
I'm using Ubuntu server and I have a cgi-bin script doing the following . 我正在使用Ubuntu服务器,并且有一个执行以下操作的cgi-bin脚本。 .
。 .
。
#!/bin/bash
echo Content-type: text/plain
echo ""
cat /home/user/.program/logs/file.log | tail -400 | col -b > /tmp/o.txt
cat /tmp/o.txt
Now if I run this script with I am "su" the script fills o.txt and then the host.com/cgi-bin/script runs but only shows up to the point I last ran it from the CLI 现在,如果我以“ su”身份运行此脚本,则该脚本将填充o.txt,然后host.com/cgi-bin/script会运行,但只会显示到我上一次从CLI运行该脚本的那一点
My apache error log is showing "permission denied" errors. 我的Apache错误日志显示“权限被拒绝”错误。 So I know the user apache is running under somehow cannot cat this file.
所以我知道用户apache在某种程度上无法运行。 I tried using chown to no avail.
我尝试使用chown无济于事。 Since this file is in a user directory, what is the best way to either duplicate it or symbolic link it or what?
由于此文件位于用户目录中,因此最好的复制或符号链接方式是什么?
I even considered running the script as root in a crontab to sort of "update" the file in /tmp/ but that did not work for me. 我什至考虑在crontab中以根用户身份运行脚本,以“更新” / tmp /中的文件,但这对我不起作用。 How would somebody experienced with cgi-bin handle access to a file in a users directory?
熟悉cgi-bin的人将如何处理对用户目录中文件的访问?
The Apache user www-data
does not have write access to a temporary file owned by another user. Apache用户
www-data
对另一个用户拥有的临时文件没有写访问权。
But in this particular case, no temporary file is required. 但是在这种特殊情况下,不需要临时文件。
tail -n 400 logfile | col -b
However, if Apache is running in a restricted chroot
, it also has no access to /home
. 但是,如果Apache在受限制的
chroot
运行,则它也无权访问/home
。
The log file needs to be chmod o+r
and all directories leading down to it should be chmod o+x
. 日志文件必须为
chmod o+r
,所有指向该目录的目录都应为chmod o+x
。 Make sure you understand the implications of this! 确保您了解此含义! If the user has a reason to want to prevent access to an intermediate directory, having read access to the file itself will not suffice.
如果用户有理由要阻止对中间目录的访问,则对文件本身的读取访问权将不足。 (Making something have
www-data
as its group owner is possible in theory, but impractical and pointless, as anybody who finds the CGI script will have access to the file anyway.) (从理论上说,使某物具有
www-data
作为其组所有者是可能的,但是不切实际且毫无意义,因为找到CGI脚本的任何人都将始终可以访问该文件。)
More generally, if you do need a temporary file, the simple fix (not even workaround) is to generate a unique temporary file name, and remove it afterwards. 更一般而言,如果确实需要临时文件,则简单的解决方法(甚至不是解决方法)是生成唯一的临时文件名,然后将其删除。
temp=$(mktemp -t cgi.XXXXXXXX) || exit $?
trap 'rm -f "$temp"' 0
trap 'exit 127' 1 2 15
tail -n 400 logfile | col -b >"$temp"
The first trap
makes sure the file is removed when the script terminates. 第一个
trap
确保在脚本终止时删除文件。 The second makes sure the first trap
runs if the script is interrupted or killed. 第二个确保脚本被中断或杀死时,第一个
trap
运行。
I would be inclined to change the program that creates the log in the first place and write it to some place visible to Apache - maybe through symbolic links. 我倾向于更改首先创建日志的程序,并将其写入Apache可见的某个位置-也许通过符号链接。
For example: 例如:
ln -s /var/www/cgi-bin/logs /home/user/.program/logs
So your program continues to write to /home/user/.program/logs
but the data actually lands in /var/www/cgi-bin/logs
where Apache can read it. 因此,您的程序继续写入
/home/user/.program/logs
但是数据实际上位于Apache可以读取的/var/www/cgi-bin/logs
中。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.