how to set permissions for python scripts in cgi-bin on backtrack 5 r3

[killa_cam]

I am trying to run a simple search engine that is written in python, javascript and html.

When i put them in the cgi-bin i get the 403 forbidden access error. I understand why this happens but I cant seem to find out how to change the permissions so that I can access them from the cgi-bin or where ever.Any help is appreciated.

[atreyu]

i was trying to run python and perl scripts through cgi and i cant seem to figure out how to set permissions or what public_html is,so I was wondering how you did it

Hi,

What distro are you using?

Have you made your CGI scripts executable? e.g.:

Code:

chmod +x /var/www/cgi-bin/test.cgi

What is your webserver? (Apache, Nginx, etc.)

The DocumentRoot dir (often /var/www or /var/www/html) needs to be readable/executable by all, e.g.:

Code:

# ls -ld /var/www/html
drwxr-xr-x 50 root root 4096 Jul 24 20:16 /var/www/html

Also, monitor your webserver log file, it will give you quick trouble-shooting feedback. The location of the log files depends on your webserver, and is usually defined in a the main config file (e.g., /etc/httpd/conf/httpd.conf). For example, the webserver error log file on my Fedora box is at /var/log/httpd/error_log.

[atreyu]

I am trying to run a simple search engine that is written in python, javascript and html.

When i put them in the cgi-bin i get the 403 forbidden access error. I understand why this happens but I cant seem to find out how to change the permissions so that I can access them from the cgi-bin or where ever.Any help is appreciated.

What does your webserver's log file tell you? It should spell out the problem pretty clearly.

[killa_cam]

I am running apache2 in backtrack 5 r3.In my var/log/apache2/error.log file it says:

Thu Sep 20 18:22:04 2012] [error] [client ::1] (13)Permission denied: access to /cgi-bin/search/search.html denied
[Thu Sep 20 18:22:04 2012] [error] [client ::1] File does not exist: /var/www/favicon.ico

[atreyu]

I am running apache2 in backtrack 5 r3.In my var/log/apache2/error.log file it says:

Thu Sep 20 18:22:04 2012] [error] [client ::1] (13)Permission denied: access to /cgi-bin/search/search.html denied
[Thu Sep 20 18:22:04 2012] [error] [client ::1] File does not exist: /var/www/favicon.ico

is the dir "/cgi-bin/search/" readable and executable by all? for example, if your cgi-bin dir is in /var/www, then you might try:

Code:

ls -ld /var/www/cgi-bin/search

which should yield something like:

Code:

drwxr-xr-x  2 root root 4096 Nov 15  2008 /var/www/cgi-bin/search

where you can see by the last r-x that it is readable and executable by all.

also check the permissions of the search.html file, it should be readable by all, e.g.:

Code:

# ls -l /var/www/cgi-bin/search/search.html
-rw-r--r--  1 root root 0 Sep 21 16:11 /var/www/cgi-bin/search/search.html

you can ignore the favicon error. or put one in /var/www to get rid of that error.

[killa_cam]

Ok, so for the first command (ls -ld /var/www/cgi-bin/search) i got


drwx------ 4 root root 4096 2012-09-18 23:12 /var/www/cgi-bin/search


And for the second one (ls -l /var/www/cgi-bin/search/search.html) i got


ls: cannot access /var/www/cgi-bin/search/search.html: No such file or directory


i then tried (ls -l /var/www/cgi-bin/search/search.html) and i got


total 64
-rwxrwxrwx 1 root root 11867 2007-12-04 22:49 license.txt
-rwxrwxrwx 1 root root 942 2012-09-09 07:49 Search.html
-rwxrwxrwx 1 root root 4539 2007-12-04 22:50 search.js
-rwxrwxrwx 1 root root 8645 2012-09-07 16:01 search.py
-rwxrwxrwx 1 root root 14583 2012-09-06 15:06 search.py.zip
-rwxrwxrwx 1 root root 203 2007-12-02 09:45 SearchResults.css
-rwxrwxrwx 1 root root 528 2007-12-02 09:42 SearchResults.html
drwx------ 3 root root 4096 2007-12-02 08:21 test


when i moved the cgi-bin which was oringinaly in /usr/lib/ to the /var/www/ and try to access localhost/cgi-bin/search/search.html on chrome i got


Not Found

localhost/cgi-bin/search/search.html was not found on this server.

Apache/2.2.14 (Ubuntu) Server at localhost Port 80

[atreyu]

Ok, so for the first command (ls -ld /var/www/cgi-bin/search) i got

drwx------ 4 root root 4096 2012-09-18 23:12 /var/www/cgi-bin/search

This prevents your webserver account (presumably "nobody" or "apache", or some other non-root account) from being able to see into this directory. You need to modify the permission, something like:

Code:

chmod 0755 /var/www/cgi-bin/search

for good measure, check the /var/www/cgi-bin dir, too. it should have similar perms.

And for the second one (ls -l /var/www/cgi-bin/search/search.html) i got

ls: cannot access /var/www/cgi-bin/search/search.html: No such file or directory

i then tried (ls -l /var/www/cgi-bin/search/search.html) and i got

Do you mean here that you tried "ls -l /var/www/cgi-bin/search/"?

total 64
-rwxrwxrwx 1 root root 11867 2007-12-04 22:49 license.txt
-rwxrwxrwx 1 root root 942 2012-09-09 07:49 Search.html
-rwxrwxrwx 1 root root 4539 2007-12-04 22:50 search.js
-rwxrwxrwx 1 root root 8645 2012-09-07 16:01 search.py
-rwxrwxrwx 1 root root 14583 2012-09-06 15:06 search.py.zip
-rwxrwxrwx 1 root root 203 2007-12-02 09:45 SearchResults.css
-rwxrwxrwx 1 root root 528 2007-12-02 09:42 SearchResults.html
drwx------ 3 root root 4096 2007-12-02 08:21 test

when i moved the cgi-bin which was oringinaly in /usr/lib/ to the /var/www/ and try to access localhost/cgi-bin/search/search.html on chrome i got

Not Found

localhost/cgi-bin/search/search.html was not found on this server.

There is no file named "search.html", based upon your directory listing above. The file "Search.html" is different - Linux is case-sensitive. If the Search.html is the file you want, the rename it to search.html, or simply call the url like this:

http://localhost/cgi-bin/search/Search.html

You can also put an .htaccess file in the cgi-bin/search dir, to force a certain file to be your default index file, but leave that for later.

Also, it is important that you know that /var/www/cgi-bin is the CGI directory on your system. i'm pretty sure that is correct for Ubuntu, but you may want to check the httpd.conf apache config file. If you are looking at the apache error_log, that will help you, too.

[killa_cam]

i changed the permissions for the /var/www/cgi-bin/ and for the /var/www/cgi-bin/search/ to 0755 and when i called

"localhost/cgi-bin/search/Search.html"

I got the 404 not found error. I also got the 404 error when i searched "localhost/cgi-bin/" And yes i did mean to write "ls -l /var/www/cgi-bin/search/"

when I looked in the httpd.conf file which is located in /etc/apache2/ it was a blank document. Then i found httpd.conf in the /pentest/fuzzers/rfuzz/gems/mongrel-1.1.5/examples and it said:

ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/

#"/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/apache2/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>

Im not sure if that helps but this httpd.conf is also located in /var/lib/gems/1.8/gems/mongrel-1.1.5/examples but seems to be the same document. Hope this helps.

[atreyu]

i'm not sure about those mongrel httpd files...are you using the default apache that came w/Backtrack? try looking in /etc/ for apache config files:

Code:

find /etc/ -type f -exec grep -H --color ScriptAlias {} \;

if you think /usr/local/apache2/cgi-bin might be legit, see if there are any CGI files in there, and if so, just try to access one via browser.

you definitely need to know which file is your apache config file, before you can successfully troubleshoot.

another thing i thought about: Search.html is probably not a cgi script. maybe search.py is, but you may just need to copy that stuff to your document root. i would know w/o seeing all of those files. keep it mind that you can also make any HTML accessible directory a CGI script directory, if your server is configured to allow the use of htaccess files.

[killa_cam]

sorry I havent replied in a while but i executed the command "find /etc/ -type f -exec grep -H --color ScriptAlias {} \;" and i got

/etc/apache2/sites-available/default-ssl: ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
/etc/apache2/sites-available/default: ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
/etc/apache2/mods-available/mime.conf:# To use CGI scripts outside of ScriptAliased directories:

I am using the default apache and I want to be able to execute these scripts


(\/\/ \/\/ \/\/.zackgrossbart.com/hackito/search-engine-python/).


I have all the files in a folder named "search." One thing I dont get is why when I start apache and go to "localhost/cgi-bin/search/Search.html" i get 404 error. But when i go to "localhost/" i get a "it works default page." i copied the search folder to root but still nothing. I found this website

(\/\/ \/\/ \/\/.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch20_:_The_Apache_Web_Server)

it might help
sorry about the "\/\/" i guess i cant post links yet.