You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by jonathan hudgins <jh...@thereinc.com> on 2003/10/03 22:24:02 UTC
[users@httpd] cgi spawning process to update registry
I have been trying to configure Apache so that it can be used as an interface
to do machine local stuff. As such I am unconcerned about security and am
only allowing contact as localhost.
I trigger cgi scripts, which start perl scripts. These scripts do a variety
of things (mostly using cygwin) such as cp, mkdir, msdev /make, and other
executables. So far all of these exe's run without a hitch, except when
makecert runs. Makecert fails because I do not have permissions to update
the registry.
Hmmmn...
Tried: scripts from command line -> works
Tried: examing apache source code for CreateProcess
Tried: looking for options that would make Apache "less-secure"
(didn't find any that looked promising).
Verified: no "user" specified
Looked at: http://httpd.apache.org/docs/misc/security_tips.html
didn't try: CGI-wrap
didn't try: suEXEC
Has anyone seen/worked-around this problem?
Does anyone know why my script is disallowed access from the registry?
Does anyone know if I should try suEXEC? CGI-wrap?
I am using Apache/1.3.26 on Windows 2000.
Attached is my httpd.conf if it might help.
Thanks,
Jonathan
Re: [users@httpd] cgi spawning process to update registry
Posted by jonathan hudgins <jh...@thereinc.com>.
On Fri, 3 Oct 2003, Brian Dessent wrote:
> jonathan hudgins wrote:
> >
> > I have been trying to configure Apache so that it can be used as an interface
> > to do machine local stuff. As such I am unconcerned about security and am
> > only allowing contact as localhost.
... but ...
> > Makecert fails because I do not have permissions to update
> > the registry.
>
> It all depends on what user context the process is running as. Did you
> start Apache as a service?
Actually I started apache from the command-line with args
"-f httpd.conf -X". This is the same command-line that I
run my script directly. Again, my script updates the registry
with no problem when I run it directly from the command-line
*but* fails to update the registry when I run it through
the apache that I started from my command-line.
> Is it running as SYSTEM or did you create an
> account for it? Whatever user accout it's running as will need rights
> to the registry.
I have looked at Apache in PView.exe (Process Explode, a
program included with MSDEV) and the user is myself -- and
I have full admin permissions.
I think this pretty much isolates the permission issue somewhere
inside Apache.
Thanks for helping,
Jonathan
> You can check this by running REGEDT32, selecting a
> hive or branch (most inherit from the root HKEY_LOCAL_MACHINE) and then
> selecting Security|Permissions from the menu. You should then make sure
> that the user that Apache is running as has write access to the keys
> you're trying to change.
>
> Brian
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] cgi spawning process to update registry
Posted by Brian Dessent <br...@dessent.net>.
jonathan hudgins wrote:
>
> I have been trying to configure Apache so that it can be used as an interface
> to do machine local stuff. As such I am unconcerned about security and am
> only allowing contact as localhost.
>
> I trigger cgi scripts, which start perl scripts. These scripts do a variety
> of things (mostly using cygwin) such as cp, mkdir, msdev /make, and other
> executables. So far all of these exe's run without a hitch, except when
> makecert runs. Makecert fails because I do not have permissions to update
> the registry.
>
> Hmmmn...
>
> Tried: scripts from command line -> works
> Tried: examing apache source code for CreateProcess
> Tried: looking for options that would make Apache "less-secure"
> (didn't find any that looked promising).
> Verified: no "user" specified
> Looked at: http://httpd.apache.org/docs/misc/security_tips.html
It all depends on what user context the process is running as. Did you
start Apache as a service? Is it running as SYSTEM or did you create an
account for it? Whatever user accout it's running as will need rights
to the registry. You can check this by running REGEDT32, selecting a
hive or branch (most inherit from the root HKEY_LOCAL_MACHINE) and then
selecting Security|Permissions from the menu. You should then make sure
that the user that Apache is running as has write access to the keys
you're trying to change.
Brian
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org