You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Joe Terdiman <jf...@dor.kaiser.org> on 1999/07/09 18:02:50 UTC
os-solaris/4718: Ftp to a remote host does not work in a cgi script, if a .netrc file is installed.
>Number: 4718
>Category: os-solaris
>Synopsis: Ftp to a remote host does not work in a cgi script, if a .netrc file is installed.
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Fri Jul 9 09:10:00 PDT 1999
>Last-Modified:
>Originator: jft@dor.kaiser.org
>Organization:
apache
>Release: 1.3
>Environment:
SunOS dor-ent1 5.5.1 Generic_103640-22 sun4u sparc SUNW,Ultra-Enterprise
>Description:
Assume Apache runs under Solaris on 'mylocalhost' with userid 'webserver' (the
user that invokes Apache server). There is a remote host called 'myremotehost'
on which there is an account 'myuid', whose password on 'myremotehost' is
'mypwd'. Then under Solaris, if user 'webserver' has a file called '.netrc' in
its home directory, '/home/webserver', with the following contents:
machine myremotehost login myuid password mypwd
user 'webserver' should be able to run ftp and login NON-INTERACTIVELY to
'myremotehost' as user 'myuid'. If I submit a form using Netscape 4.x that
executes a cgi script (written in Bourne shell script) that contains the ftp
command, the script executes, but the ftp login fails. Error message from
'myremotehost' when I stop the submission is:
Name(myremotehost: webserver) password missing from PASS
"Name" and "PASS" are actually ftp commands and part of the INTERACTIVE ftp
dialog that 'myremotehost' would generate if there were no '.netrc' file in
'/home/webserver' on 'mylocalhost'. (To test the script, if I run the same cgi
script by logging into 'mylocalhost' as user 'webserver' and execute the script
directly, instead of invoking the script from Netscape, I am now able to login
to 'myremotehost' non-interactively and ftp files between 'mylocalhost' and
'myremotehost'.)
>How-To-Repeat:
You should be able to repeat this problem by running Netscape 4.x on a client
workstation and creating an HTML form that invokes a cgi script that contains
the ftp command, where the home directory of the Apache user
(e.g., /home/webserver) contains the .netrc file described above.
>Fix:
Have you disabled this capability for security reasons? If so, it should be a
user selectable Apache configuration option.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <ap...@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or ]
["Re: general/1098:"). If the subject doesn't match this ]
[pattern, your message will be misfiled and ignored. The ]
["apbugs" address is not added to the Cc line of messages from ]
[the database automatically because of the potential for mail ]
[loops. If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request from a ]
[developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]