You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Joe Terdiman <jf...@dor.kaiser.org> on 1999/07/09 18:02:50 UTC

os-solaris/4718: Ftp to a remote host does not work in a cgi script, if a .netrc file is installed.

>Number:         4718
>Category:       os-solaris
>Synopsis:       Ftp to a remote host does not work in a cgi script, if a .netrc file is installed.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Jul  9 09:10:00 PDT 1999
>Last-Modified:
>Originator:     jft@dor.kaiser.org
>Organization:
apache
>Release:        1.3
>Environment:
SunOS dor-ent1 5.5.1 Generic_103640-22 sun4u sparc SUNW,Ultra-Enterprise
>Description:
Assume Apache runs under Solaris on 'mylocalhost' with userid 'webserver' (the
user that invokes Apache server). There is a remote host called 'myremotehost' 
on which there is an account 'myuid', whose password on 'myremotehost' is 
'mypwd'. Then under Solaris, if user 'webserver' has a file called '.netrc' in
its home directory, '/home/webserver', with the following contents:

machine myremotehost login myuid password mypwd

user 'webserver' should be able to run ftp and login NON-INTERACTIVELY to
'myremotehost' as user 'myuid'. If I submit a form using Netscape 4.x that
executes a cgi script (written in Bourne shell script) that contains the ftp 
command, the script executes, but the ftp login fails. Error message from 
'myremotehost' when I stop the submission is:

Name(myremotehost: webserver) password missing from PASS 

"Name" and "PASS" are actually ftp commands and part of the INTERACTIVE ftp 
dialog that 'myremotehost' would generate if there were no '.netrc' file in
'/home/webserver' on 'mylocalhost'. (To test the script, if I run the same cgi 
script by logging into 'mylocalhost' as user 'webserver' and execute the script 
directly, instead of invoking the script from Netscape, I am now able to login 
to 'myremotehost' non-interactively and ftp files between 'mylocalhost' and
'myremotehost'.)
>How-To-Repeat:
You should be able to repeat this problem by running Netscape 4.x on a client
workstation and creating an HTML form that invokes a cgi script that contains
the ftp command, where the home directory of the Apache user 
(e.g., /home/webserver) contains the .netrc file described above.
>Fix:
Have you disabled this capability for security reasons? If so, it should be a
user selectable Apache configuration option. 
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <ap...@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]