You are viewing a plain text version of this content. The canonical link for it is here.

Posted to modperl@perl.apache.org by "JupiterHost.Net" <ml...@jupiterhost.net> on 2004/04/29 23:26:00 UTC

mod_perl File Extension Configuration instead of a Path Configuration

Hello group!

Super mod_perl newbie here :)

I was wondering if its possible to setup mod_perl in httpd.conf with a
File Extension Configuration instead of a Path Configuration.

IE - everything with the .mpl extension is run under mod_perl instead of 
everything in /perl/ being run under mod_perl...
Something like:
     AddHandler mod_perl-script .mpl

If it is possible what benefits/problems/issues would there be to think 
about vs a Path configuration?

Where might I find good documentation about how to do this and what 
issues you'd encounter/have to consider (I didn't see anything at 
perl.apache.org... which I'm sure is my fault ;p )?

TIA

Lee.M - JupiterHost.Net


-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html

Re: OT[maybe] IPC or broke:)

Posted by Perrin Harkins <pe...@elem.com>.

On Mon, 2004-05-03 at 13:23, dreamwvr@dreamwvr.com wrote:
> The thing is the program can take from 10 to like 60 seconds
> to complete results. 
> This means that:
> page never really loads since it is waiting for 
> results that take far too long to get. Just looking for 
> other opinions on handling this cleanly. 

This is a solved problem.  Either fork or use a queue.  Randal has a
column that shows the forking technique well:

http://www.stonehenge.com/merlyn/WebTechniques/col20.html

- Perrin


-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html

OT[maybe] IPC or broke:)

Posted by "dreamwvr@dreamwvr.com" <dr...@dreamwvr.com>.

Hi,
  I have a handler that currently simply authenticates 
a user. Then once they are authenticated they are able to 
run a specific program with diff args living on the server. 

The thing is the program can take from 10 to like 60 seconds
to complete results. 
This means that:
page never really loads since it is waiting for 
results that take far too long to get. Just looking for 
other opinions on handling this cleanly. 

TIA,
dreamwvr@dreamwvr.com

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html

Re: mod_perl File Extension Configuration instead of a Path Configuration

Posted by petersm <pe...@venzia.com>.

If you want to do something like this ... every file ending in .pl is run as
an Apache::Registry (mod_perl 1) script you could do something like this in
your httpd.conf

[snip]

PerlModule Apache::Registry
AddHandler perl-script .mpl
PerlHandler Apache::Registry

[/snip]

This kind of setup is dangerous if you have users who can put .mpl scripts
anywhere inside of the document tree 'cause those scripts will run with the
same permissions that your own scripts run with. If you can control the whole
document tree it's not that bad. 

Michael Peters
Venzia

---------- Original Message -----------
From: "JupiterHost.Net" <ml...@jupiterhost.net>
To: modperl@perl.apache.org
Sent: Mon, 03 May 2004 10:31:56 -0500
Subject: Re: mod_perl File Extension Configuration instead of a Path Configuration

> Sorry to top post...
> 
> So is it (the subject/original email below) impossible then?
> 
> Or is it possible just not advisable?
> 
> TIA
> 
> JupiterHost.Net wrote:
> > Hello group!
> > 
> > Super mod_perl newbie here :)
> > 
> > I was wondering if its possible to setup mod_perl in httpd.conf with a
> > File Extension Configuration instead of a Path Configuration.
> > 
> > IE - everything with the .mpl extension is run under mod_perl instead of 
> > everything in /perl/ being run under mod_perl...
> > Something like:
> >     AddHandler mod_perl-script .mpl
> > 
> > If it is possible what benefits/problems/issues would there be to think 
> > about vs a Path configuration?
> > 
> > Where might I find good documentation about how to do this and what 
> > issues you'd encounter/have to consider (I didn't see anything at 
> > perl.apache.org... which I'm sure is my fault ;p )?
> > 
> > TIA
> > 
> > Lee.M - JupiterHost.Net
> > 
> > 
> 
> -- 
> Report problems: http://perl.apache.org/bugs/
> Mail list info: http://perl.apache.org/maillist/modperl.html
> List etiquette: http://perl.apache.org/maillist/email-etiquette.html
------- End of Original Message -------


-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html

Re: mod_perl File Extension Configuration instead of a Path Configuration

Posted by "JupiterHost.Net" <ml...@jupiterhost.net>.


DJ wrote:
> I dont know if this has been answered, since i deleted my email but the 
> answer is:
> 
> <Files *.mpl>
>    SetHandler perl-script
>    PerlHandler Your::Module
> </Files>

Thanks DJ!

I did get this earlier:

  PerlModule Apache::Registry
  AddHandler perl-script .mpl
  PerlHandler Apache::Registry

so incorporating the 2 it would be:

  <Files *.mpl>
     SetHandler perl-script
     PerlHandler Apache::Registry
  </Files>

After mod_perl is built as a DSO in Apache?

Is either method more preferable?

I'd do either in the main config section or in an <IfModule mod_perl.c> 
section?

TIA
> 

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html

Re: mod_perl File Extension Configuration instead of a Path Configuration

Posted by "JupiterHost.Net" <ml...@jupiterhost.net>.


Perrin Harkins wrote:

> On Mon, 2004-05-03 at 17:24, JupiterHost.Net wrote:
> 
>>So if I did it the .mpl way then /usr/foo/bar.mpl and /usr/foo/baz.mpl 
>>will run as nobody (IE untrusted user with less privileges)
> 
> 
> If that's who your server runs as, then yes.  The "nobody" user has the
> same privileges as any other user the systems I'm familiar with.  That
> user typically has no login, but may have permission to write to certain
> directories, etc.

cool, gotcha

>>(Regular .pl scripts currently run under suexec which I know mod_perl 
>>can't do since you can't split up a single process like that, will that 
>>hiinder mod_perl from running?)
> 
> 
> I'm not sure what you're asking.  If you add something to your conf to
> make all of your .pl scripts run through mod_perl, they won't run
> through suexec anymore.  You would have to keep them as CGI for that to
> work.  If you set it up to run some directories through CGI and some
> through mod_perl, that will work fine.

That's it exactly :)
If .pl run as regular scripts under suexec they'll be run as 'foo' 
instead of 'nobody' but any mod_perl scripts will be run as 'nobody'
but neither will break the other...


>>Which is just as [in]secure as /home/foo/bar.pl , 
>>/home/foo/stuff/baz.sh, /home/foo/public_html/luz.py, correct?
> 
> 
> Running them under mod_perl is less secure in the sense that anyone can
> write a script that messes around with globals, redefines core perl
> fuctions, etc. and messes up other people's scripts, since they are all
> running in the same interpreter.  You really should not run untrusted
> code under mod_perl without isolating it to its own apache server.

I see, perhaps I need to look into setting it up to run theri own 
mod_perl apache so they can shoot them self in the foot instead of others :)

>>(Maybe more secure since 'nobody' has less privs than 'foo', correct?)
> 
> 
> Again, "nobody" is just another user.
> 
> - Perrin

Thanks for the great info!

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html

Re: mod_perl File Extension Configuration instead of a Path Configuration

Posted by Perrin Harkins <pe...@elem.com>.

On Mon, 2004-05-03 at 17:24, JupiterHost.Net wrote:
> So if I did it the .mpl way then /usr/foo/bar.mpl and /usr/foo/baz.mpl 
> will run as nobody (IE untrusted user with less privileges)

If that's who your server runs as, then yes.  The "nobody" user has the
same privileges as any other user the systems I'm familiar with.  That
user typically has no login, but may have permission to write to certain
directories, etc.

> (Regular .pl scripts currently run under suexec which I know mod_perl 
> can't do since you can't split up a single process like that, will that 
> hiinder mod_perl from running?)

I'm not sure what you're asking.  If you add something to your conf to
make all of your .pl scripts run through mod_perl, they won't run
through suexec anymore.  You would have to keep them as CGI for that to
work.  If you set it up to run some directories through CGI and some
through mod_perl, that will work fine.

> Which is just as [in]secure as /home/foo/bar.pl , 
> /home/foo/stuff/baz.sh, /home/foo/public_html/luz.py, correct?

Running them under mod_perl is less secure in the sense that anyone can
write a script that messes around with globals, redefines core perl
fuctions, etc. and messes up other people's scripts, since they are all
running in the same interpreter.  You really should not run untrusted
code under mod_perl without isolating it to its own apache server.

> (Maybe more secure since 'nobody' has less privs than 'foo', correct?)

Again, "nobody" is just another user.

- Perrin

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html

Re: mod_perl File Extension Configuration instead of a Path Configuration

Posted by "JupiterHost.Net" <ml...@jupiterhost.net>.

Thanks for your input! I really appreciate it!

Perrin Harkins wrote:
> On Mon, 2004-05-03 at 12:39, JupiterHost.Net wrote:
> 
>>IE: it would be just as dangerouse as running a regular perl or shell or 
>>OTHER_LANGUAGE_HERE script in their home dir, correct?
> 
> [...]
> 
>>mod_perl scripts are run with the permissions of the user correct?
>>IE if Apache its 'nobody' or otherwsie (getpwuid($>))[0]
> 
> 
> No, when you run things with mod_perl, they run in the apache server
> process.  They will always have the same permissions as the apache

So if I did it the .mpl way then /usr/foo/bar.mpl and /usr/foo/baz.mpl 
will run as nobody (IE untrusted user with less privileges)

(Regular .pl scripts currently run under suexec which I know mod_perl 
can't do since you can't split up a single process like that, will that 
hiinder mod_perl from running?)

Which is just as [in]secure as /home/foo/bar.pl , 
/home/foo/stuff/baz.sh, /home/foo/public_html/luz.py, correct?

(Maybe more secure since 'nobody' has less privs than 'foo', correct?)

> server.  It is not safe to run untrusted scripts under mod_perl.  (There
> is all kinds of hand-waving about using Safe or something, but the only
> thing I would trust is an entirely separate server running as an
> unprivileged user.)
> 
> More info on configuration options is available here:
> http://perl.apache.org/docs/1.0/guide/config.html

I'll definately take a look thanks!

> If you want to just run .pl scripts under specific directories through
> mod_perl, the docs there will tell you how (using a <FilesMatch>
> directive).

Oh, good idea! then I can limit it to cgi-bin and .mpl... hmmmm excellent :)

> - Perrin 

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html

Re: mod_perl File Extension Configuration instead of a Path Configuration

Posted by Perrin Harkins <pe...@elem.com>.

On Mon, 2004-05-03 at 12:39, JupiterHost.Net wrote:
> IE: it would be just as dangerouse as running a regular perl or shell or 
> OTHER_LANGUAGE_HERE script in their home dir, correct?
[...]
> mod_perl scripts are run with the permissions of the user correct?
> IE if Apache its 'nobody' or otherwsie (getpwuid($>))[0]

No, when you run things with mod_perl, they run in the apache server
process.  They will always have the same permissions as the apache
server.  It is not safe to run untrusted scripts under mod_perl.  (There
is all kinds of hand-waving about using Safe or something, but the only
thing I would trust is an entirely separate server running as an
unprivileged user.)

More info on configuration options is available here:
http://perl.apache.org/docs/1.0/guide/config.html

If you want to just run .pl scripts under specific directories through
mod_perl, the docs there will tell you how (using a <FilesMatch>
directive).

- Perrin

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html

Re: mod_perl File Extension Configuration instead of a Path Configuration

Posted by "JupiterHost.Net" <ml...@jupiterhost.net>.


petersm wrote:

> If you want to do something like this ... every file ending in .pl is run as
> an Apache::Registry (mod_perl 1) script you could do something like this in
> your httpd.conf
> 
> [snip]
> 
> PerlModule Apache::Registry
> AddHandler perl-script .mpl
> PerlHandler Apache::Registry
> 
> [/snip]

Excellent thanks!

> This kind of setup is dangerous if you have users who can put .mpl scripts
> anywhere inside of the document tree 'cause those scripts will run with the

If they only have access to /home/user it would be cool right?
IE: it would be just as dangerouse as running a regular perl or shell or 
OTHER_LANGUAGE_HERE script in their home dir, correct?

> same permissions that your own scripts run with. If you can control the whole
> document tree it's not that bad. 

mod_perl scripts are run with the permissions of the user correct?
IE if Apache its 'nobody' or otherwsie (getpwuid($>))[0]

> Michael Peters
> Venzia
> 
> ---------- Original Message -----------
> From: "JupiterHost.Net" <ml...@jupiterhost.net>
> To: modperl@perl.apache.org
> Sent: Mon, 03 May 2004 10:31:56 -0500
> Subject: Re: mod_perl File Extension Configuration instead of a Path Configuration
> 
> 
>>Sorry to top post...
>>
>>So is it (the subject/original email below) impossible then?
>>
>>Or is it possible just not advisable?
>>
>>TIA
>>
>>JupiterHost.Net wrote:
>>
>>>Hello group!
>>>
>>>Super mod_perl newbie here :)
>>>
>>>I was wondering if its possible to setup mod_perl in httpd.conf with a
>>>File Extension Configuration instead of a Path Configuration.
>>>
>>>IE - everything with the .mpl extension is run under mod_perl instead of 
>>>everything in /perl/ being run under mod_perl...
>>>Something like:
>>>    AddHandler mod_perl-script .mpl
>>>
>>>If it is possible what benefits/problems/issues would there be to think 
>>>about vs a Path configuration?
>>>
>>>Where might I find good documentation about how to do this and what 
>>>issues you'd encounter/have to consider (I didn't see anything at 
>>>perl.apache.org... which I'm sure is my fault ;p )?
>>>
>>>TIA
>>>
>>>Lee.M - JupiterHost.Net
>>>
>>>
>>
>>-- 
>>Report problems: http://perl.apache.org/bugs/
>>Mail list info: http://perl.apache.org/maillist/modperl.html
>>List etiquette: http://perl.apache.org/maillist/email-etiquette.html
> 
> ------- End of Original Message -------
> 
> 
> 
> 

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html

Re: mod_perl File Extension Configuration instead of a Path Configuration

Posted by "JupiterHost.Net" <ml...@jupiterhost.net>.

Sorry to top post...

So is it (the subject/original email below) impossible then?

Or is it possible just not advisable?

TIA

JupiterHost.Net wrote:
> Hello group!
> 
> Super mod_perl newbie here :)
> 
> I was wondering if its possible to setup mod_perl in httpd.conf with a
> File Extension Configuration instead of a Path Configuration.
> 
> IE - everything with the .mpl extension is run under mod_perl instead of 
> everything in /perl/ being run under mod_perl...
> Something like:
>     AddHandler mod_perl-script .mpl
> 
> If it is possible what benefits/problems/issues would there be to think 
> about vs a Path configuration?
> 
> Where might I find good documentation about how to do this and what 
> issues you'd encounter/have to consider (I didn't see anything at 
> perl.apache.org... which I'm sure is my fault ;p )?
> 
> TIA
> 
> Lee.M - JupiterHost.Net
> 
> 

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html