Web Server and Perl

Question

Level 1

4 points

Web Server and Perl

Running 10.6.8 on a Mac Mini. I've been using Terminal to run perl scripts. I'd like to start testing web pages that contain perl locally in Safari. I enabled "Web Sharing" in OS X Preferences, put a perl script in the /Library/WebServer/CGI-Executables directory, set file permissions to 0755 and successfully executed the script in Safari. So far so good.

Here's where I am confused: I have no interest in sharing these files with anyone -- just me -- just for testing locally before uploading to a web server. But, when I set my script file permission to 0700 [which would normally allow only me to read, write or execute, which is what I need], the script returns a "500 Internal Server Error" which must be a permission problem, since it exceutes fine with a permission of 0755.

Can someone please help me understand how I can run perl scripts via web pages locally, without throwing open my doors to the world? Ideally, I'd like to keep Web Sharing off entirely, but I'd be happy to just set me-only file permissions. Perhaps I'm confused about how to establish the same user/group for the script, the directory, the browser, the server, etc. It's all a bit murky to me. Please help.

Thanks!

Mac mini, Mac OS X (10.6)

Posted on Mar 12, 2014 1:08 PM

Reply

Answer 1

Best reply

MrHoffman

Community+ 2024

Level 10

116,085 points

Mar 12, 2014 3:35 PM in response to karl_kaboom

Old-style 700 is also known as u=rwx,go=, which is still cryptic, but somewhat less cryptic than 700. That's user read-write-execute, group and other no access.

The web server is user www (or _www), and the www user has to access and read the web files, and has to be able to have execute access to the scripts.

If www can't access the files, they can't be successfully served.

There's no particular concept of allowing other folks access to a web script based on ownership or protections, as the folks accessing the files are on other hosts and don't have any group or user attributes that map to the local system; to the web server. Accordingly, you might see authentication happening with a web server authentication mechanism (passwords, certificates, etc), but typically not based on local file ownership or local file protections because — again — the local user that's accessing the web files is usually _www, and not somebody with a mapping into the local security.

Usual for these is setting up a virtual host or a private web server, and not communicating that with other folks. Alternatively, setting up password protections or other such security, using edits to Apache-specific configuration files.

Reply

Answer 2

karl_kaboom Author

Level 1

4 points

Mar 14, 2014 1:33 PM in response to MrHoffman

Hey MrHoffmann -- Thanks for your detailed help! I appreciate it very much. If you don't mind, I'd like to make sure I understand you correctly. I’m a novice on these issues. So, it sounds like you are saying that if I want to use Web Sharing to test perl scripts in Safari on my local machine, I must also allow others in remote locations "theoretical" access to those files, but if I don't share the web address that maps to my machine with anyone, there's no way for anyone to get access. Is that rigtht, or did I misinterpret?

So, that's one step in the right direction. But, hackers being hackers, isn't it still somehow possible that someone could "happen into" those files if the files are in Web Sharing? That scares me.

It sounds like you're saying that, to protect from that possibility, I'd have to use Apache tools to password protect the files. Is that right?

You mention alternatives such as a "virtual host" or "private web server". Would those options eliminate that small possibility of hackers wandering in? If so, can you give me a little info on what that entails?

It just seems counter-intuitive to me to open up any "sharing" scenario for any files that are intended for my own use. It seems counter-intuitive to have to password-protect any files on my private machine from worldwide access. I’m trying to understand how I can assure no possibility of unauthorized access.

Thanks again!

Reply

Answer 3

Mar 15, 2014 6:13 PM in response to karl_kaboom

This is the OS X Server forum — I'm inferring that you're running 10.6.8 client, and not 10.6.8 server — and it's typical to use Server.app (Lion and later) or Server Admin.app (Snow Leopard and earlier) to manage Apache and the virtual hosts with servers. With OS X client 10.6.8, you'll have to create and manage the virtual hosts manually, using the Apache configuration files — that's possible, but involves editing some Apache configuration files.

File protections are entirely system local. If the protections were directly extended, then I could establish user karl_kaboom on my systems, and have full access to your files. But your local files have to be accessible to Apache and the www (or _www) user on your local system, as that's the user that's serving those files to the web; either read-accessable, or with read and execute access for scripts.

There are ways to extend access controls across a network environment, and the Apache web server has mechanisms for authentication users, using web passwords or digital certificates or such, or variously occasionally more advanced mechanisms.

Using virtual hosts means that the remote accessor has to use the host name of the target virtual host, which means it's less likely for a random remote user to access a random web site — they have to have an entry in their local hosts file or in their local DNS, or be running a very unusual web browser to access a non-default virtual host. It's decent security and will probably discourage most folks, but not impenetrable. Using a password or a certificate is another option, though that'll require editing an Apache configuration file for the web directory. Here's the Apache authentication how-to.

If your system isn't accessible from outside your local network, then you're only going to have issues with random access to your web server from within your network. If you wander around among networks as is common with a laptop, then you'll generally not want to have a running web server when you're off your network — web sharing or full-on Apache via OS X Server — as that provides folks with more things to explore, and more things to attack.

In general, I'd suggest acquiring a book on Apache web services, or spending some time with the documentation over at the Apache web site. Here's the old 10.6 server manual for web services — you likely don't have server and probably don't want to deal with OS X Server here in general, but it might be an interesting read. With 10.6.8 client, you won't have access to various of those tools, and you'll be editing configuration files directly to establish the access controls you're seeking.

I'd also suggest upgrading from OS X 10.6.8 (whether client or server), as support and security updates have apparently ended for that, and the integrated tools are getting older.

Reply