Topic: 500 Internal Server Error

[alvy]

Hi,

My first installation of album.pl & aint getting any further than:
"500 Internal Server Error".
Tried url cgi-bin/album_test.pl, which returns only half of the output followed by:
"Insecure $ENV{PATH} while running setuid at /home/www/cgi-bin/album_test.pl line 92."
in apache's error.log (Running on Linux 2.4.27-1-686 Debian)

Now, if I try "..# perl album.pl > album.html" & view the same file in IE, there seem to be no problems. Looks like the correct first configuration page.
Neither do I see any problems in  "..# perl album_test.pl > album_test.html"

I run other cgi's, including webmail, no problems with them.
Any ideas? I'd love to get it running, looks like a cool album.

A.

[frister]

Liine 92 in album_test.pl is issuing the system call "which convert" to check for the presence of ImageMagick.

Your problem could stem from apache's configuration and the mode in which it runs, or it could also be that your perl is set up to enforce taint checking at all times

I'm not sure how exactly to resolve the problem. Maybe this article willl help: http://www-unix.mcs.anl.gov/~olson/perl/perl5.003_05-manual/perlsec.html

You could also try to change the first line of album.pl and album_test.pl from

Code: [Select]

#!/usr/bin/perl to

Code: [Select]

#!/usr/bin/perl --J.J.

[Mike Bobbitt]

Well, line 92 of album_test.pl does a system call to album.pl, so that doesn't give us much info... what do the web logs say when you run album.pl from the web?

Clearly it's an environment thing... Do you have more than 1 Perl interpreter on your system? Try running /usr/bin/perl album.pl at the command line to see if that changes anything...


Cheers
Mike

[alvy]

Weblog on running album.pl: "Premature end of script"
Yes, I noticed the call on line 92, but I'm very new to perl (I'm a VB-er) so not sure what it meant.
I can only find one Perl interpreter. v5.8.4

I did try changing #!/usr/bin/perl, -- & -w as mentioned before in the Forum. But no luck.

You gave me an idea though...and I don't know why I didn't try this before..
If I run
"..# usr/bin/perl album.pl" at the command line, but as the user apache runs under, not as root, I get:
"Insecure dependency in require while running setuid at /usr/share/perl/5.8/Carp.pm line 55."

Clearly a perl or apache issue, not album.pl

I'll go through the article you mentioned, it looks helpfull.
And I need to do some reading on setuid it seems.

Thanks for the help.

A.

[alvy]

Well.....

I got it to work by using "#!/usr/bin/perl -U", which means perl runs unrestricted.... obviously this doesn't fix the problem.

I've added the -U switch in album_test.pl, but not in album.pl & successfully called album_test.pl from my browser.

The last line of my album_test.pl output is :

Checking for album.pl output: perl /home/www/cgi-bin/album.pl... (*NIX systems only)
Insecure dependency in require while running setuid at /usr/share/perl/5.8/Carp.pm line 55. 

My webmail uses suidperl...do you think there could be a conflict between suidperl & setuid?
I've also been thinking of a PATH problem...& would like to verify if it was correct of me to put the cgi-bin folder in
/home/www/cgi-bin/
& the other files&Folders in
/home/www/admin/
which is my document-root.

I this wrong? Should all files&Folders reside under the same document-root? I presume not..

A.

[Mike Bobbitt]

Interesting...

Try editing album.pl and deleting (or better yet commenting out) this line:

Code: [Select]

# Show all script errors to the browser, for easier debugging
use CGI::Carp qw(fatalsToBrowser);
Cheers
Mike

[alvy]

Done,
album.pl still not working, last line of album_test.pl now shows:

Checking for album.pl output: perl /home/www/cgi-bin/album.pl... (*NIX systems only)
Insecure dependency in require while running setuid at /home/www/cgi-bin/album.pl line 8148.

hmmm, I'm starting to think that I'm missing out on some perl modules..
Does anyone know how I can see if setuid is installed (is it a program or a module ).

Thanks for the help.
A.

[Mike Bobbitt]

Usually you get a different message if you're missing Perl modules... However, line 8148 is a call to showConfig(), which is in album_admin.pm.

The permissions on all the .pm files and the Modules directory should be 755. If they're not, that could be causing the problem...

[alvy]

I've done a chmod -R 777 cgi-bin some time back, this was my first remedy to try fix the problem. As it usually is the first thing to try..

Please note that the user Apache runs as is www:users & all file ownerships are set to the same..Could this be a problem? Does the user www need any special system-rights I'm unaware off to be able to run album.pl?

I've noticed you have an upgrade. I'm currently running:
# $Id: album.pl,v 1.71 2004/09/13 15:25:39 bobbitt Exp $
I'll download your latest version of :
# $Id: album.pl,v 1.72 2004/09/22 01:10:32 bobbitt Exp $
& try again.


A.

[alvy]

The strangest thing:

When album.pl is run for the first time, it creates album.cfg, correct?
Why does it set root as it's owner, rather than www??

drwxrwxrwx  3 www  users   4096 Sep 27 08:50 .
drwxr-xr-x    8 www  users   4096 Sep 26 07:04 ..
drwxrwxrwx  2 www  users   4096 Sep 27 08:46 Modules
-rw-r--r--      1 root    users  28432 Sep 27 08:50 album.cfg
-rwxrwxrwx  1 www  users  28432 Sep 13 09:25 album.cfg.clean
-rwxrwxrwx  1 www  users  37049 Sep 13 08:55 album.html
-rwxrwxrwx  1 www  users 255947 Sep 21 19:10 album.pl

After this, album_test.pl shows:
Checking to see if "/home/www/cgi-bin/album.cfg" is writable...
FAIL

My apache runs under www :

# ps -ef |grep apache
root          960       1  0 Sep24 ?        00:00:00 /usr/sbin/apache
www       4444   960  0 Sep26 ?        00:00:00 /usr/sbin/apache
www       4445   960  0 Sep26 ?        00:00:00 /usr/sbin/apache
www       4446   960  0 Sep26 ?        00:00:00 /usr/sbin/apache
www       4447   960  0 Sep26 ?        00:00:00 /usr/sbin/apache
www       4448   960  0 Sep26 ?        00:00:00 /usr/sbin/apache
www       4600   960  0 Sep26 ?        00:00:00 /usr/sbin/apache
www       4865   960  0 Sep26 ?        00:00:00 /usr/sbin/apache
www       5237   960  0 Sep26 ?        00:00:00 /usr/sbin/apache
www       5243   960  0 Sep26 ?        00:00:00 /usr/sbin/apache

Could this be related to my problem?

PS, I've installed album 6.5, still same problem.

[alvy]

I cought the process of album.pl & look what I found:
#ps -eaf
root      7594  7515 17 09:28 ?        00:00:00 /usr/bin/perl -- /home/www/cgi-bin/album.pl

In fact, all my cgi scripts seem to run as root, shouldn't they be running as www:users?
Anybody any ideas on how to change this?

[Mike Bobbitt]

Yeah, edit httpd.conf and look for something like this:

Code: [Select]

User root
Group www
If it's running as root, that's very bad...

[alvy]

Uhu, I realize that! I can't figure it out. Apache is configured to run as www:users and does. In fact, even if Apache is configured to run as root, it would never start, as a security measure.
It must be Perl that's executing the scripts as root, not Apache.

Anyways, the album.pl installation on Redhat 9 worked fine, only too bad I can only use that box on my LAN.

A.

[Mike Bobbitt]

Ah, maybe your perl is SUID root or something...?

[alvy]

I haven't had time to spend on album.pl for a while.
But we had to upgrade SUIDPERL 2 days back and guess what.....album.pl started working!!!!
Oh, and my webmail stopped working....LOL.

Problem fixed though. It was suidperl.

Thanks for the support guys!

A.