DaemonForums  

  #1   (View Single Post)  
Old 18th December 2013
vdubjunkie vdubjunkie is offline
Port Guard
 
Join Date: Feb 2009
Posts: 17
Thanked 0 Times in 0 Posts
Default Web accessible PERL scripts requiring TTY

I'm developing a suite of utilities which hinge upon the ability to create SSH tunnels that will ultimately be available to end users on our intranet. I've reached the point of making the data available to the apache server on which the scripts are being developed.

The script works until I try to have the web server run it as a CGI. At that point I get the following error.

Code:
IO::Tty::open_slave(nonfatal): open(/dev/ttyp6): Permission denied at /usr/local/libdata/perl5/site_perl/i386-openbsd/IO/Pty.pm line 24.

Clearly the www user doesn't have rights to open a TTY. I'm all about security, and I wouldn't even consider hacking away at this sort of precaution if this weren't a server which will only be accessible by another server using it to obtain the data to embed in its own pages.

Does anybody know whether there is just a way around the www user being unable to open a TTY or whether I would actually need to run apache as another user? If so, how do I do that?
__________________
anything done in the GUI is done more efficiently in cli
  #2   (View Single Post)  
Old 20th December 2013
vdubjunkie vdubjunkie is offline
Port Guard
 
Join Date: Feb 2009
Posts: 17
Thanked 0 Times in 0 Posts
Default abridged

In case I used too many words, I'm looking to either give the www user the ability to open TTYs or change which user runs the apache daemon. I understand the risks, and have sufficient precautions planned.

Can anybody help advise how to make one of these solutions happen?
__________________
anything done in the GUI is done more efficiently in cli
  #3   (View Single Post)  
Old 21st December 2013
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,154
Thanked 182 Times in 149 Posts
Default

Probably it is of no use in your case, but there is an option called -o RequestTTY.
I am not sure if the ssh -t option could solve your issue.
Code:
     -t      Force pseudo-tty allocation.  This can be used to execute
             arbitrary screen-based programs on a remote machine, which can be
             very useful, e.g. when implementing menu services.  Multiple -t
             options force tty allocation, even if ssh has no local tty.
Or maybe in combination with some dangerous sudo magic.

A similar issue can be found at http://stackoverflow.com/questions/6...-expect-object
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
  #4   (View Single Post)  
Old 27th December 2013
vdubjunkie vdubjunkie is offline
Port Guard
 
Join Date: Feb 2009
Posts: 17
Thanked 0 Times in 0 Posts
Default

J65nko,

Thanks for the reply. I did see that post. It is the most promising thing I've found thus far. However, they are talking about SELinux. I don't know if/how this would translate.

At this point I'm thinking my best bet may be trying to contact the right OBSD programmer to find out if/how I can adjust the www user or apache daemon to use another user.
__________________
anything done in the GUI is done more efficiently in cli
  #5   (View Single Post)  
Old 27th December 2013
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,154
Thanked 182 Times in 149 Posts
Default

If you read openpty(3) you will find that it needs /dev/pt* files. If you run the native OpenBSD Apache webserver chrooted it does not have a /dev/ hierarchy in its chroot location /var/www.

Maybe you could create a minimal demo script and post it to the OpenBSD misc mailing list and ask for advice.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
  #6   (View Single Post)  
Old 9th February 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,154
Thanked 182 Times in 149 Posts
Default

On the mailing list you were advised to use a daemon and to communicate with it using a socket.

In Perl this is not so difficult to do; the "Programming Perl" and "Perl Cookbook" books have examples of how to write such daemons.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
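
The daemon-plus-socket design mentioned in the last post, sketched as an added example that is not part of any post in this thread: a helper daemon runs outside the httpd chroot as a dedicated user that may open ptys, and the CGI only sends it a tunnel name over a Unix socket. The socket path, the tunnel names and the `/usr/local/libexec/open-tunnel.pl` script (standing in for the existing pty-using script) are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::UNIX;
use Socket qw(SOCK_STREAM);

# Assumed values, not from the thread. The socket lives under /var/www so a
# chrooted CGI can reach it by setting TUNNELD_SOCK=/run/tunneld.sock.
my $SOCK    = $ENV{TUNNELD_SOCK} || '/var/www/run/tunneld.sock';
my %TUNNELS = (
    db   => ['/usr/local/libexec/open-tunnel.pl', 'db'],
    logs => ['/usr/local/libexec/open-tunnel.pl', 'logs'],
);

# Daemon side: started outside the chroot by a user allowed to open ptys.
sub serve {
    $SIG{PIPE} = 'IGNORE';    # a client that hangs up must not kill the daemon
    unlink $SOCK;
    my $old = umask 0117;     # socket is created with mode 0660
    my $srv = IO::Socket::UNIX->new(Type => SOCK_STREAM, Local => $SOCK, Listen => 5)
        or die "bind $SOCK: $!";
    umask $old;
    while (my $c = $srv->accept) {
        my $line = <$c> // '';
        $line =~ s/\r?\n\z//;
        # Only exact names from the table are accepted; nothing the client
        # sends is ever placed on a command line.
        if (my $argv = $TUNNELS{$line}) {
            my $rc = system { $argv->[0] } @$argv;    # list form, no shell
            print {$c} ($rc == 0 ? "OK\n" : "ERR helper failed\n");
        } else {
            print {$c} "ERR unknown tunnel\n";
        }
        close $c;
    }
}

# CGI side: needs no tty, only permission to connect to the socket.
sub request {
    my ($name) = @_;
    my $c = IO::Socket::UNIX->new(Type => SOCK_STREAM, Peer => $SOCK)
        or return "ERR connect: $!";
    print {$c} "$name\n";
    my $reply = <$c> // "ERR no reply\n";
    chomp $reply;
    return $reply;
}

my $mode = shift(@ARGV) // '';
if    ($mode eq 'serve')   { serve() }
elsif ($mode eq 'request') { print request(shift(@ARGV) // ''), "\n" }
else                       { die "usage: $0 serve | request NAME\n" }
```

With this split the www user keeps its restrictions and httpd stays chrooted; the only thing exposed to the web side is a fixed list of tunnel names.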