[gopher] Another batch of Motsognir questions

Kim Holviala kim at holviala.com
Mon Jan 4 16:45:50 UTC 2016


Yep, things work slightly differently with Gophernicus. It doesn't use the .cgi extension but needs a /cgi-bin/ directory for scripts - the exception being that you can run scripts from inside gophermaps anywhere you want. And I did consider the symlink security thing back when I was coding that part of Gophernicus and decided against any checking because as long as you keep your directory access rights correct there's no security problem.

Security is always a compromise vs conveniency (is that a word? :D), and we just chose different paths.


- Kim


> On 04 Jan 2016, at 16:20, Martin Kukac <logout128 at gmail.com> wrote:
> 
> Hello Mateusz,
> 
> thanks for the quick response.
> 
> 1. Even though I'm from Mac back on PC for most of the time, I still forget about extensions :-) Scripts had the correct permissions, correct shebang and when I tried to run them from bash, they worked. Gophernicus apparently didn't care about extensions and just used whatever output executable file returned. After renaming to *.cgi everything works, so for me it's solved.
> 
> 2. For me both variants are OK, the list of "gopher-served directories" sounds more secure though, so I would go with that.
> 
> Martin
> 
> 
> 
> On 01/04/2016 01:29 PM, Mateusz Viste wrote:
>> Hi Martin,
>> 
>> 1. The extension of the file matters. Try renaming your *.sh to *.cgi -
>> does it work then? Do not forget to have the file marked as executable
>> (chmod +x) and declare a correct shebang inside it (#!/bin/sh)
>> How would you see it done another way? I'd be willing to adapt this if
>> there's a way that would be significantly more user friendly.
>> 
>> 2. Indeed motsognir doesn't allow access to anything that is not inside
>> the gopher root, because... well, just because :) if something is not
>> inside the gopher root, then it's not supposed to be offered by gopher.
>> 
>> If you think it would be useful, I can add a feature that would disable
>> symlink resolution while performing evasion detection checks. OR - maybe
>> better - allow declaring a list of "gopher-served directories", where
>> you could declare all non-gopher-root directories that are likely to be
>> served via symlinks - what do you think?
>> 
>> Mateusz
>> 
>> 
>> 
>> On 04/01/2016 12:55, Martin Kukac wrote:
>>> Hello and happy new year to all!
>>> 
>>> I have some further questions about how (and why) Motsognir works. Even
>>> though I could send it directly to Mateusz, I'm asking here, because it
>>> may help others in the future. I hope y'all don't mind.
>>> 
>>> 1. external scripts
>>> 
>>> On my gopher server I have bash, perl and PHP scripts and they do not
>>> behave the same way. I include all of them in the gophermap using "=",
>>> all of them have 755 permissions, but only PHP seems to work.
>>> 
>>> To test it I placed this in the gophermap:
>>> 
>>> =test.pl
>>> =test.sh
>>> =test.php
>>> 
>>> All files had just a single line of code, printing "iTest.PL",
>>> "iTest.SH" and "iTest.PHP". The resulting gophermap returned to the
>>> client contained only the PHP output; in /var/log/messages I found
>>> 
>>> Jan  4 12:34:47 i-logout journal: motsognir [46.13.138.74][11235]:
>>> running server-side app '/var/gopher/test.php'
>>> 
>>> Nothing else. What am I missing? I can rewrite all scripts to PHP if I
>>> have to, but isn't there another way?
>>> 
>>> 
>>> 2. directories outside GopherRoot
>>> 
>>> When using Gophernicus, I had some directories all over the filesystem
>>> symlinked to GopherRoot and listed through gopher. Motsognir seems to
>>> prevent this because it thinks it is evasion attempt:
>>> 
>>> Jan  4 12:50:44 i-logout journal: motsognir [46.13.138.74][11396]:
>>> Requested resource: /software/ / Local resource: /var/gopher/software/
>>> Jan  4 12:50:44 i-logout journal: motsognir [46.13.138.74][11396]:
>>> Evasion check: path '/var/gopher/software/' (/var/ftp/pub/) do not seem
>>> to belong to '/var/gopher/'
>>> Jan  4 12:50:44 i-logout journal: motsognir [46.13.138.74][11396]:
>>> Evasion attempt. Forbidden!
>>> 
>>> Is this necessary? I can't imagine how there could be a symlinked folder
>>> without my knowledge, so this could probably be allowed.
>>> 
>>> Thanks for the help.
>>> 
>>> Martin
> 
> 
> 
> _______________________________________________
> Gopher-Project mailing list
> Gopher-Project at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/gopher-project
> 
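The evasion check the thread is about (resolve symlinks, then refuse any path that does not end up under the gopher root) together with the proposed list of extra "gopher-served directories", as an added Python illustration that is not Motsognir's or Gophernicus's own code; the directory layout (a root with a `software` symlink pointing at an `ftp/pub` directory outside it) is constructed in a temporary directory.

```python
import os
import tempfile

def resolve_request(gopher_root, request, allowed_dirs=()):
    """Map a gopher selector onto a local path, refusing anything whose
    symlink-resolved location lies outside the gopher root or the
    allow-list. Returns the resolved local path, or None when refused."""
    root = os.path.realpath(gopher_root)
    # lstrip("/") so an absolute selector cannot replace the root;
    # realpath() then resolves ".." components and symlinks.
    local = os.path.realpath(os.path.join(root, request.lstrip("/")))
    for base in (root, *(os.path.realpath(d) for d in allowed_dirs)):
        # commonpath() compares whole path components, so "/var/gopher2"
        # is not mistaken for a child of "/var/gopher" the way a plain
        # string-prefix test would be.
        if os.path.commonpath([base, local]) == base:
            return local
    return None  # the "Evasion attempt. Forbidden!" case

def demo():
    """Constructed layout mirroring the thread: <tmp>/gopher is the root,
    <tmp>/gopher/software is a symlink to <tmp>/ftp/pub outside it."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "gopher")
    pub = os.path.join(tmp, "ftp", "pub")
    os.makedirs(root)
    os.makedirs(pub)
    os.makedirs(os.path.join(tmp, "gopher2"))  # sibling with a common prefix
    os.symlink(pub, os.path.join(root, "software"))
    return {
        "root_served": resolve_request(root, "/") == os.path.realpath(root),
        "symlink_refused": resolve_request(root, "/software/") is None,
        "symlink_allowed": resolve_request(root, "/software/", [pub])
                           == os.path.realpath(pub),
        "dotdot_refused": resolve_request(root, "/../ftp/pub") is None,
        "sibling_refused": resolve_request(root, "/../gopher2") is None,
    }
```

With the allow-list empty the symlinked directory is refused exactly as in the log above; listing its real target in `allowed_dirs` is what makes it served.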
