[gopher] Another batch of Motsognir questions

Mateusz Viste mateusz at viste.fr
Tue Jan 5 19:09:47 UTC 2016


Hi Martin,

A short update about Motsognir's status:

1. a minute ago I committed a patch to Motsognir's svn that will make it 
execute CGI sub-gophermaps regardless of their extension, so there's no 
requirement to name them as *.cgi any more (unless you want to call them 
outside of gophermaps, too). I think it's more user-friendly this way, 
since the administrator already said "execute this" by using the "=" 
gophermap operator, so there's no point in looking for a *.cgi extension 
on top of that.

2. I think, too, that declaring a list of "allowed non-root gopher 
directories" is the more secure way to go. It's a somewhat complex 
change that I need to triple-test very carefully before making it 
public, so I will probably work on it no sooner than next weekend.

cheers,
Mateusz



On 04/01/2016 15:20, Martin Kukac wrote:
> Hello Mateusz,
>
> thanks for the quick response.
>
> 1. Even though I'm from Mac back on PC for most of the time, I still
> forget about extensions :-) Scripts had the correct permissions, correct
> shebang and when I tried to run them from bash, they worked. Gophernicus
> apparently didn't care about extensions and just used whatever output
> executable file returned. After renaming to *.cgi everything works, so
> for me it's solved.
>
> 2. For me both variants are OK, the list of "gopher-served directories"
> sounds more secure though, so I would go with that.
>
> Martin
>
>
>
> On 01/04/2016 01:29 PM, Mateusz Viste wrote:
>> Hi Martin,
>>
>> 1. The extension of the file matters. Try renaming your *.sh to *.cgi -
>> does it work then? Do not forget to have the file marked as executable
>> (chmod +x) and declare a correct shebang inside it (#!/bin/sh)
>> How would you see it done another way? I'd be willing to adapt this if
>> there's a way that would be significantly more user friendly.
>>
>> 2. Indeed motsognir doesn't allow to access anything that is not inside
>> the gopher root, because... well, just because :) if something is not
>> inside the gopher root, then it's not supposed to be offered by gopher.
>>
>> If you think it would be useful, I can add a feature that would disable
>> symlink resolution while performing evasion detection checks. OR - maybe
>> better - allow to declare a list of "gopher-served directories", where
>> you could declare all non-gopher-root directories that are likely to be
>> served via symlinks - what do you think?
>>
>> Mateusz
>>
>>
>>
>> On 04/01/2016 12:55, Martin Kukac wrote:
>>> Hello and happy new year to all!
>>>
>>> I have some further questions about how (and why) Motsognir works. Even
>>> though I could send it directly to Mateusz, I'm asking here, because it
>>> may help others in the future. I hope y'all don't mind.
>>>
>>> 1. external scripts
>>>
>>> On my gopher server I have bash, perl and PHP scripts and they do not
>>> behave the same way. I include all of them in the gophermap using "=",
>>> all of them have 755 permissions, but only PHP seems to work.
>>>
>>> To test it I placed this in the gophermap:
>>>
>>> =test.pl
>>> =test.sh
>>> =test.php
>>>
>>> All files had just a single line of code, printing "iTest.PL",
>>> "iTest.SH" and "iTest.PHP". The resulting gophermap returned to the client
>>> contained only PHP output; in /var/log/messages I found
>>>
>>> Jan  4 12:34:47 i-logout journal: motsognir [46.13.138.74][11235]:
>>> running server-side app '/var/gopher/test.php'
>>>
>>> Nothing else. What am I missing? I can rewrite all scripts to PHP if I
>>> have to, but isn't there another way?
>>>
>>>
>>> 2. directories outside GopherRoot
>>>
>>> When using Gophernicus, I had some directories all over the filesystem
>>> symlinked to GopherRoot and listed through gopher. Motsognir seems to
>>> prevent this because it thinks it is evasion attempt:
>>>
>>> Jan  4 12:50:44 i-logout journal: motsognir [46.13.138.74][11396]:
>>> Requested resource: /software/ / Local resource: /var/gopher/software/
>>> Jan  4 12:50:44 i-logout journal: motsognir [46.13.138.74][11396]:
>>> Evasion check: path '/var/gopher/software/' (/var/ftp/pub/) do not seem
>>> to belong to '/var/gopher/'
>>> Jan  4 12:50:44 i-logout journal: motsognir [46.13.138.74][11396]:
>>> Evasion attempt. Forbidden!
>>>
>>> Is this necessary? I can't imagine how there could be symlinked folder
>>> without my knowledge, so this could be probably allowed.
>>>
>>> Thanks for the help.
>>>
>>> Martin
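
The evasion check and the proposed list of allowed non-root directories discussed in this thread, sketched as an added example; it is not part of the original messages and not Motsognir's own code. The function names path_within and is_served are hypothetical; the sample paths are the ones in the quoted log lines.

```c
#define _XOPEN_SOURCE 700   /* for realpath() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration; function names are hypothetical, not Motsognir's.
 * Returns 1 if canonical `path` is `dir` itself or lies beneath it.
 * A bare prefix match is not enough: "/var/gopher-old" starts with
 * "/var/gopher" but is a different directory. */
static int path_within(const char *path, const char *dir) {
  size_t n = strlen(dir);
  while (n > 1 && dir[n - 1] == '/') n--;      /* ignore trailing slashes */
  if (strncmp(path, dir, n) != 0) return 0;
  if (n == 1 && dir[0] == '/') return 1;       /* everything is under "/" */
  return path[n] == '\0' || path[n] == '/';    /* end on a component boundary */
}

/* Resolve every symlink in `local`, then serve it only if the real
 * location is under the gopher root or an explicitly allowed directory.
 * Returns 1 = serve, 0 = refuse; any resolution error refuses. */
int is_served(const char *local, const char *root,
              const char *const *allowed, size_t nallowed) {
  char real[PATH_MAX], dir[PATH_MAX];
  size_t i;
  if (realpath(local, real) == NULL) return 0;
  if (realpath(root, dir) != NULL && path_within(real, dir)) return 1;
  for (i = 0; i < nallowed; i++)
    if (realpath(allowed[i], dir) != NULL && path_within(real, dir)) return 1;
  return 0;
}

int main(void) {
  /* Resolved path taken from the log lines quoted in the thread. */
  const char *resolved = "/var/ftp/pub";
  printf("under /var/gopher/ : %d\n", path_within(resolved, "/var/gopher/"));
  printf("under /var/ftp/pub/: %d\n", path_within(resolved, "/var/ftp/pub/"));
  printf("sibling lookalike  : %d\n", path_within("/var/gopher-old/x", "/var/gopher"));
  return 0;
}
```

With only the gopher root configured, the symlinked /software/ directory is refused as in the log; adding /var/ftp/pub/ to the allowed list admits it without turning off symlink resolution for every other path.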




