mchttpd Question
Rich Mooney
tech at paynesparkman.com
Wed Jul 3 14:13:00 EDT 2002
Here is an old thread which I saved and which may answer some of your
questions. I haven't tried to use this information myself yet.
Re: Installing MC at your ISP, a "How-To"
From: slord
Subject: Re: Installing MC at your ISP, a "How-To"
Date: Wed, 13 Jun 2001 10:40:36 -0700
Just a little warning to all the newbies and some experienced users
out there. mchttpd is great but it does not *yet* have a wrapper for it.
What does that mean? Well, what it means is
that if a real malicious MetaCard user wanted to they could write a
script to use mchttpd to help them spew out spam or worse - delete anything
on the server or take control of the
server.
I'm not trying to throw anyone into a panic here, but if you go
install this *willy nilly* on your provider's server then you *are*
installing a back door to that server. We own and
operate our own server so we are willing to take the chance that no
one here is that malicious. Since we know MetaCard, we scan for trouble,
your provider likely knows nothing
about MC's existence. But if there is a malicious user out there,
and they take out your provider's server - you may be in for a nasty
lawsuit.
If it's *not* your own server, wait until mchttpd has a proper
wrapper before installing it yourself.
Ok, so what *is* a CGI wrapper? Well, here is a definition for
CGIWrap:
CGIWrap is a gateway program that allows general users to use
CGI scripts and HTML forms without compromising the security of the http
server. Scripts are run with
the permissions of the user who owns the script. In addition,
several security checks are performed on the script, which will not be
executed if any checks fail.
CGIWrap is used via a URL in an HTML document. As distributed,
cgiwrap is configured to run user scripts which are located in the
~/public_html/cgi-bin/ directory.
As I said, mchttpd has no such *wrapper*, which means there are no
measures in place to prevent someone from running scripts that will
adversely affect the server it's on. Right now,
it can be run from anywhere (as you can see on our server!). And if
you launched it as a user with admin privileges, cross your fingers.
For more information go here: http://cgiwrap.unixtools.org/
Play safe, we consider mchttpd experimental until it's *wrapped*.
On Wednesday, June 13, 2001, at 12:40 PM, Sadhunathan Nadesan
wrote:
CONTEXT:
On UNIX, Metacard can be used as both a GUI development
environment as
well as a CGI scripting language. If you running your own UNIX
machine,
it's fairly trivial to set it up for either use, using the
supplied
install script and the instructions.
If you are not using your own machine, but are hosted
elsewhere, such
as on an ISP over the Internet, its likely not appropriate to
attempt
X-Windows development, however, CGI scripting is very
feasible. If you
have access to a shell account with reasonable permissions
(telnet or
ssh), again, its a snap to install, or if not, and your ISP is
willing
to install it, they should have no trouble. They can just
download the
necessary files and run install.sh.
PROBLEM:
What if you have no shell account access, and your ISP says
something like
'gosh, give us a few months to evaluate this, it is a possible
security
risk, and by the way, its going to COST you..'. Are you out of
luck?
Maybe not. If they allow you to install and run your own CGI
programs
using FTP, then, you can still use MC as a CGI scripting
language and
get it up and running without their help. You might need a bit
of help
from your friends though, depending on how much UNIX
experience you
have. The following describes how I got it working on our ISP.
SOLUTION:
The key fact is that, to use MC on your ISP's host, you only
need one
file: mc. The file "mc" is the Metacard engine, or
interpreter.
Writing an MC script is similar to writing a Borne shell or
Perl script,
where the first line indicates the location of the
interpreter.
Therefore, all you have to do is get the right interpreter for
your ISP's
host, put it in the right place, and correctly refer to this
place in
your metatalk scripts, and bingo, you are using MC on your web
pages.
As indicated on the www.metacard.com site, use of MetaCard as
a
script-only (non-graphical) language is FREE on all UNIX
systems: no
license is required. This in turn means that it is supplied as
a binary
file, not as source code. So, you don't have to compile it.
All you
have to do is get the right version, it is supplied
pre-compiled. You
may need a bit of help to determine this.
In our case, our ISP was running Sun OS, and this operating
system
only runs on Sparc processors, so the file we needed to
download was
sparc.tar. This is an archive made using the ubiquitous Unix
tar program,
and here again, you may need some help from your friends to
unpack it. In
our case, I just ftp'd it to my Linux computer and ran the
command
tar xf sparc.tar
This gave me several files, namely, mc.gz, xanim.gz, and
gunzip. The
gunzip was useless on my Linux (Intel) machine being compiled
for Sparc,
but in any case, the only file needed is the mc.gz file. This
in turn
is another compressed archive made with the GNU gzip program.
So again,
depending on your ability to uncompress standard Unix
archives, you may
need some help or have to acquire some tools. I simply ran the
command
gunzip mc.gz
which produced the file I needed, mc.
On the other hand, perhaps Kevin or Scott or some kind soul
will put the
uncompressed, ready to run versions of MC for all processors
on their
ftp site so that all the decompressing steps would be
unnecessary.
Next, ftp the mc file to the place your cgi scripts can run
from,
typically public_html/cgi-bin. Set the correct permissions to
make it
executable. For example, on our ISP it has to be chmod 700 or
chmod 755.
(chmod 777 is a security violation and programs with these
permissions
will not run on our site). You next have to determine what is
the actual
location, that is, the absolute path name, of your mc engine.
In our case, our ISP supports SSI (server side includes) so
the
pathname was determined by building a test html page using pwd
(print working directory) as an ssi command. More details on
this
below. In our case, the full path name turned out to be
something like
/export/vhost/org/g/ourhostname/www/public_html/cgi-bin and
therefore,
the first line of our mc scripts has to be:
#!/export/vhost/org/g/ourhostname/www/public_html/cgi-bin/mc
To summarize, get the right mc file, put it in the right place
on your
ISP, and set executable permissions. That is all there is to
it!! Then,
you can write any MC scripts using the right first line to
point to the
mc file, again, making them executable.
Regards,
Sadhunathan Nadesan
CIO, Cast & Crew
PS, Some helpful files:
This simple script can be installed as a cgi on your host to
help
find the correct pathname. For example, you could call it
pwd.cgi.
.................cut here....................
#!/bin/sh
# write minimal set of HTTP headers to stdout
echo "Content-Type: text/plain"
echo ""
pwd
.................cut here....................
If your ISP supports SSI, then you can use a web page like
this to find
out the real path name of pwd.cgi. There are other ways, such
as perhaps
a POST command from an MC stack. Here's the page I used:
...................... cut here ..................
<HTML>
<HEAD>
<TITLE>Sadhunathan Nadesan's Echo Test Page</TITLE>
</HEAD>
<!-- Background white, links blue (unvisited), navy (visited),
red (active) -->
<BODY
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#000080"
ALINK="#FF0000"
<H1 ALIGN="CENTER">Sadhunathan's SSI Testing Page</H1>
<p>
<!--#echo var="DATE_LOCAL" -->
<p>
<!--#exec cgi="/cgi-bin/pwd.cgi"-->
<p>
Sadhu set this up to test SSI.
<P ALIGN="CENTER">
<a href="http://www.apache.org/"><IMG
SRC="/icons/apache_pb.gif"
ALT="[ Powered by Apache ]"></a>
</P>
<p>
<!--#echo var="SERVER_SOFTWARE" -->
<p>
<!--#echo var="SERVER_NAME" -->
<p>
</BODY>
</HTML>
.......................cut here............................
If this works, it will return the full path name you need. You
can then
test to see if MC is working by replacing the cgi line in the
above html
page with
<!--#exec cgi="/cgi-bin/echo.cgi"-->
and then test, together with installing a modified version of
the echo.mt
script from the Metacard site. We renamed ours as echo.cgi
(because our
ISP only supports certain extensions as cgi scripts, such as
.sh, .pl,
or .cgi) and we modified the first line of the script to point
to the
mc interpreter, as follows:
......................... cut here ........................
#!/export/vhost/org/g/ourhost/www/public_html/cgi-bin/mc
# This MetaTalk script loops over all the environment
variables
# set by the server when it runs a CGI application printing
out
# its name and value.
on startup
# loop over all of the global variables, getting name and
value
repeat for each item i in the globals
put i && "=" && value(i) & return after buffer
end repeat
# write minimal set of HTTP headers to stdout
read from stdin until empty
put it after buffer
put "Content-Type: text/plain" & cr
put "Content-Length:" && the length of buffer & cr & cr
put buffer
end startup
......................... cut here .....................
Note that our real hostname has been replaced with "ourhost"
and that
this is just an example, you will have to determine the
correct path
on your ISP. And again, this method of testing works only if
your ISP
supports SSI, but any method of calling a cgi script will
work. If the
HTML page shown produces a whole list of environment
variables, then,
MC is working on your host.
Archives:
http://www.mail-archive.com/metacard@lists.runrev.com/
Info: http://www.xworlds.com/metacard/mailinglist.htm
Please send bug reports to <bugs at metacard.com>, not this list.
Follow-Ups:
Re: Installing MC at your ISP, a "How-To"
From: jbv
References:
Installing MC at your ISP, a "How-To"
From: Sadhunathan Nadesan
Rich Mooney
Payne Sparkman Mfg.
shop at paynesparkman.com
----- Original Message -----
From: "Scott Rossi" <scott at tactilemedia.com>
To: "Metacard List" <metacard at lists.runrev.com>
Cc: <pbower at soundmedicine.com>
Sent: Monday, July 01, 2002 10:45 PM
Subject: mchttpd Question
> The question below was sent by Peter J Bower who seems to be having
trouble
> getting his posts to appear on the list. Perhaps some kind folks here can
> respond.
>
> Regards,
>
> Scott Rossi
> Creative Director
>
> Tactile Media, Multimedia & Design
> Email: scott at tactilemedia.com
> Web: www.tactilemedia.com
>
> ------
>
> I just downloaded the metacard mchttpd from ftp.metacard.com
> <ftp://ftp.metacard.com>
> to run on my home network and act as a server.
>
> I have a pc running windows 2000.
>
> In the cgi-bin folder there is a little note that says " Link_MC_here".
>
> Well, I'm not sure what this means. I have installed a copy of the mc
> program in that folder and I can not get it to recognize any *.mt or *.cgi
> programming. What does the "Link MC Here" mean?
>
> another question: In this situation on a pc what would the first line in
> the cgi script look like to
> find the mc engine?
>
> The actual location of my MC program is C:\Program Files\Metacard\Program\
>
> What's a fella to do?
>
> -----
>
> _______________________________________________
> metacard mailing list
> metacard at lists.runrev.com
> http://lists.runrev.com/mailman/listinfo/metacard
More information about the metacard
mailing list