TDC597 Linux-based Network Management, Lecture Four: CGI

Description:

ScriptAlias /cgi-bin/ '/usr/local/apache2/cgi-bin/' URL: http://140.192.40.4: ... Any files with suffix .cgi is an executable script. 08/01/07. 8. tdc597Linux-04 ... – PowerPoint PPT presentation

Provided by: Pau1191
Transcript and Presenter's Notes

1
TDC597 Linux-based Network Management
Lecture Four - CGI
  • James T. Yu, Ph.D.
  • jyu_at_cs.depaul.edu
  • School of CTI
  • DePaul University

2
Web Application
Web Server
Client (Web Browser)
Internet
HTTP Request
Static HTML Files
HTTP Response
<HTML> <BODY> <H1>Hello World!</H1> </BODY> </HTML>
Hello World!
3
CGI Application(Common Gateway Interface)
Database
Web Server
Client (Web Browser)
query
data
CGI Applications
Internet
CGI Call
dynamic HTML Files
HTTP Request
CGI Response
HTTP Response
4
CGI Environment
web configuration data: <webhome>/conf/httpd.conf
Web Server
cgi-bin directory: <webhome>/cgi-bin/first.pl
Client Web Browser
web site directory: /home/<user>/public_html/example.html
5
CGI-BIN Location (default)
httpd.conf:
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
URL: http://140.192.40.4:8008/cgi-bin/demo/printenv
Script Location: /usr/local/apache2/cgi-bin/demo/printenv
6
CGI-BIN Location (2)
httpd.conf:
<Directory /home/*/public_html>
    Options ExecCGI
    AddHandler cgi-script .cgi
</Directory>
7
CGI-BIN Location (3)
# for the TDC597 Class
<Directory /home/tdc597/student/*/public_html>
    Options ExecCGI
    AddHandler cgi-script .cgi
</Directory>
Any file with the suffix .cgi is an executable script.
8
What are UID and GID of the Web?
httpd.conf:
<IfModule !mpm_winnt.c>
<IfModule !mpm_netware.c>
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
User nobody
Group nobody
#Group #-1
</IfModule>
</IfModule>
/etc/passwd:
nobody:x:99:99:Nobody:/:/sbin/nologin
9
Protection of CGI Scripts
  • Script Owner: readable, writable, and executable
  • Script Group: nobody, readable and executable
  • Other: no access permission (chmod o-rx)
  • Note: you must protect your scripts from being
    read by others
  • See examples in jyu/public_html/hw04

10
Protection of CGI Scripts (cont.)
# login to your Linux account
cd public_html
mkdir hw04
chmod o-rx hw04               # no access permission for others
supercmd chgrp nobody hw04
chmod g+rx hw04               # enable access permission for group (nobody)
# all files in hw04 should have the same access permission as hw04
11
supercmd
  • A private tool (developed by James Yu)
  • User ID vs. Effective User ID
  • Each command has an owner, and the owner of
    supercmd is root (uid=0)
  • Enable the S-bit of supercmd:
  • sudo chmod +s supercmd
  • When a user executes this command, the effective
    User ID is root. In other words, the user is
    given temporary root privilege when executing
    this command.
  • Example: supercmd chgrp nobody <filename>

12
Perl and CGI-BIN
  • 90% of the active content on the Web is generated
    via Perl in some manner.
  • Ref: (Perl, Web Review,
    http://www.webreview.com/pub/freeware/perl.html)

13
CGI-BIN Environment Variables
  • %ENV: the hash array of environment variables
  • $ENV{SERVER_SOFTWARE}
  • $ENV{SERVER_NAME}
  • $ENV{SERVER_PROTOCOL}
  • $ENV{SERVER_PORT}
  • $ENV{QUERY_STRING}: query information of the URL (the data following ?)
  • $ENV{REMOTE_ADDR}

14
Example: Show the content of %ENV
15
CGI and Forms
  • Design an HTML form
  • User enters the data via the HTML form
  • The CGI script collects the data and saves the
    data to a file
  • Example
  • Distance learning students are given the option
    to receive their exam paper by submitting a fax
    number
  • Students need to submit a fax number for each
    class, even if the fax number is the same.

16
Application Design
/home/jyu/public_html/tdc
CGI-BIN Script
HTML Form Design
User Entered Data
SubmitFax.cgi
FaxNumber
index.html
Group: nobody, Permission: rw- rw- ---
17
HTML Form
18
CGI Script
19
CGI Script Read Data
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
The form data is from <STDIN> and it is a scalar
string of characters. It is now saved into the
variable $buffer.
20
Create a Hash Array of Data
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $FORM{$name} = $value;
}
  • The delimiter of the string to separate user
    variables is &.
  • name1=value1&name2=value2
  • The hash array is %FORM.

21
A problem with data
blank 40 _at_ 3A !
22
Solution
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
23
Set the data into Variables
$name = $FORM{'name'};
$id = $FORM{'id'};
$fax = $FORM{'fax'};
$email = $FORM{'email'};
$course = $FORM{'course'};
24
Show the Data for Confirmation
print "Content-type: text/html\n\n";
print "Your Name: $name <br> \n";
print "Your Student ID: $id <br> \n";
print "Your Fax: $fax <br> \n";
print "Your E-Mail: $email <br> \n";
print "Course ID: $course \n";
print "<HR>";
print "<a href=http://140.192.40.4:8008/jyu/tdc/index.html>Return</a>";
25
write the data to a file
open(FILEWRITE, ">> /home/jyu/public_html/tdc/FaxNumber");
print FILEWRITE "$name:$id:$fax:$email:$course\n";
close FILEWRITE;
# >> : attach the data to the end of the file
26
Create a Time Stamp
($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime(time);
$mon++;
$year = $year + 1900;
--------------------------------------
open(FILEWRITE, ">> /home/jyu/public_html/tdc/FaxNumber");
print FILEWRITE "$name:$id:$fax:$email:$course:$year-$mon-$mday\n";
close FILEWRITE;
27
File Permission
The file must be writable by nobody.
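Added example (not part of the original slides): the parsing steps from slides 19 to 23 with a per-field allowlist applied before the record is appended, so a submitted value cannot carry the field delimiter or a line break into the data file. The ':' delimiter, the field patterns, the sample request bodies and the temporary file standing in for FaxNumber are assumptions of this example.

```perl
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempfile);
# Decode a form body with the slides' two substitutions ('+' and %XX).
sub parse_form {
    my ($buffer) = @_;
    my %form;
    foreach my $pair (split /&/, $buffer) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $value;
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $form{$name} = $value;
    }
    return %form;
}

# Allowlist per field (assumed patterns); none admits ':' or a line break.
my @fields = qw(name id fax email course);
my %rule = (
    name   => qr/\A[A-Za-z][A-Za-z .'-]{0,59}\z/,
    id     => qr/\A[0-9]{5,10}\z/,
    fax    => qr/\A[0-9() .-]{7,20}\z/,
    email  => qr/\A[A-Za-z0-9._+-]+\@[A-Za-z0-9.-]+\z/,
    course => qr/\A[A-Za-z]{2,4}[0-9]{3}\z/,
);

# Return the record line, or undef if a field is missing or fails its rule.
sub make_record {
    my (%form) = @_;
    for my $f (@fields) {
        return unless defined $form{$f} && $form{$f} =~ $rule{$f};
    }
    return join(':', @form{@fields}) . "\n";
}

# Constructed bodies; the second name decodes to "x\nFake Name:0000000".
my ($tmp, $path) = tempfile(UNLINK => 1);    # stand-in for the FaxNumber file
for my $body ('name=Jane+Doe&id=1234567&fax=312-555-0100&email=jane%40example.edu&course=TDC597',
              'name=x%0AFake+Name%3A0000000&id=1234567&fax=312-555-0100&email=a%40b.edu&course=TDC597') {
    my $rec = make_record(parse_form($body));
    if (!defined $rec) { print "rejected\n"; next; }
    open(my $fh, '>>', $path) or die "open: $!";
    flock($fh, LOCK_EX)       or die "flock: $!";    # one writer at a time
    print {$fh} $rec;
    close($fh)                or die "close: $!";
    print "stored: $rec";
}
```

The first body is stored as one record; the second is rejected because its decoded name contains a line break and the delimiter.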
28
Display Data on the Web (1)
open(DATAFILE, "< /home/jyu/public_html/tdc/FaxNumber");
while ( $linebuf = <DATAFILE> ) {
    chomp($linebuf);    # remove <CR> char
    my @arr = split(/:/, $linebuf);
    $id = $arr[1];
    if ( length($id) < 5 ) {
        print "Invalid Student ID $id > $linebuf\n";
        next;
    }
    $hashTable{$id} = "$arr[0]:$arr[2]:$arr[3]:$arr[4]:$arr[5]";
}
close DATAFILE;
29
Display Data (2)
print "Content-type: text/html\n\n";
print "<HTML>";
print "<BODY>";
print "<H1 align=center>Submitted Student Fax Number</H1>";
print "<Table align=center border=2>\n";
print "<TH>Name</TH>";
print "<TH>Student ID</TH>";
print "<TH>Fax Number</TH>";
print "<TH>E-Mail</TH>";
print "<TH>Course</TH>";
print "<TH>Timestamp</TH>\n";

foreach $x (sort (keys %hashTable) ) {
    my @yy = split(/:/, $hashTable{$x});
    print "<TR>\n";
    print "<TD>$yy[0]</TD>";
    print "<TD>$x</TD>";
    print "<TD>$yy[1]</TD>";
    print "<TD>$yy[2]</TD>";
    print "<TD>$yy[3]</TD>";
    print "<TD>$yy[4]</TD>";
    print "</TR>\n";
}
print "</TABLE>\n";
print "</BODY>";
print "</HTML>";
30
Sample Output
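Added example (not from the original slides): the display step with every field HTML-escaped before it is written into the table, so stored text is shown as text and is not interpreted as markup by the browser. The six-field ':'-separated layout and the sample records are constructed for this example.

```perl
use strict;
use warnings;

# Replace the five characters that are significant in HTML text and attributes.
sub escape_html {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Turn stored records (name:id:fax:email:course:timestamp) into table rows.
# Lines with the wrong field count or a short ID are skipped, not echoed.
sub render_rows {
    my (@lines) = @_;
    my %by_id;
    for my $line (@lines) {
        chomp $line;
        my @arr = split /:/, $line, -1;
        next unless @arr == 6 && $arr[1] =~ /\A[0-9]{5,}\z/;
        $by_id{$arr[1]} = [ @arr[0, 2 .. 5] ];
    }
    my $html = '';
    for my $id (sort keys %by_id) {
        my ($name, @rest) = @{ $by_id{$id} };
        my @cells = map { sprintf('<TD>%s</TD>', escape_html($_)) } ($name, $id, @rest);
        $html .= '<TR>' . join('', @cells) . "</TR>\n";
    }
    return $html;
}

# Constructed file contents: an ordinary record, a record whose name field
# holds markup, and a record with an ID that is too short.
my @stored = (
    "Jane Doe:1234567:312-555-0100:jane\@example.edu:TDC597:2007-8-1\n",
    "<b>Eve</b>:7654321:312-555-0199:eve\@example.edu:TDC597:2007-8-1\n",
    "Bob:12:312-555-0101:bob\@example.edu:TDC597:2007-8-1\n",
);
print "Content-type: text/html\n\n<TABLE border=\"2\">\n", render_rows(@stored), "</TABLE>\n";
```

The second record is rendered with its name as the literal text `&lt;b&gt;Eve&lt;/b&gt;`, and the third is left out of the table.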
31
Confidentiality
  • It is a security issue to show the student ID and
    student name on the public Internet.
  • Requirement: only authenticated users can see
    this information.

32
User Authentication
33
Implementation of User Authentication (1)
httpd.conf
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the
# AllowOverride directive.
AccessFileName .htaccess
34
Implementation (2)
Create a user account with a password.
command: htpasswd
35
TDC597 Only
  • I created a file pw_tdc597 in the passwd
    directory.
  • If you plan to implement user authentication, you
    may add an entry in this password file.
  • supercmd htpasswd pw_tdc597 tdc597sXX
  • where tdc597sXX is your Linux account

36
Implementation (3)
Create a .htaccess file in the web directory.
The .htaccess file must be readable by nobody.
37
Hw04 System Occupancy Analysis
  • Hw04 is to design a web to analyze the system
    occupancy (system utilization)
  • The raw data is stored at /home/tdc597/cron/top-mmdd,
    where mmdd is the date of the data collected for a
    given day
  • The command-line version of the Perl program for
    data analysis is available at
    /home/jyu/tdc597/hw04/hw04script.pl
  • Your assignment is to modify the program and make
    it work in the CGI environment.

38
Top: display Linux tasks
39
Hw04 web site
User Registration
Data Analysis
40
Hw04 Directory Structure
41
Program Development
  • register.cgi
  • Follow the example of http://140.192.40.4:8008/jyu/tdc
  • The Perl code is located at
    /home/jyu/public_html/tdc/SubmitFax.cgi
  • hw04script.cgi
  • Use the code hw04script.pl as the base
  • Modify the segment of input parameters
  • Check for registered users only
  • Modify the segment of output (print HTML code)

42
Sample Output
43
Notes on Text Files for Data Storage
  • Data operations: insertion (add), deletion,
    modification, and read/print
  • Text files are appropriate to collect on-line
    data if users do not have the permission to
    modify or delete the data.
  • Administrators do not need to use the web
    interface to add, modify, or delete data.
  • If users are given permission to modify or delete
    data over the web interface, text files are not
    appropriate.
  • A relational database (such as mysql) is needed
    for more advanced data operations and analysis.