0

I'm using Ubuntu 16.04 server, Python 2.7.12, and Apache 2.4.18 in a DigitalOcean Droplet.

I uploaded an index.py to the web root. The contents of the script are as follows:

```python
#!/usr/bin/python
# -*- coding: utf-8 -*-

# Turn on debug mode.
import cgitb
import platform
cgitb.enable()

# Print necessary headers.
print "Content-Type: text/html\n"
print "<html><body>Python Version: %s</body></html>" % (platform.python_version())
```

If I set the index.py to 644 (without execution rights), the script will return 500 Internal Server Error. The log said:

```
[Fri Dec 28 04:05:18.035946 2018] [cgi:error] [pid 29045] [client 202.75.86.173:54912] End of script output before headers: index.py
```

From another answer, it is suggested that I should add permission rights via `chmod +x index.py`:

```
-rwxr-xr-x 1 root www-data  254 Dec 28 04:05 index.py
```

After adding execution rights, the Python script can be run without problem.

  1. Am I doing this right?
  2. Will this lead to a security problem?

Here is the Apache site config:

```apache
<VirtualHost *:80>
    ServerName abc.example.com
    DocumentRoot /var/www/vhosts/abc.example.com

    <Directory /var/www/vhosts/abc.example.com/>
        Options -Indexes
        Options +ExecCGI
        DirectoryIndex index.py
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    AddHandler cgi-script .py

    ErrorLog ${APACHE_LOG_DIR}/abc-apache2.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access-logfile.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =abc.example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

UPDATE:

This question is not about the error I encountered; as I mentioned in the question, I already got my script working. I am just worried about the security. In short, not a duplicate.

Raptor
  • Possible duplicate of [Apache CGI in user directory "End of script output before headers"](https://stackoverflow.com/questions/28265735/apache-cgi-in-user-directory-end-of-script-output-before-headers) – digijay Dec 28 '18 at 09:23
  • @digijay in that question, it does not mention execution rights. Also, it's about CGI, not Python, though both use the same CGI mechanism. – Raptor Dec 28 '18 at 09:37
  • thanks for pointing it out, I've retracted the flag. – digijay Dec 28 '18 at 17:45

1 Answer

1

1. Yes, you're doing it right.

You told Apache to execute .py files as cgi-script. It means Apache will "execute" your index.py file if it is authorized to. Then you must give Apache the right to execute your Python file.

In your index.py file there is a shebang that indicates to Apache which interpreter to use to execute this file.

2. In your case you can set good security like this:

```shell
chown www-data:www-data index.py
chmod 550 index.py
```

Then root and only root is able to modify or delete the file. And only the Apache user and Apache group are able to read or execute the script (supposing your Apache user/group is www-data).

Nico
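
An added example, not part of the original question or answer: a POSIX shell check that reports what a given mode and ownership let the web server account do with a CGI script. The names `classify` and `audit_cgi` and the finding labels are made up for this example; it assumes `www-data` as the Apache user and group (as the answer does), treats the web user as a member of that one group only, ignores ACLs, and uses the GNU `stat -c` form found on Ubuntu.

```shell
#!/bin/sh
# Added example: what do a CGI script's mode and ownership let the web
# server account do? www-data is the user/group assumed in the answer.

# classify MODE OWNER GROUP WEBUSER WEBGROUP -> space-separated findings
classify() (
    mode=$((0$1))                      # leading 0 makes the mode octal
    findings=""
    # Pick the permission triplet the kernel applies to the web user:
    # owner bits if it owns the file, else group bits, else "other" bits.
    if [ "$2" = "$4" ]; then
        bits=$(( (mode >> 6) & 7 ))
        # A file's owner can always chmod it, so missing w is not final.
        findings="owner-can-chmod"
    elif [ "$3" = "$5" ]; then
        bits=$(( (mode >> 3) & 7 ))
    else
        bits=$(( mode & 7 ))
    fi
    # r and x are both needed: the kernel execs the file and the
    # interpreter named in the shebang then has to read it.
    [ $(( bits & 5 )) -eq 5 ] || findings="$findings not-runnable"
    [ $(( bits & 2 )) -eq 0 ] || findings="$findings web-user-writable"
    [ $(( mode & 2 )) -eq 0 ] || findings="$findings world-writable"
    [ $(( mode & 07000 )) -eq 0 ] || findings="$findings setuid-setgid-or-sticky"
    echo "${findings# }"
)

# audit_cgi FILE [WEBUSER] [WEBGROUP] -> classify the file's real metadata
audit_cgi() (
    meta=$(stat -c '%a %U %G' -- "$1") || exit 2   # GNU stat, as on Ubuntu
    wuser=${2:-www-data}
    wgroup=${3:-www-data}
    set -- $meta
    classify "$1" "$2" "$3" "$wuser" "$wgroup"
)

# Stand-alone use: ./audit.sh /var/www/vhosts/abc.example.com/index.py
if [ "$#" -gt 0 ]; then
    audit_cgi "$@"
fi
```

For the listing in the question (`-rwxr-xr-x root www-data`) it prints nothing, for mode 644 with the same ownership it prints `not-runnable`, and for `chown www-data:www-data` with `chmod 550` it prints `owner-can-chmod`.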