Developing Features for the Web Management

From Linux Schools Project Documentation

Introduction

This tutorial is designed to help developers who want to add extra features to the web management suite. Some prior knowledge of bash scripting and HTML would be very useful. The practical tasks shown start from the basics, so please skip any that you are already comfortable with. Please also do not be offended if some of the points raised seem blatantly obvious!

Requirements

For the early exercises you will need a working apache web server. Later assignments will need an installed TLSP test server. The easiest option is to install a TLSP server set up as a virtual server for testing purposes.

Section 1 - cgi scripting

Assignment 1 - The Basics

The web management pages are html pages generated by bash cgi scripts.

#!/bin/bash
############################ 
#Show page 
############################ 
echo "Content-type: text/html" 
echo "" 
echo ' 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title>Assignment 1</title></head> 
<body>
Hello World
</body></html>
'


Copy the example above to the cgi-bin folder on your webserver and set the permissions of your script to executable.

Cgi-bin paths

/var/www/cgi-bin
/var/www/cgi-bin_karoshi

Now test the page in a web browser

http://127.0.0.1/cgi-bin/filename

https://127.0.0.1:50001/cgi-bin/filename

Questions

Why do we need to add in comments?

Why is all of the html code enclosed in ' ' quotes?



Assignment 2 - Using Variables

The above example in assignment 1 could just as well have been a static html file rather than a cgi script.

In this assignment we are going to have a separate language file that can be used to store variables in.

#!/bin/bash
############################ 
#Language
############################ 
source /opt/karoshi/web_controls/language/assignment2
############################ 
#Show page 
############################ 
echo "Content-type: text/html" 
echo "" 
echo ' 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title>'$TITLE'</title></head> 
<body>
'$OPENINGMSG'
</body></html>
'

As before, copy the example above to the cgi-bin folder on your webserver and set the permissions of your script to executable.

Create a text file at /opt/karoshi/web_controls/language/assignment2 or some other suitable path that is readable by the apache user and add the following:

TITLE="Add your title here"
OPENINGMSG="Add your opening message here"

Now test your cgi script in your web browser.

Questions

Why does $TITLE need ' ' quotes around it?

Why does the text in the language file have " " quotes around it?


Comments

Lots of coders use very short variable names for efficiency. As a personal choice I much prefer longer variable names since it makes it much easier to read the script afterwards.

Assignment 3 - Creating a form

Now we want the scripts to start collecting information from the user.

This html code will add a box to your page that will allow the user to type in data.

<form action="/cgi-bin/filename.cgi" method="post"> Name 
<input tabindex="1" style="width: 200px;" name="_MYNAME_">
<input value="'$SUBMITMSG'" type="submit">
</form>

Create a cgi script that includes the html code above that asks the user for their name.

Questions

Why are we using “post” rather than “get” to send the information to the server?

Assignment 4 - Getting the information

This assumes that you have got a working cgi script from assignment 3.

You will also need to ensure that <form action="/cgi-bin/filename.cgi" in assignment 3 points to the file you are creating now.

Create a cgi script and copy the code below into it.

#!/bin/bash
############################ 
#Language
############################ 
source /opt/karoshi/web_controls/language/assignment4
########################## 
#Show page 
########################## 
echo "Content-type: text/html" 
echo "" 
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title>'$TITLE'</title></head><body>' 
######################### 
#Get data input 
######################### 
TCPIP_ADDR=$REMOTE_ADDR 
DATA=`cat | tr -cd 'A-Za-z0-9\._:\-'`


The script is not finished yet, but the important line here is DATA=`cat | tr -cd 'A-Za-z0-9\._:\-'`. At this point we have all of the data sent from your html form assigned to a variable called DATA.

Questions

What is the tr -cd command doing and is it important?

Now we need to extract the information from the DATA variable. In this example we are only sending one piece of information but usually there will be more than this.

Copy in the chunk of code below to your cgi script:

######################### 
#Assign data to variables 
######################### 
END_POINT=10
#Assign MYNAME
COUNTER=2 
while [ $COUNTER -le $END_POINT ] 
do 
DATAHEADER=`echo $DATA | cut -s -d'_' -f$COUNTER` 
if [ `echo $DATAHEADER'check'` = MYNAMEcheck ] 
then 
let COUNTER=$COUNTER+1 
MYNAME=`echo $DATA | cut -s -d'_' -f$COUNTER` 
break 
fi 
let COUNTER=$COUNTER+1 
done
echo "your name is $MYNAME"
echo "</body></html>"

Now you can test your script. Access the cgi script from assignment 3, enter your name and press the submit button.

Questions

What happens if I have an underscore in my name?

Assignment 5 - Extending the form

Add in an extra box on your cgi script from assignment 3 to ask your age.


Copy this code in your assignment 4 cgi script

END_POINT=10
#Assign MYNAME
COUNTER=2 
while [ $COUNTER -le $END_POINT ] 
do 
DATAHEADER=`echo $DATA | cut -s -d'_' -f$COUNTER` 
if [ `echo $DATAHEADER'check'` = MYNAMEcheck ] 
then 
let COUNTER=$COUNTER+1 
MYNAME=`echo $DATA | cut -s -d'_' -f$COUNTER` 
break 
fi 
let COUNTER=$COUNTER+1 
done

Paste it below so that it appears twice. Now modify it to capture your new variable.

Assignment 6 - Checking the data

We are now going to do some modifications so that we check the captured data.

Paste this function into your cgi-script from assignment 4 below the DATA=`cat | tr -cd 'A-Za-z0-9\._:\-'` line.

function show_status { 
echo '<SCRIPT language="Javascript">' 
echo 'alert("'$MESSAGE'");' 
echo '</script>' 
echo "</body></html>" 
exit 
}

Add this set of code in a suitable place:

######################### 
#Check data 
######################### 
#Check to see that myname is not blank 
if [ $MYNAME'null' = null ] 
then 
MESSAGE=$ERRORMSG1 
show_status 
fi

Now test that it all works by leaving your name blank and submitting the form.

Modify the script to make sure that only a number is captured from the age field (hint: tr).

Questions

Is there another way of checking if a variable is blank?
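
The parsing loop from assignments 4 and 5 and the checks from assignment 6, collected into functions (an added example, not part of the original tutorial or the Karoshi code). The function names, the expected field count and the sample form data are assumptions; it also shows why a value containing an underscore has to be rejected when fields are split on underscores.

```bash
#!/bin/bash
# Added example, not Karoshi code. All POST bodies below are constructed samples.
END_POINT=10

# The tutorial's whitelist: anything outside it (= & ; $ ` | / spaces ...) is deleted.
sanitise() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9\._:\-'
}

# get_field NAME DATA: the same walk as the tutorial's while loop, for any field name.
get_field() {
    gf_counter=2
    while [ "$gf_counter" -le "$END_POINT" ]; do
        gf_header=$(printf '%s\n' "$2" | cut -s -d'_' -f"$gf_counter")
        if [ "$gf_header" = "$1" ]; then
            printf '%s\n' "$2" | cut -s -d'_' -f"$((gf_counter + 1))"
            return 0
        fi
        gf_counter=$((gf_counter + 1))
    done
    return 1
}

# count_fields DATA: number of underscore-separated fields in the sanitised data.
count_fields() {
    printf '%s\n' "$1" | awk -F_ '{ print NF }'
}

# parse_form BODY: prints "name|age", or returns 1 if a check fails.
# A form with the two inputs _MYNAME_ and _AGE_ always gives exactly 5 fields
# (the first is empty); any other count means a value contained an underscore,
# which would shift every later field and could shadow a field name.
parse_form() {
    pf_data=$(sanitise "$1")
    [ "$(count_fields "$pf_data")" -eq 5 ] || return 1
    pf_name=$(get_field MYNAME "$pf_data") || return 1
    pf_age=$(get_field AGE "$pf_data" | tr -cd '0-9')   # age: digits only
    [ -n "$pf_name" ] && [ -n "$pf_age" ] || return 1   # neither may be blank
    printf '%s|%s\n' "$pf_name" "$pf_age"
}

parse_form '_MYNAME_=alice&_AGE_=12'        # alice|12
parse_form '_MYNAME_=bob;id&_AGE_=1 2'      # bobid|12 (metacharacters and space deleted)
parse_form '_MYNAME_=mary_ann&_AGE_=12' || echo "rejected: unexpected field count"
```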

Assignment 7 - Special Characters

Data transmitted through apache may contain special characters. The tr command will keep them out of the data but there are times when you actually need them.

You can see some of the special characters at the link below:

http://perishablepress.com/press/2007/02/19/url-character-codes/

Modify the tr command in your cgi script from assignment 4 to allow % characters to pass through.

Use the command below to convert %20 to a space character.

MYNAME=`echo $MYNAME | sed 's/%20/ /g'`

Test your script by adding in a full name with a space in it in your form.

Comments

It's better to only convert special characters just before you actually need them.

Section 2 - Web Management Information

Web Management Paths - installation areas

CGI Scripts

/opt/karoshi/serversetup/web_controls/cgi/pdc/admin

/opt/karoshi/serversetup/web_controls/cgi/pdc/tech

/opt/karoshi/serversetup/web_controls/cgi/pdc/staff

/opt/karoshi/serversetup/web_controls/cgi/pdc/all

Language

/opt/karoshi/serversetup/web_controls/language

Sudo scripts

/opt/karoshi/serversetup/web_controls/scripts/exec/pdc

Install Script

/opt/karoshi/serversetup/web_controls/setup_web_controls

Web Management Paths - installed areas

CGI Scripts

/var/www/cgi-bin_karoshi/admin

/var/www/cgi-bin_karoshi/tech

/var/www/cgi-bin_karoshi/staff

/var/www/cgi-bin_karoshi/all

Language

/opt/karoshi/web_controls/language

Sudo scripts

/opt/karoshi/web_controls/exec

Web Management Data flow

A typical action in the web management would follow this data handling:

Cgi script 1 – Displays the web form in the correct language and theme for the user.

Cgi script 2 – Captures the data sent from cgi script 1. If the data passes the data checks, the data is then sent along with an md5sum of the second cgi script to a third script that runs with elevated privileges using sudo.

Sudo script 3 – Captures the data from cgi script 2, carries out final data checks, logs the action and carries out the action.

Web Management Security

Apache

The web management pages are currently served using an apache web server running as a different user and group from the standard apache user. This means that in the event of normal web pages being compromised on the server the web management will remain separate.

Starting and stopping apache service for the web management

service apache_karoshi start/stop

Passwords

Access to the web management is controlled by the htaccess password mechanism built into apache. By default access to the web management is through ssl only to ensure that passwords are not sent in plain text.

The staff section of the web management uses htaccess to connect to the ldap server, so staff are able to use their standard usernames and passwords.

Access to the tech and admin areas of the web management uses separate authentication for security reasons.

MD5sums

All of the cgi scripts used in the web management have a random string appended to the bottom of them as a comment on installation. These random strings mean that the md5sums for the scripts will be unique on different servers. The checksum information as per installation is stored in /opt/karoshi/web_controls/checksums. This area can only be accessed by the root user. When an action is carried out on the web management, the second cgi script that captures the data will send the information and the md5sum of itself, using sudo, to a script with elevated privileges. If the md5sum does not match the md5sum stored in /opt/karoshi/web_controls/checksums then the script will terminate and the error will be logged.

The easiest way to develop new pages for the web management is to create new scripts in the correct installation paths and then run the setup script again which will create a new set of md5sums.
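
The checksum handshake described above, reproduced in a temporary directory (an added example, not the Karoshi setup script or sudo scripts). The function names, the file names and the one-file-per-script checksum layout are assumptions.

```bash
#!/bin/bash
# Added example, not Karoshi code. It works in a temporary directory; the file
# names and the one-file-per-script checksum layout are assumptions.

# install_cgi SRC DEST SUMDIR: copy a script, append a random comment line and
# record the md5sum of the installed copy, as the setup script is described as doing.
install_cgi() {
    cp "$1" "$2"
    printf '#%s\n' "$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')" >> "$2"
    md5sum "$2" | cut -d' ' -f1 > "$3/$(basename "$2")"
}

# self_sum FILE: what the second cgi script computes about itself before calling sudo.
self_sum() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_caller CLAIMED_SUM NAME SUMDIR: the comparison made by the privileged
# script. Succeeds only if the sum sent by the cgi script equals the stored one.
verify_caller() {
    vc_stored=$(cat "$3/$2" 2>/dev/null) || return 1
    [ -n "$vc_stored" ] && [ "$1" = "$vc_stored" ]
}

# demo: prints one word per scenario.
demo() {
    d=$(mktemp -d)
    mkdir "$d/a" "$d/a-sums" "$d/b" "$d/b-sums"
    printf '#!/bin/bash\necho "Content-type: text/html"\n' > "$d/example.cgi"
    install_cgi "$d/example.cgi" "$d/a/example.cgi" "$d/a-sums"   # constructed "server A"
    install_cgi "$d/example.cgi" "$d/b/example.cgi" "$d/b-sums"   # constructed "server B"
    # 1. Untouched installed script: the privileged script accepts it.
    verify_caller "$(self_sum "$d/a/example.cgi")" example.cgi "$d/a-sums" && r1=accepted || r1=rejected
    # 2. The same source installed on another server has a different md5sum.
    [ "$(self_sum "$d/a/example.cgi")" != "$(self_sum "$d/b/example.cgi")" ] && r2=unique || r2=same
    # 3. Script edited after installation: rejected until the sums are regenerated.
    echo 'echo "new feature"' >> "$d/a/example.cgi"
    verify_caller "$(self_sum "$d/a/example.cgi")" example.cgi "$d/a-sums" && r3=accepted || r3=rejected
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

demo   # accepted unique rejected
```

The third result is why a script changed during development stops working until the setup script has been run again.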