 Dennis Premium,Mod join:2001-01-26 Algonquin, IL
·AT&T Yahoo
running a shell script via cgi web interface
Does anyone know of any pitfalls that could be biting me in the rear in a scenario like this?
I know running a shell script via cgi is frowned upon, but the server in question is a work based one behind multiple firewalls and also requiring a login. My real problem seems to be getting it to execute a shell script where creation of a local file is required.
I'm passing a variable, let's use "router1.clli" as an example, via the cgi script and it seems to work fine. If I was at the cli I'd type "sh script.sh router1.clli" but then it gets to the part of the script like "echo router config >> /tmp/router_command.txt" and it just never does it.
Is there a native security feature that apache has configured to prevent it from working? I've even tried putting a "touch router_command.txt" and a "chmod 777 router_command.txt" in the script. I'm just not sure if apache by default can create any type of file even if it's via shell script.
-- My Blog. Because I desperately need the acknowledgement of others.
Visit the Judd Family website to see my kids!
  Sir Meowmix III
@windstream.net
Re: running a shell script via cgi web interface
Could it be that the CWD is not what you expect it to be? Essentially, the CGI code should be running under the Apache user (often it's either http or nobody), and Apache does not have permissions to write in the CWD (current working directory).
  Sir Meowmix III
@windstream.net
I believe that 'nobody' should be able to write to /tmp without issue, would you mind sharing the code here? I'm assuming it's written in Bash?
How are you handling, in the code, the HTTP POST/GET? How are you sure it's working correctly, are you able to echo it back and see it? Are you correctly reading the CGI input from stdin?
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
Re: running a shell script via cgi web interface
Those touches in the beginning....never happen.
That's probably because "$1" is undefined.
-- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10
 pablo2525
join:2003-06-23
·TekSavvy Solutions..
I'm running `sh' scripts as CGI's without any issue.
I made the following modification to my `vhosts.d' `conf' file:
apache code:
    ...
    AddHandler cgi-script sh
    </Directory>
and my shell scripts have to end with `.sh'. To get around having to parse input, I symlink to the actual script as follows: base name + _ + switch
The shell script itself tears $0 apart to find out the switch to use.
Cheers,
-- pablo openSUSE 11.0;KDE ISP: TekSavvy DSL; backhauled via a 6KM wireless link
 |  |  pablo2525
join:2003-06-23
·TekSavvy Solutions..
Re: running a shell script via cgi web interface
Howdy,
Ugh, my writing wasn't especially clear. I'm sorry. Let me try again.
In /etc/apache2/vhosts.d, my `conf' file has the above entry. In my case, I created a random file named `hostname`.conf based on `vhost.template'
My distribution is openSUSE but I figure the above is true in most (all?) apache installations. Of course the root pathing may be different.
I hope the above helps.
Cheers,
-- pablo openSUSE 11.0;KDE ISP: TekSavvy DSL; backhauled via a 6KM wireless link
  Sir Meowmix III
I think the issue is that the value you're passing via HTTP POST is not inserted into $1, like it would be if it were called from the CLI.
You need to accept the HTTP POST in a different way.
quote: For forms that use METHOD="POST", CGI specifications say that the data is passed to the script or program in the standard input stream (stdin), and the length (in bytes, i.e. characters) of the data is passed in an environment variable called CONTENT_LENGTH.
So you need to read from STDIN, assign it to a variable, and use it instead of $1. See www.tcl.tk/man/aolserver3.0/cgi-ch4.htm
  Sir Meowmix III
Something like:
Where $HTTP_POST needs to be used instead of $1 in your code.
  Sir Meowmix III
$HTTP_POST is arbitrary; it was a declared variable from the 'read' statement I posted earlier. If you're going to use $HTTP_POST be sure to use the 'read' statement as well.
  Sir Meowmix III
Dennis - Glad to help, please post a picture (kidding) ;)
I've not done CGI in a VERY long time, so you might want to do some testing to ensure that $HTTP_POST only contains the content of the POST itself and it's delimited with a QUERY_STRING style syntax. Ideally, your new code would be similar to below, assuming additional parsing of $HTTP_POST isn't necessary:
 |   LarryWall
@no-ptr.set
Re: running a shell script via cgi web interface
You also want to make sure you do input validation on user-supplied data. Something like:
    die unless ($input =~ m/^[a-z0-9]+$/i);  # reject anything that is not purely alphanumeric
The above is Perl that only allows alpha-numeric characters. Nothing like OS command injection to get your web server 0wned.
 |  |  |  |   nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
The above however did not work...
You should be using
    echo "$input" > /tmp/router.txt
The quoting prevents reparsing of "$input".
If you just want to write all of stdin to a file, then
    cat - > /tmp/router.txt
should accomplish that.
-- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10
  Sir Meowmix III
s/and it's delimited with a QUERY_STRING/and it's not delimited with a QUERY_STRING/g
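
The advice in this thread combined into one script, as an added example that is not any poster's code: read the POST body from stdin using CONTENT_LENGTH, validate it against an allow-list, and keep it quoted when writing the file. It assumes a urlencoded form with a field named router (a hypothetical name) and widens the alphanumeric check to also accept the dot and hyphen, since the thread's sample value is "router1.clli".

```shell
#!/bin/bash
# Added example (not from the thread). The form field name "router" is assumed.
export LC_ALL=C   # make the bracket ranges below byte-exact

# Read at most CONTENT_LENGTH bytes of the POST body from stdin.
read_post_body() {
    local len
    len=${CONTENT_LENGTH:-0}
    case $len in ''|*[!0-9]*) return 1 ;; esac   # must be a plain number
    [ "$len" -le 256 ] || return 1               # refuse oversized bodies
    head -c "$len"
}

# Print the raw value of field $2 from the urlencoded body $1 (a=1&b=2).
form_field() {
    local rest pair
    rest=$1
    while [ -n "$rest" ]; do
        pair=${rest%%"&"*}
        case $pair in "$2"=*) printf '%s' "${pair#*=}"; return 0 ;; esac
        case $rest in *"&"*) rest=${rest#*"&"} ;; *) rest= ;; esac
    done
    return 1
}

# Allow-list: letters, digits, dot, hyphen; no leading dot or hyphen.
# Values are not URL-decoded, so anything containing % or + is rejected too.
valid_router_name() {
    case $1 in ''|*[!A-Za-z0-9.-]*|[.-]*) return 1 ;; esac
    [ "${#1}" -le 64 ]
}

# Validate first, then append; "$name" stays quoted so it is never re-parsed.
handle_request() {   # $1 = file to append to
    local body name
    body=$(read_post_body) || return 1
    name=$(form_field "$body" router) || return 1
    valid_router_name "$name" || return 1
    printf '%s\n' "$name" >> "$1"
}

# Only answer a request when the web server started us (CGI sets this variable).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    printf 'Content-Type: text/plain\r\n\r\n'
    if handle_request /tmp/router_command.txt; then echo queued; else echo rejected; fi
fi
```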