running a shell script via cgi web interface

Author	All Replies
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users Find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr.. 1 edit	running a shell script via cgi web interface Does anyone know of any pitfalls that could be biting me in the rear in a scenario like this? I know running a shell script via cgi is frowned upon, but the server in question is a work based one behind multiple firewalls and also requiring a login. My real problem seems to be getting it to execute a shell script where creation of a local file is required. I'm passing a variable, let's use "router1.clli" as an example, via the cgi script and it seems to work fine. If i was at the cli I'd type "sh script.sh router1.clli" but then it gets to the part of the script like "echo router config >> /tmp/router_command.txt" it just never does it. Is there a native security feature that apache has configured to prevent it from working? I've even tried putting a "touch router_command.txt" and a "chmod 777 router_command.txt" in the script. I'm just not sure if apache by default can create any type of file even if it's via shell script. -- My Blog. Because I desperately need the acknowledgement of others. Visit the Judd Family website to see my kids!
	to forum · permalink · · 2009-06-01 20:02:04 ·
Sir Meowmix III @windstream.net	Could it be that the CWD is not what you expect it to be, essentially, the CGI code should be running under the Apache users (often it's either http or nobody) and Apache does not have permissions to write in the CWD (current working directory).
	to forum · permalink · 2009-06-01 20:09:56 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users Find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr..	well i was doing the output to the /tmp/ directory which is not the CWD...but I do think that the file ownership is "nobody". If that's the case and "nobody" can never create a file even with a shell script then am I pretty much SOL? -- My Blog. Because I desperately need the acknowledgement of others. Visit the Judd Family website to see my kids!
	to forum · permalink · · 2009-06-01 20:18:12 ·
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T U-Verse ·AT&T Midwest	reply to Dennis I am not aware of any problem with that. I'm pretty sure I am using some shell scripts for cgi, though I don't recall whether they write to files. Do your web server logs provide any useful information? -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10
	to forum · permalink · · 2009-06-01 20:33:20 ·
Sir Meowmix III @windstream.net	reply to Dennis I believe that 'nobody' should be able to write to /tmp without issue, would you mind sharing the code here? I'm assuming it's written in Bash? How are you handling, in the code, the HTTP POST/GET? How are you sure it's working correctly, are you able to echo it back and see it? Are you correctly reading the CGI input from stdin?
	to forum · permalink · 2009-06-01 21:16:03 ·
pablo2525 join:2003-06-23 ·TekSavvy Solutions..	reply to Dennis I'm running `sh' scripts as CGI's without any issue. I made the following modification to my `vhosts.d' `conf' file: apache code: ... AddHandler cgi-script sh </Directory> and my shell scripts have to end with `.sh' To get around having to parse input, I symlink to the actual script as follows: base name + _ + switch The shell script itself tears $0 apart to find out the switch to use. Cheers, -- pablo openSUSE 11.0;KDE ISP: TekSavvy DSL; backhauled via a 6KM wireless link
	to forum · permalink · · 2009-06-01 22:34:07 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users Find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr.. 1 edit	reply to Sir Meowmix III well, here is the jist of the code...at least the part I am having problems with. I have to remove some bits of it since it's for work and all... here's teh cgi: #!/usr/local/bin/perl print "Content-type: text/html\n\n" ; print <<EOF ; <html> <FORM METHOD=POST ACTION="dennis.sh"> <P><FONT COLOR="#ddd20f" FACE="Trebuchet MS"><B>Enter data to pass to script below </B></FONT><BR> <INPUT NAME="NAME" TYPE="text" SIZE="25" VALUE="enter your data here"><BR> </FONT</P> <P> <center><INPUT TYPE=submit VALUE="Send"> </center> </p> </FORM> </html> EOF exit ; and here is the shell script called dennis.sh cat dennis.sh #!/bin/sh echo "Content-type: text/plain" echo touch /tmp/$1_log.txt chmod 777 /tmp/$1_log.txt touch /tmp/$1_cmd.txt chmod 777 /tmp/$1_cmd.txt echo copy run $1.cnf force > /tmp/$1_cmd.txt echo copy $1.cnf binconfs:/$1.cnf force >> /tmp/$1_cmd.txt echo sh conf exclu int atm \> $1_base.scr >> /tmp/$1_cmd.txt echo copy $1_base.scr binconfs:/$1_base.scr force >> /tmp/$1_cmd.txt echo sh conf cat int exclu int gig exclu int fa \> $1_atm.scr >> /tmp/$1_cmd.txt echo copy $1_atm.scr binconfs:/$1_atm.scr force >> /tmp/$1_cmd.txt Those touches in the beginning....never happen. I works just fine when I do it from the cli of course...but not via apache. I originally added them in order try and fix this problem but tit seems they don't. And of course the $1 is the variable I'm passing. When I have it use a pre-existing file (which won't work for me, was only for testing) then this is the ownership I get. ls -las /tmp/status_out.txt 16 -rwxrwxrwx 1 nobody nogroup 7287 Jun 1 17:04 /tmp/status_out.txt -- My Blog. Because I desperately need the acknowledgement of others. Visit the Judd Family website to see my kids!
	to forum · permalink · · 2009-06-02 09:18:39 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users Find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr..	reply to pablo2525 said by pablo2525 : I made the following modification to my `vhosts.d' `conf' file: I don't have a "vhosts.d" file...only a httpd.conf one which seems to have something similar # To use CGI scripts: # #AddHandler cgi-script .cgi # -- My Blog. Because I desperately need the acknowledgement of others. Visit the Judd Family website to see my kids!
	to forum · permalink · · 2009-06-02 09:46:01 ·
Sir Meowmix III	reply to Dennis I think the issue is that the value you're passing via HTTP post is not inserted into $1, like it would be if it were called from the CLI. You need to accept the HTTP POST in a different way. quote: For forms that use METHOD="POST", CGI specifications say that the data is passed to the script or program in the standard input stream (stdin), and the length (in bytes, i.e. characters) of the data is passed in an environment variable called CONTENT_LENGTH. So you need to read from STDIN, assign it to a variable, and use it instead of $1. See »www.tcl.tk/man/aolserver3.0/cgi-ch4.htm
	to forum · permalink · 2009-06-02 09:55:51 ·
Sir Meowmix III	reply to Dennis Something like: read -n $CONTENT_LENGTH HTTP_POST Where $HTTP_POST needs to be used instead of $1 in your code.
	to forum · permalink · 2009-06-02 10:00:56 ·
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL	reply to Dennis Those touches in the beginning....never happen. That's probably because "$1" is undefined. -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10
	to forum · permalink · · 2009-06-02 10:02:38 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users Find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr.. 2 edits	said by nwrickert : Those touches in the beginning....never happen. That's probably because "$1" is undefined. ....ok well so if that's the case then if the touches are indeed happening, there must be frament files in the /tmp directory... 49# ls -las /tmp/*.txt 16 -rwxrwxrwx 1 nobody nogroup 219 Jun 2 09:28 /tmp/_cmd.txt 0 -rwxrwxrwx 1 nobody nogroup 0 Jun 2 09:28 /tmp/_log.txt so yeah, ok.....the variable must not be passing. So $1 is just a cli variable, and $HTTP_POST would be necessary in its stead. I'll try that and see what happens. -- My Blog. Because I desperately need the acknowledgement of others. Visit the Judd Family website to see my kids!
	to forum · permalink · · 2009-06-02 10:31:03 ·
Sir Meowmix III	reply to Dennis $HTTP_POST is arbitrary, it was a declared variable from the 'read' statement I posted earlier. If you're going to use $HTTP_POST be sure to use the 'read' statement as well.
	to forum · permalink · 2009-06-02 10:52:38 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users Find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr..	said by Sir Meowmix III : $HTTP_POST is arbitrary, it was a declared variable from the 'read' statement I posted earlier. If you're going to use $HTTP_POST be sure to use the 'read' statement as well. Ok, you mean to make sure I use it in the shell script...right? I should have mentioned that I know nothing earlier I'm trying to learn but really I'm trying to learn to run before walking.... -- My Blog. Because I desperately need the acknowledgement of others. Visit the Judd Family website to see my kids!
	to forum · permalink · · 2009-06-02 11:02:35 ·
Sir Meowmix III	reply to Dennis Dennis - Glad to help, please post a picture (kidding) ;) I've not done CGI in a VERY long time, so you might want to do some testing to ensure that $HTTP_POST only contains the content of the POST itself and it's delimited with a QUERY_STRING style syntax. Ideally, your new code would be similar to below, assuming additional parsing of $HTTP_POST isn't necessary: #!/bin/sh echo "Content-type: text/plain" #Read HTTP POST contents into $HTTP_POST read -n $CONTENT_LENGTH HTTP_POST echo touch /tmp/$HTTP_POST_log.txt chmod 777 /tmp/$HTTP_POST_log.txt touch /tmp/$HTTP_POST_cmd.txt chmod 777 /tmp/$HTTP_POST_cmd.txt echo copy run $HTTP_POST.cnf force > /tmp/$HTTP_POST_cmd.txt echo copy $HTTP_POST.cnf binconfs:/$HTTP_POST.cnf force >> /tmp/$HTTP_POST_cmd.txt echo sh conf exclu int atm \> $HTTP_POST_base.scr >> /tmp/$HTTP_POST_cmd.txt echo copy $HTTP_POST_base.scr binconfs:/$HTTP_POST_base.scr force >> /tmp/$HTTP_POST_cmd.txt echo sh conf cat int exclu int gig exclu int fa \> $HTTP_POST_atm.scr >> /tmp/$HTTP_POST_cmd.txt echo copy $HTTP_POST_atm.scr binconfs:/$HTTP_POST_atm.scr force >> /tmp/$HTTP_POST_cmd.txt
	to forum · permalink · 2009-06-02 11:07:37 ·
Sir Meowmix III	reply to Dennis s/and it's delimited with a QUERY_STRING/and it's not delimited with a QUERY_STRING/g
	to forum · permalink · 2009-06-02 11:08:48 ·
pablo2525 join:2003-06-23 ·TekSavvy Solutions..	reply to Dennis Howdy, Ugh, my writing wasn't especially clear. I'm sorry. Let me try again. In /etc/apache2/vhosts.d, my `conf' file has the above entry. In my case, I created a random file named `hostname`.conf baseed on `vhost.template' My distribution is openSUSE but I figure the above is true in most (all?) apache installations. Of course the root pathing may be different. I hope the above helps. Cheers, -- pablo openSUSE 11.0;KDE ISP: TekSavvy DSL; backhauled via a 6KM wireless link
	to forum · permalink · · 2009-06-02 13:27:01 ·
LarryWall @no-ptr.set	reply to Sir Meowmix III You also want to make sure you do input validation on user-supplied data. Something like: die unless ($input =~ m/[a-z0-9/i); The above is PERL that only allows alpha-numeric characters. Nothing like OS command injection to get your web server 0wned.
	to forum · permalink · 2009-06-02 14:01:46 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users Find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr.. 3 edits	well I tried changing the variables, but got these errors /usr/local/apache/dennis.sh: -n: is not an identifier [Tue Jun 2 16:07:20 2009] [error] [client xxx.xxx.xxx.xxx] Premature end of script headers: /usr/local/apache/dennis.sh tried to echo it out into a test file but no joy so the syntax must be off #!/bin/sh #Read HTTP POST contents into $HTTP_POST read -n $CONTENT_LENGTH HTTP_POST echo $HTTP_POST > /tmp/test.txt update: I did just get this to work.... read input echo "Content-type: text/plain" echo $input > /tmp/echo.txt gave me... 25# cat /tmp/echo.txt NAME=router2.clli -- My Blog. Because I desperately need the acknowledgement of others. Visit the Judd Family website to see my kids!
	to forum · permalink · · 2009-06-02 17:09:00 ·
Dennis Premium,Mod join:2001-01-26 Algonquin, IL ·AT&T Yahoo Host: Chicago Users Find Hot Deals Users find Hot Dea.. Requests for Hot D.. Home Repair & Impr..	If only there was some way for me to read that text file back into a variable.... read input #echo "Content-type: text/plain" echo $input > /tmp/router.txt cut -d= -f2 /tmp/router.txt > /tmp/router2.txt cat /tmp/router2.txt > $1 The above however did not work....:( -- My Blog. Because I desperately need the acknowledgement of others. Visit the Judd Family website to see my kids!
	to forum · permalink · · 2009-06-02 18:07:15 ·


Sunday, 29-Nov 22:58:19	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF