How to execute system commands via cgi

For a simple purpose of learning and testing, I try to execute system commands in a virtual machine via cgi scripts in an apache server. For example: create a user or turn off and reboot the computer.
I just want to get an idea of how to do it, and maybe to create my own web services.

Thank you to all who can clarify this for me.
 
First: you're in the wrong forum. This forum is all about porting new software, aka: trying to add it to the FreeBSD ports collection; a better choice would have been the Web and Network Services forum. Don't get me wrong here: it's not the end of the world, but picking the right forum is also in your best interest because your question will get more attention from people interested in that same topic.

Aaaanyway....

For a simple purpose of learning and testing, I try to execute system commands in a virtual machine via cgi scripts in an apache server. For example: create a user or turn off and reboot the computer.
I just want to get an idea of how to do it, and maybe to create my own web services.
First of all be very careful here and ensure that you lock down your environment, otherwise it could be abused by others.

As to how to do this... A CGI script (Common Gateway Interface) is already by design a script which executes on the console. An often used approach is to use Perl for this, but other languages are usable too of course.

All you basically need to do is to set up Apache with CGI support, then write the actual script (also explained on that same webpage).

Keep one important thing in mind though: your script will most likely be executed under the same process ID which the webserver uses (probably www with UID 80 (see /etc/passwd as well as your Apache configuration)). Which means that some system commands are most likely off-limits. Shutting down your server for example.

I suppose you could try to use security/sudo to set this up; this would allow you to grant a specific user account to run specific commands while raising its security status to root.

Hope this gives you some ideas.
 
I apologize, I did not pay attention to which forum I was in. I will therefore close this one and put it back in the right place.
 
For a simple purpose of learning and testing, I try to execute system commands in a virtual machine via cgi scripts in an apache server. For example: create a user or turn off and reboot the computer.
I just want to get an idea of how to do it, and maybe to create my own web services.

I have set up apache that I use with CGI, and everything works fine with ordinary scripts (scripts that do not touch the system). I also installed sudo with this configuration:

ALL(ALL) NOPASSWD: ALL

To run my scripts with sudo; but this is not functional as is.

What interests me at the moment is to be able to execute system scripts and once this is done, I would look at the question of security
 
What interests me at the moment is to be able to execute system scripts and once this is done, I would look at the question of security
That's the wrong order. Security is not something you can bolt on after the fact. Security needs to be integrated and applications need to be written with security in mind from the start.
 
I apologize, I did not pay attention to which forum I was in. I will therefore close this one and put it back in the right place.
Please don't create a new thread, just wait for a mod or admin to move it.

Threads, more or less, merged and moved.
 
OK, I will know from now on.
About security: I totally agree that this is the most important, but if I have not done anything yet, on what will I create security rules then?
I recall that I do my tests in a virtual machine (kvm). So all I risk is breaking my virtual machine, which I created for this purpose anyway.
 
What you probably want to do, the safest option in my opinion, is to create a daemon that listens for commands from the CGI application. The daemon can run on elevated privileges and filter any input being sent from the CGI application. That way there are no elevated privileges needed for the CGI application itself. You do not want to run Apache (or any other web server) as root. You also don't want to have the CGI issue root commands directly, just imagine what this could cause if there's a (shell-injection) vulnerability in the CGI application.
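
The daemon-side filtering described in this reply, as an added example that is not part of the original post: a helper running as root reads one token per line from a FIFO and maps it to a fixed command line. The FIFO path, the token names, the `cgictl` log tag and the `DRY_RUN` switch are assumptions made for the sketch.

```sh
#!/bin/sh
# Added example: privileged-side filter for the daemon design described above.
# FIFO path, tokens and DRY_RUN are assumptions made for this sketch.
LC_ALL=C; export LC_ALL
FIFO="${FIFO:-/var/run/cgictl.fifo}"  # hypothetical; mode 0620, owner root:www
DRY_RUN="${DRY_RUN:-1}"               # 1 = report only, 0 = execute

# One token maps to one fixed command line; request text is never executed.
resolve_action() {
    case "$1" in
        reboot) echo "/sbin/shutdown -r now" ;;
        halt)   echo "/sbin/shutdown -p now" ;;
        *)      return 1 ;;
    esac
}

# Validate a single request line, then look it up in the table.
handle_request() {
    token=$1
    case "$token" in
        ''|*[!a-z]*) echo "rejected"; return 1 ;;   # empty or non-lowercase
    esac
    [ "${#token}" -le 16 ] || { echo "rejected"; return 1; }
    cmd=$(resolve_action "$token") || { echo "unknown"; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $cmd"
    else
        logger -t cgictl "running: $cmd"
        $cmd    # unquoted on purpose: fixed table entry, split into argv
    fi
}

# Listener loop: the CGI (user www) writes one token per line to the FIFO.
serve() {
    [ -p "$FIFO" ] || { echo "no FIFO at $FIFO" >&2; return 1; }
    while :; do
        while IFS= read -r line; do
            handle_request "$line" >/dev/null || logger -t cgictl "refused request"
        done < "$FIFO"
    done
}

# Start listening only when invoked as "script serve".
if [ "${1:-}" = "serve" ]; then serve; fi
```

With this split the CGI needs no sudo rule at all; it only needs write access to the FIFO, and a request that is not in the table never reaches a shell.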
 
I agree with SirDice for setting up a daemon which executes your commands, this is probably the safest option.

Depending on what the commands you want to execute are, you could also use PHP with something like shell_exec(). http://php.net/manual/en/function.shell-exec.php

Keep in mind however that this is quite risky and I wouldn't deploy something like this in production without the help of some Webserver / PHP professional.
 
Indeed, this solution seems to be the right option. So, I'm reading in the wiki everything about rc.d and the creation of daemons.
 
Well, after feeling around the rc system to better understand how it works, I was able to accomplish what I wanted. I created a file that I named testcgi and in which I put this

Code:
#!/bin/sh

. /etc/rc.subr

name="testcgi"
rcvar=testcgi_enable
start_cmd="${name}_start"
stop_cmd=":"

load_rc_config $name
: ${testcgi_enable:=no}

testcgi_start(){
    /sbin/shutdown -r now
}

run_rc_command "$1"

Then I created a loadrc.cgi file

Code:
#!/bin/sh

echo "Content-type: text/plain"
echo ""

/usr/local/bin/sudo service testcgi start

I've allowed www to run the cgi script in sudoers, and it works in a childish way. So simple that at this point I ask the question: what are the rules of security that must be taken into account?
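
A stricter variant of loadrc.cgi, as an added example that is not part of the original post: it refuses anything but an authenticated POST carrying one exact action, and it relies on a sudoers rule limited to the single command. The `DRY_RUN` switch, the `action=reboot` parameter and the use of HTTP authentication (`REMOTE_USER`) are assumptions.

```sh
#!/bin/sh
# Added example: a stricter take on loadrc.cgi. Assumed sudoers entry
# (instead of a blanket NOPASSWD: ALL rule; edit it with visudo):
#   www ALL=(root) NOPASSWD: /usr/sbin/service testcgi start
# The arguments are part of the rule, so www can run nothing else as root.

SUDO=/usr/local/bin/sudo
DRY_RUN="${DRY_RUN:-1}"   # assumption: 1 = report only, 0 = really reboot

# Decide from the CGI environment alone whether the request is acceptable.
# Prints an HTTP status; returns 0 only for the one allowed request.
check_request() {
    # GET must never change state: crawlers and link previews issue GETs.
    [ "${REQUEST_METHOD:-}" = "POST" ] || { echo "405 Method Not Allowed"; return 1; }
    # REMOTE_USER is set by Apache only after HTTP authentication succeeded.
    [ -n "${REMOTE_USER:-}" ] || { echo "401 Unauthorized"; return 1; }
    # Exact match; the query string is compared, never evaluated.
    [ "${QUERY_STRING:-}" = "action=reboot" ] || { echo "400 Bad Request"; return 1; }
    echo "200 OK"
}

main() {
    if status=$(check_request); then
        printf 'Status: %s\r\nContent-Type: text/plain\r\n\r\n' "$status"
        if [ "$DRY_RUN" = 1 ]; then
            echo "dry run: would call $SUDO -n /usr/sbin/service testcgi start"
        else
            # -n: never prompt; fails if the sudoers rule does not match.
            "$SUDO" -n /usr/sbin/service testcgi start
        fi
    else
        printf 'Status: %s\r\nContent-Type: text/plain\r\n\r\n' "$status"
        echo "request refused"
        return 1
    fi
}

# Run only when started by the web server as a CGI program.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then main; fi
```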
 