> Running Bash Commands From Apache
windisch
post Aug 17 2005, 09:35 AM
Post #1


Whats this Lie-nix Thing?
*

Group: Members
Posts: 1
Joined: 17-August 05
Member No.: 5,395



I have a shoutcast server running on my Fedora Core 3 server. I would like
to set up a simple webpage to have buttons to skip and request songs.
I am having trouble finding out how to send bash commands through Apache. I
tried a walk-through using cgi, but I couldn't get it working.
Does anyone have some suggestions/tips?
Thanks,
Adam Windisch
DS2K3
post Aug 17 2005, 12:05 PM
Post #2


Its GNU/Linuxhelp.net
*******

Group: Support Specialist
Posts: 1,284
Joined: 14-November 04
From: Southampton, Hampshire
Member No.: 4,165



You can, as you tried, use CGI to do this, or you could use a scripting language like PHP.

Since this isn't really that complex, CGI might be easier. First off, check Apache supports cgi-scripts. A default installation allows cgis to be run only inside a special "cgi-bin" directory. Next, you need to create the shell scripts. A sample script is below:

CODE
#!/bin/bash
echo -e "Content-Type: text/html\n\n";  # header, then the blank line that ends the CGI headers

echo "<b>Hello World!</b>"


The first two lines are needed, but after that you can do anything. Make sure that the file is executable by the webserver (normally the user is "httpd", so, "chown httpd" "chmod 0744")

D


--------------------
Fixed your problem? Let us know!
richard@linuxhelp.net

www.Gathr.co.uk Online Event Management
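
An added example, not code from any poster in this thread: a CGI handler for the skip/request buttons in the original question that maps an allow-listed action to a fixed program and passes only a validated numeric song ID as an argument. The helper program paths and the `action` / `song` parameter names are assumptions made for the illustration.

```shell
#!/bin/bash
# Added example: CGI handler for "skip" and "request" buttons.
# SKIP_CMD / REQUEST_CMD are hypothetical helper programs (assumptions).
SKIP_CMD=/usr/local/bin/skip-song
REQUEST_CMD=/usr/local/bin/request-song

# get_param NAME FORMDATA: print the value of NAME from "a=1&b=2" style data.
# Runs in a subshell so the IFS and noglob changes do not leak out.
get_param() (
    set -f
    IFS='&'
    for pair in $2; do
        if [ "${pair%%=*}" = "$1" ]; then
            printf '%s' "${pair#*=}"
            exit 0
        fi
    done
    exit 1
)

# handle_action FORMDATA: run the fixed program for an allow-listed action.
# Request data never reaches eval or a shell string. Only an exact action
# name and a 1-6 digit song ID pass, so URL-encoded input is rejected too.
handle_action() {
    local action song
    action=$(get_param action "$1") || return 1
    case $action in
        skip)
            "$SKIP_CMD" ;;
        request)
            song=$(get_param song "$1") || return 1
            case $song in
                ''|*[!0-9]*|???????*) return 1 ;;
            esac
            "$REQUEST_CMD" "$song" ;;
        *)
            return 1 ;;
    esac
}

# Run only under a web server: CGI sets GATEWAY_INTERFACE.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    if handle_action "${QUERY_STRING:-}" >/dev/null 2>&1; then
        printf 'Content-Type: text/plain\n\nOK\n'
    else
        printf 'Status: 400 Bad Request\nContent-Type: text/plain\n\nRejected or failed\n'
    fi
fi
```
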
Termina
post Aug 17 2005, 09:04 PM
Post #3


RMS is my Hero
******

Group: Support Specialist
Posts: 862
Joined: 18-February 04
From: Wisconsin
Member No.: 2,404



I've always had problems with CGI, but using PHP + exec() is useful.

If you have other users with access to your machine, make sure that safe_mode is on in php.ini

http://us2.php.net/manual/en/function.exec.php


--------------------
*Points finger at the author above him* They're a witch! Burn them!
---
Visit my website!
Join me in IRC! Server: st0rage.org Channel: #UnhandledExceptions
DS2K3
post Aug 18 2005, 02:54 AM
Post #4





If you do go the PHP route, then safe_mode is not strictly necessary, provided that PHP/Apache have their own user/group and aren't run as root. I have never used a hosting company that turned safe_mode on.

Keep in mind that if Apache/PHP DOES have its own group, that group must have permission to use the commands/files that you specify in the PHP script, otherwise you will get an error and nothing good will happen.

passthru() and the proc_open() commands might also be useful, but it depends on what you want to do with the output from the commands.

D


Termina
post Aug 18 2005, 07:34 AM
Post #5





QUOTE (DS2K3 @ Aug 18 2005, 02:54 AM)
If you do go the PHP route, then safe_mode is not strictly necessary, provided that PHP/Apache have their own user/group and aren't run as root. I have never used a hosting company that turned safe_mode on.

Keep in mind that if Apache/PHP DOES have its own group, that group must have permission to use the commands/files that you specify in the PHP script, otherwise you will get an error and nothing good will happen.

passthru() and the proc_open() commands might also be useful, but it depends on what you want to do with the output from the commands.

D

I'll assume three things.

1) Apache is run as 'apache', or 'nobody'
2) Safe_mode is not turned on
3) Apache can view the contents of a user's directory (or even worse, CHANGE the contents of a user's directory), at least public_html (assuming you're letting users have personal websites, which apache will probably allow by default)

Excellent, now a malicious user can view files that were only hidden from users, as well as view (and possibly edit) the contents of other people's home directories.

Safe_mode + php_admin_value open_basedir /home/user (in apache virtual host settings) is the only way I've seen to stop this from happening. I could be wrong though. *shrugs*

This is especially bad if

QUOTE
<?php
echo exec('ls /usr/local/apache2/htdocs');
echo exec('cat /usr/local/apache2/htdocs/safe.php');
echo exec('cat /usr/local/apache2/conf/httpd.conf');
echo exec('ls /home');
echo exec('cat /home/otherguy/public_html/safe.php');
?>


I might just be paranoid though. <.<


DS2K3
post Aug 18 2005, 08:36 AM
Post #6





But, provided that people don't keep files world writable, the scope for damage is limited. Generally, if home directories themselves are only accessible by the owner and group (provided the system is set up with apache under a different group to the user) then home directories are safe. There is the possibility of a malicious user snooping around, but like I said, I have never come across a good web host that uses safe_mode. I guess you need to weigh security versus functionality.

I certainly wouldn't turn safe_mode on unless I was giving away free hosting with no audit trail or backup system. Just a matter of personal preference I suppose.

D


Termina
post Aug 18 2005, 08:49 AM
Post #7





Ah, good point. =)

My biggest concern is a person putting sensitive information (system password, remote system password, mysql password) in a PHP file, and having another person read it.

If you can trust all the people on the system, it's not a big deal.


DS2K3
post Aug 18 2005, 09:25 AM
Post #8





Hmmm, database passwords are always a bit of a difficult point. Having said that, I guess if you are really paranoid, you could use the "byte encoder" extension to compile the $password = 'pass'; script, then include() it - and the password would not be readable.

Perhaps not a realistic solution though.


