I have a shoutcast server running on my Fedora Core 3 server. I would like
to setup a simple wepage to have buttons to skip and request songs.
I am having trouble finding out how to send bash commands through Apache. I
tried a walk-though using cgi, but I couldn't get it working.
Does anyone have some suggestions/tips?
Thanks,
Adam Windisch

You can, as you tried, use CGI to this, or you could use a scripting language like PHP.

Since this iisnt really that complex, CGI might be easier. First off, check Apache supports cgi-scripts. A defualt isntallation allows cgis to be run only inside a special "cgi-bin" directory. Next, you need to create the shell scripts. A sample script is below:



The first two lines are needed, but after that you can do antything. Make sure that the file is executable by the webserver (normally the user is "httpd", so, "chown httpd" "chmod 0744")

D

I've always had problems with CGI, but using PHP + exec() is useful.

If you have other users with access to your machine, make sure that safe_mode is on in php.ini

http://us2.php.net/manual/en/function.exec.php

If you do go the PHP route, then safe_mode is not strictly necessary, provided that PHP/Apache have their own user/group and arent run as root. I have never used a hosting company that turned safe_mode on.

Keep in mind that if Apche/PHP DOES hasve it's own group, that group must have permission to use the commands/files that you specify in the PHP script, otherwise you will get an error and nothing good will happen.

passthru() and the proc_open() commans might also be useful, but it depends on what you want to do with the output fom the commands.

D

I'll assume three things.

1) Apache is run as 'apache', or 'nobody'
2) Safe_mode is not turned on
3) Apache can view the contents of a users directory (or even worse, CHANGE the contents of a users directory), atleast public_html (assuming you're letting users have personal websites, which apache will probably allow by default)

Excellent, now a malicous user can view files that were only hidden from users, as well as view (and possibly edit) the contents of other people's home directories.

Safe_mode + php_admin_value open_basedir /home/user (in apache virtual host settings) is the only way I've seen to stop this from happening. I could be wrong though. *shrugs*

This is especially bad if



I might just be paranoid though. <.<

But, provided that people dont keep files world writable, the scope for damage is limited. Generally, if home directories themselves are only accessible by the owner and group (provided the system is setup with apache under a different group to the user) then home directories are safe. There is the possiblility of a malicious usaer snooping around, but like I said, I have never come across a good web host that uses safe_mode. I guess you need to weigh security versus functionality.

I certainly wouldnt turn safe_mode on unless I was giving away free hosting with no audit trail or backup system. Just a matter of personal preference I suppose.

D

Ah, good point. =)

My biggest concern is a person putting sensitive information (system password, remote system password, mysql password) in a PHP file, and having another person read it.

If you can trust all the people on the system, it's not a big deal.

hmmm, database passwords are always a bit of a difficult point. Having said that, I guess if you are really paranoid, you could use the "byte encoder" extension to compile the $password = 'pass'; script, then include() it - And the password would not be readable.

Perhaps not a realistic solution though