Help - Search - Members - Calendar
Full Version: Running Bash Commands From Apache
Linuxhelp > Support > Technical Support
windisch
I have a shoutcast server running on my Fedora Core 3 server. I would like
to setup a simple wepage to have buttons to skip and request songs.
I am having trouble finding out how to send bash commands through Apache. I
tried a walk-though using cgi, but I couldn't get it working.
Does anyone have some suggestions/tips?
Thanks,
Adam Windisch
DS2K3
You can, as you tried, use CGI to this, or you could use a scripting language like PHP.

Since this iisnt really that complex, CGI might be easier. First off, check Apache supports cgi-scripts. A defualt isntallation allows cgis to be run only inside a special "cgi-bin" directory. Next, you need to create the shell scripts. A sample script is below:

CODE
#!/bin/bash
echo -e "Content-Type: text/htmlnn";

echo "<b>Hello World!</b>"


The first two lines are needed, but after that you can do antything. Make sure that the file is executable by the webserver (normally the user is "httpd", so, "chown httpd" "chmod 0744")

D
Termina
I've always had problems with CGI, but using PHP + exec() is useful.

If you have other users with access to your machine, make sure that safe_mode is on in php.ini

http://us2.php.net/manual/en/function.exec.php
DS2K3
If you do go the PHP route, then safe_mode is not strictly necessary, provided that PHP/Apache have their own user/group and arent run as root. I have never used a hosting company that turned safe_mode on.

Keep in mind that if Apche/PHP DOES hasve it's own group, that group must have permission to use the commands/files that you specify in the PHP script, otherwise you will get an error and nothing good will happen.

passthru() and the proc_open() commans might also be useful, but it depends on what you want to do with the output fom the commands.

D
Termina
QUOTE (DS2K3 @ Aug 18 2005, 02:54 AM)
If you do go the PHP route, then safe_mode is not strictly necessary, provided that PHP/Apache have their own user/group and arent run as root.  I have never used a hosting company that turned safe_mode on.

Keep in mind that if Apche/PHP DOES hasve it's own group, that group must have permission to use the commands/files that you specify in the PHP script, otherwise you will get an error and nothing good will happen.

passthru() and the proc_open() commans might also be useful, but it depends on what you want to do with the output fom the commands.

D

I'll assume three things.

1) Apache is run as 'apache', or 'nobody'
2) Safe_mode is not turned on
3) Apache can view the contents of a users directory (or even worse, CHANGE the contents of a users directory), atleast public_html (assuming you're letting users have personal websites, which apache will probably allow by default)

Excellent, now a malicous user can view files that were only hidden from users, as well as view (and possibly edit) the contents of other people's home directories. happy.gif

Safe_mode + php_admin_value open_basedir /home/user (in apache virtual host settings) is the only way I've seen to stop this from happening. I could be wrong though. *shrugs*

This is especially bad if

QUOTE
<?php
echo exec('ls /usr/local/apache2/htdocs');
echo exec('cat /usr/local/apache2/htdocs/safe.php');
echo exec('cat /usr/local/apache2/conf/httpd.conf');
echo exec('ls /home');
echo exec('cat /home/otherguy/public_html/safe.php');
?>


I might just be paranoid though. <.<
DS2K3
But, provided that people dont keep files world writable, the scope for damage is limited. Generally, if home directories themselves are only accessible by the owner and group (provided the system is setup with apache under a different group to the user) then home directories are safe. There is the possiblility of a malicious usaer snooping around, but like I said, I have never come across a good web host that uses safe_mode. I guess you need to weigh security versus functionality.

I certainly wouldnt turn safe_mode on unless I was giving away free hosting with no audit trail or backup system. Just a matter of personal preference I suppose.

D
Termina
Ah, good point. =)

My biggest concern is a person putting sensitive information (system password, remote system password, mysql password) in a PHP file, and having another person read it.

If you can trust all the people on the system, it's not a big deal. biggrin.gif
DS2K3
hmmm, database passwords are always a bit of a difficult point. Having said that, I guess if you are really paranoid, you could use the "byte encoder" extension to compile the $password = 'pass'; script, then include() it - And the password would not be readable.

Perhaps not a realistic solution though
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2017 Invision Power Services, Inc.