how to use system call within a cgi script

 
 
Grant
      10-14-2008
On Tue, 14 Oct 2008 12:24:09 -0700, Tim Greer <(E-Mail Removed)> wrote:

>Grant wrote:
>
>> On 11 Oct 2008 23:25:58 GMT, John Bokma <(E-Mail Removed)> wrote:
>>
>>>ReggieC <(E-Mail Removed)> wrote:
>>>
>>>> Hi there,
>>>>
>>>> I have to execute an executable from a CGI script written in perl.
>>>> I cannot do that even
>>>> with a very simple test like:
>>>> $result = system("mkdir test1");
>>>> $result = system("mkdir ", "test1");
>>>> exec('mkdir test1');
>>>
>>>Read perldoc -f exec
>>>
>>>Remove the exec, and try again, does it now work?
>>>
>>>> but always got 500 Internal Service Error.
>>>
>>>Always copy error messages, don't type them yourself.

>>
>> Oops, I meant to add an example, this is from a .cgi here (awk):
>> ...
>> # create a unique output filename
>> cmd = "mktemp public/cc2ip.XXXXXX"; cmd | getline out;
>> close(cmd)
>>
>> # make the output filename world writable and append .txt
>> system("touch " out " && chmod a+rw " out " && mv " out " " out ".txt")
>> out = out ".txt"
>> ...

>
>You probably don't want to make it world writable unless you have a good
>reason, assuming they even need that those of permissions.


Oh, in this case the first .cgi hands off (after validation of parms) to
another script which is run as 'nobody' :/ Hence the world writable public
directory. Several attempts to merge both scripts resulted in far slower
performance, awk is funny like that.

But there's nothing else inside public except for a blank index.html to
thwart the curious

>> The matching web directory:
>> -r-sr-xr-x 1 grant wheel 3104 2008-10-05 09:07 cc2ip.cgi*
>> -rwxrwxr-x 1 grant wheel 11570 2008-10-12 06:35 index.html*
>> -rwxrwxr-x 1 grant wheel 444 2008-10-05 09:07 lookup-ip*
>> drwxrwxrwx 2 grant wheel 184 2008-10-12 00:02 public/
>> drwx-w---- 2 grant wheel 128 2008-10-12 11:32 server/

>
>Glad to see nothing is setguid there.


No, that's what the C security wrapper is for!
>
>World write is indeed sometimes needed for some people, and is fine if
>they aren't on a shared server, but I'd just recommend against it if
>you're on a server that other users are on.


I have full control of the server here, and in any case it's unlikely
somebody could guess the random name of an ephemeral (sp?) file that is
purged after only 2 days. And methods other than get|head result in 403.
>
>Anyway, yeah, just check the logs, print the proper header for CGI and
>be sure to check your calls and catch (and log or report) any
>errors/failures.


When I'm doing web development I have three logging terminals open:
access_log, error_log and rewrite.log.

Grant.
--
http://bugsplatter.id.au
 
Tim Greer
      10-14-2008
Grant wrote:

> On Tue, 14 Oct 2008 12:24:09 -0700, Tim Greer <(E-Mail Removed)>
> wrote:
>
>>Grant wrote:
>>
>>> On 11 Oct 2008 23:25:58 GMT, John Bokma <(E-Mail Removed)>
>>> wrote:
>>>
>>>>ReggieC <(E-Mail Removed)> wrote:
>>>>
>>>>> Hi there,
>>>>>
>>>>> I have to execute an executable from a CGI script written in perl.
>>>>> I cannot do that even
>>>>> with a very simple test like:
>>>>> $result = system("mkdir test1");
>>>>> $result = system("mkdir ", "test1");
>>>>> exec('mkdir test1');
>>>>
>>>>Read perldoc -f exec
>>>>
>>>>Remove the exec, and try again, does it now work?
>>>>
>>>>> but always got 500 Internal Service Error.
>>>>
>>>>Always copy error messages, don't type them yourself.
>>>
>>> Oops, I meant to add an example, this is from a .cgi here (awk):
>>> ...
>>> # create a unique output filename
>>> cmd = "mktemp public/cc2ip.XXXXXX"; cmd | getline out;
>>> close(cmd)
>>>
>>> # make the output filename world writable and append .txt
>>> system("touch " out " && chmod a+rw " out " && mv " out " " out ".txt")
>>> out = out ".txt"
>>> ...

>>
>>You probably don't want to make it world writable unless you have a
>>good reason, assuming they even need that those of permissions.

>
> Oh, in this case the first .cgi hands off (after validation of parms)
> to
> another script which is run as 'nobody' :/ Hence the world writable
> public
> directory. Several attempts to merge both scripts resulted in far
> slower performance, awk is funny like that.
>


I would agree, that is fine. I just meant that I wouldn't recommend
that on a shared server with other users (this is fine if the system
isn't shared by potentially malicious users or other users that might
have insecure scripts that malicious users could use as a gateway into
the server). However, for your own server, an unprivileged user is
better (as you're doing and know), and I did realise after I posted,
that you were making an example of an existing script and not actually
suggesting they allow world write if they don't need to. Forgive me
for misreading your follow up.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!
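
An added example, not written by any poster in this thread: a Perl CGI sketch of the advice above (check every call, log failures, always print a proper header) combined with a unique output file that is not world writable. The `public` directory and `cc2ip` prefix are taken from the awk snippet; the fixed `PATH` and mode 0660 (which assumes the second script shares a group with this one) are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Assumed values: 'public' and the cc2ip prefix mirror the awk snippet in the
# thread; mkdir is the original poster's test command.
my $out_dir = 'public';
$ENV{PATH} = '/bin:/usr/bin';    # fixed PATH, not whatever the server passed in

# Run a command in list form (no shell) and decode $? when it fails.
# Anything sent to STDERR via warn lands in the web server's error_log.
sub run_checked {
    my @argv = @_;
    my $rc = system { $argv[0] } @argv;
    return 1 if $rc == 0;
    if    ($? == -1) { warn "cannot execute $argv[0]: $!\n" }
    elsif ($? & 127) { warn sprintf "%s killed by signal %d\n", $argv[0], $? & 127 }
    else             { warn sprintf "%s exited with status %d\n", $argv[0], $? >> 8 }
    return 0;
}

# Create a unique file, as "mktemp public/cc2ip.XXXXXX" does, then rename it
# to .txt. File::Temp opens it with mode 0600; 0660 (assumption: both scripts
# share a group) replaces the snippet's chmod a+rw.
sub make_output {
    my ($fh, $tmp) = eval { tempfile('cc2ip.XXXXXX', DIR => $out_dir) }
        or do { warn "tempfile: $@"; return };
    my $ok = close($fh) && chmod(0660, $tmp) && rename($tmp, "$tmp.txt");
    warn "preparing $tmp failed: $!\n" unless $ok;
    return $ok ? "$tmp.txt" : undef;
}

my $out = run_checked('mkdir', '-p', $out_dir) ? make_output() : undef;

# Always emit a complete CGI header, with the status reflecting the outcome.
if (defined $out) {
    print "Status: 200 OK\r\nContent-Type: text/plain\r\n\r\n";
    print "wrote $out\n";
} else {
    print "Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n";
    print "Internal error; details are in the server error log.\n";
}
```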