Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

Re: Run arbitrary UNIX commands on webserver without telnet

by ajt (Prior)
on Oct 30, 2001 at 19:43 UTC ( #122106=note: print w/ replies, xml ) Need Help??


in reply to Run arbitrary UNIX commands on webserver without telnet

While I think we can all agree that telnet is NOT perfect, I don't think it's wise to allow people to post to a CGI script, and then running arbitary commands on a server.

Even if you are using authenication/authorisation to restrict people from using this script, and the script runs with limited priviledges, and is sandboxed off from the rest of the web server, I still think it's not wise.

If your hosting company doesn't allow SSH or Telnet then I think a better host is a better solution than a script like this.

I've just seen your caveat, I'm pleased you think it's dangerous, I still thinks it's a dangerous thing to do, even if only temporarily.


Comment on Re: Run arbitrary UNIX commands on webserver without telnet
Re(dmm): Run arbitrary UNIX commands on webserver without telnet
by dmmiller2k (Chaplain) on Oct 30, 2001 at 23:41 UTC
    While I think we can all agree that telnet is NOT perfect, I don't think it's wise to allow people to post to a CGI script, and then running arbitary commands on a server.

    First, with all its warts, if telnet were available I would never have resorted to this approach.

    Second, please read my reply to jeffa (below, I think), regarding ``allowing people ... running arbitrary commands on a server.''

    Finally, when you are working for actual paying clients, you don't always get a say in which hosting company they choose.

    In short,

    • Dangerous? Yes.
    • Necessary? Occasionally.
    • Ever leave accessible and executable after logging off? Never
    • Allow users (even friendly ones) to use it? Never, on penalty of losing Web Developer license

    dmm

    
    You can give a man a fish and feed him for a day ...
    Or, you can teach him to fish and feed him for a lifetime
    
      Finally, when you are working for actual paying clients, you don't always get a say in which hosting company they choose.

      If the paying client cares about the quality of work, they'll use a hosting company or buy extra services needed to get the work done. My experience is that the clients that are too cheap with their money to buy basic services and software should be avoided.

      (Yes, there are cases where the client can't afford a lot of extras and you have to go through hoops, but there's a minimum set of tools you need.)

      And if I were a client and found out my consultant was using hacks which could jeopardize the security of my web site and potentially get my web site taken down by angry sysadmins... well, the consultant would be out on his/her arse in no time and I'd be in contact with some lawyers.

        Look, at one particular client I required the installation of a perl module from the CPAN (irrelevant which one, except that it involved the compilation of one or two .xs files). Using a similar "hack" (albeit a hardcoded one, see here), I was able to run the standard 'perl Makefile.PL; ...; make install' sequence to get the thing built and installed (locally at least -- fortunately there was an available compiler, etc.) and to continue working.

        The directory containing the alleged "hack" was protected by .htaccess; plus, as soon as the compilation was finished, I 'chmod -x 'ed the script, and later removed it when I was certain I had done everything I needed to do.

        dmm

        
        You can give a man a fish and feed him for a day ...
        Or, you can teach him to fish and feed him for a lifetime
        

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://122106]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others examining the Monastery: (13)
As of 2014-12-22 14:31 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (119 votes), past polls