PerlMonks  

Re(dmm): Run arbitrary UNIX commands on webserver without telnet

by dmmiller2k (Chaplain)
on Oct 30, 2001 at 23:41 UTC (#122176)


in reply to Re: Run arbitrary UNIX commands on webserver without telnet
in thread Run arbitrary UNIX commands on webserver without telnet

While I think we can all agree that telnet is NOT perfect, I don't think it's wise to allow people to post to a CGI script, and then run arbitrary commands on a server.

First, with all its warts, if telnet were available I would never have resorted to this approach.

Second, please read my reply to jeffa (below, I think), regarding "allowing people ... running arbitrary commands on a server."

Finally, when you are working for actual paying clients, you don't always get a say in which hosting company they choose.

In short,

  • Dangerous? Yes.
  • Necessary? Occasionally.
  • Ever leave accessible and executable after logging off? Never.
  • Allow users (even friendly ones) to use it? Never, on penalty of losing Web Developer license.

dmm


You can give a man a fish and feed him for a day ...
Or, you can teach him to fish and feed him for a lifetime


Re: Re(dmm): Run arbitrary UNIX commands on webserver without telnet
by rrwo (Friar) on Nov 08, 2001 at 10:01 UTC
    Finally, when you are working for actual paying clients, you don't always get a say in which hosting company they choose.

    If the paying client cares about the quality of work, they'll use a hosting company or buy extra services needed to get the work done. My experience is that the clients that are too cheap with their money to buy basic services and software should be avoided.

    (Yes, there are cases where the client can't afford a lot of extras and you have to go through hoops, but there's a minimum set of tools you need.)

    And if I were a client and found out my consultant was using hacks which could jeopardize the security of my web site and potentially get my web site taken down by angry sysadmins... well, the consultant would be out on his/her arse in no time and I'd be in contact with some lawyers.

      Look, at one particular client I required the installation of a perl module from the CPAN (irrelevant which one, except that it involved the compilation of one or two .xs files). Using a similar "hack" (albeit a hardcoded one, see here), I was able to run the standard 'perl Makefile.PL; ...; make install' sequence to get the thing built and installed (locally at least -- fortunately there was an available compiler, etc.) and to continue working.

      The directory containing the alleged "hack" was protected by .htaccess; plus, as soon as the compilation was finished, I 'chmod -x'ed the script, and later removed it when I was certain I had done everything I needed to do.

      dmm

      
      You can give a man a fish and feed him for a day ...
      Or, you can teach him to fish and feed him for a lifetime
      
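The two safeguards dmm lists (an .htaccess in front of the directory, and the helper made non-executable and then removed) are easy to forget after a late-night build, so the check below is the one a sysadmin or developer would want to run afterwards. It is an added example, not code from this thread and not dmm's script: it walks a cgi-bin, reports whether the directory's .htaccess still carries a Require directive, and flags any script that both reads request data and hands something to a shell, noting whether that script is still executable. The directory name, the directive test and the regex patterns are assumptions and heuristics, not a complete static analysis.

```perl
#!/usr/bin/perl
# Added example, not from the thread: audit a cgi-bin for a leftover
# "run a command from the browser" helper. Directory name, the Require
# check and the patterns below are assumptions/heuristics.
use strict;
use warnings;
use File::Find;
use File::Spec;

my $cgi_dir = shift(@ARGV) || 'cgi-bin';   # assumed location; override on the command line

# Perl constructs that run a command through the shell (heuristic).
my @shell_calls = (
    qr/\bsystem\s*\(/,
    qr/\bexec\s*\(/,
    qr/\bqx\b/,
    qr/`[^`\n]*\$[^`\n]*`/,      # backticks interpolating a variable
    qr/\bopen\s*\([^)]*\|/,      # pipe open, e.g. open(FH, "$cmd |")
);

# Ways request data usually enters a CGI script (heuristic).
my @request_sources = (
    qr/QUERY_STRING/,            # $ENV{QUERY_STRING}
    qr/\bparam\s*\(/,            # CGI.pm's param() / $q->param()
    qr/<STDIN>/,                 # raw POST body
);

# 1. Is the directory still access-controlled?
my $htaccess    = File::Spec->catfile($cgi_dir, '.htaccess');
my $has_require = 0;
if (-f $htaccess) {
    open my $h, '<', $htaccess or die "$htaccess: $!";
    while (my $line = <$h>) {
        $has_require = 1 if $line =~ /^\s*Require\s/;
    }
    close $h;
}
print $has_require
    ? "OK   $htaccess contains a Require directive\n"
    : "WARN $cgi_dir has no .htaccess with a Require directive\n";

# 2. Which scripts combine request input with a shell call, and are
#    any of them still executable? File::Find chdirs into each
#    directory, so $_ is the bare file name and $File::Find::name the path.
find(sub {
    return unless -f $_;
    my $path = $File::Find::name;
    open my $fh, '<', $_ or do { warn "$path: $!"; return };
    my $src = do { local $/; <$fh> };
    close $fh;

    my $runs_shell  = grep { $src =~ $_ } @shell_calls;
    my $reads_input = grep { $src =~ $_ } @request_sources;
    my $is_exec     = -x $_;

    if ($runs_shell && $reads_input) {
        printf "%s %s: reads request data and calls the shell (%s)\n",
            $is_exec ? 'RISK' : 'NOTE', $path,
            $is_exec ? 'still executable' : 'not executable, but remove it';
    }
    elsif ($is_exec) {
        print "INFO $path is executable\n";
    }
}, $cgi_dir);
```

Run it as `perl audit_cgi.pl /path/to/cgi-bin` (the file name is assumed) from the shell account or, if that is the whole problem, from a cron job that mails the output. A RISK line means the helper dmm describes is still live; a NOTE line means the chmod -x step was done but the removal step was not; a WARN line means the .htaccess guard is gone. The patterns will also fire on perfectly reasonable scripts that shell out with fixed arguments, so read the hits rather than acting on them blindly.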
