Re: Run arbitrary UNIX commands on webserver without telnet

in reply to Run arbitrary UNIX commands on webserver without telnet

While I think we can all agree that telnet is NOT perfect, I don't think it's wise to allow people to post to a CGI script, and then running arbitary commands on a server.

Even if you are using authenication/authorisation to restrict people from using this script, and the script runs with limited priviledges, and is sandboxed off from the rest of the web server, I still think it's not wise.

If your hosting company doesn't allow SSH or Telnet then I think a better host is a better solution than a script like this.

I've just seen your caveat, I'm pleased you think it's dangerous, I still thinks it's a dangerous thing to do, even if only temporarily.

Comment on Re: Run arbitrary UNIX commands on webserver without telnet

Replies are listed 'Best First'.
Re(dmm): Run arbitrary UNIX commands on webserver without telnet by dmmiller2k (Chaplain) on Oct 30, 2001 at 23:41 UTC
While I think we can all agree that telnet is NOT perfect, I don't think it's wise to allow people to post to a CGI script, and then running arbitary commands on a server. First, with all its warts, if telnet were available I would never have resorted to this approach. Second, please read my reply to jeffa (below, I think), regarding ``allowing people ... running arbitrary commands on a server.'' Finally, when you are working for actual paying clients, you don't always get a say in which hosting company they choose. In short, Dangerous? Yes. Necessary? Occasionally. Ever leave accessible and executable after logging off? Never Allow users (even friendly ones) to use it? Never, on penalty of losing Web Developer license dmm You can give a man a fish and feed him for a day ... Or, you can teach him to fish and feed him for a lifetime	[reply]
Re: Re(dmm): Run arbitrary UNIX commands on webserver without telnet by rrwo (Friar) on Nov 08, 2001 at 10:01 UTC
Finally, when you are working for actual paying clients, you don't always get a say in which hosting company they choose. If the paying client cares about the quality of work, they'll use a hosting company or buy extra services needed to get the work done. My experience is that the clients that are too cheap with their money to buy basic services and software should be avoided. (Yes, there are cases where the client can't afford a lot of extras and you have to go through hoops, but there's a minimum set of tools you need.) And if I were a client and found out my consultant was using hacks which could jeopardize the security of my web site and potentially get my web site taken down by angry sysadmins... well, the consultant would be out on his/her arse in no time and I'd be in contact with some lawyers.	[reply]
Re: (3): Run arbitrary UNIX commands on webserver without telnet by dmmiller2k (Chaplain) on Nov 08, 2001 at 20:32 UTC
Look, at one particular client I required the installation of a perl module from the CPAN (irrelevant which one, except that it involved the compilation of one or two .xs files). Using a similar "hack" (albeit a hardcoded one, see here), I was able to run the standard '`perl Makefile.PL; ...; make install`' sequence to get the thing built and installed (locally at least -- fortunately there was an available compiler, etc.) and to continue working. The directory containing the alleged "hack" was protected by .htaccess; plus, as soon as the compilation was finished, I 'chmod -x 'ed the script, and later removed it when I was certain I had done everything I needed to do. dmm You can give a man a fish and feed him for a day ... Or, you can teach him to fish and feed him for a lifetime	[reply] [d/l]

In Section Craft