开发者

How do I run shell commands in a CGI program as the nobody user?

问答 作者:

I want to run shell commands in a CGI program (wr开发者_如何学运维itten in Perl). My program doesn’t have root permission. It runs as nobody. I want to use this code: 

use strict;
system <<'EEE';
awk '{a[$1]+=$2;b[$1]+=$3}END{for(i in a)print i, a[i], b[i]|"sort -nk 3"}' s.txt
EEE

I can run my code successfully with perl from the command line but not as a CGI program.

Based on the code in your question, there are at least four possibilities for failure.

  1. The nobody user does not have permission to execute your program.
  2. The Perl code in your question has no shebang (#!) line. You are trying to run awk, so I assume you are running on some form of Unix. If your code is missing this line, then your operating system does not know how to run your program.
  3. The file s.txt is either not in the executing program’s working directory, or it is not readable by the nobody user.
  4. For whatever reason, awk is not reachable via the PATH of your executing program’s environment.

To quickly diagnose such low-level problems, try to have all error output to show up in the browser. One way to do this is adding the following just after the shebang line in your code.

BEGIN {
    print "Content-type: text/plain\n\n";
    open STDERR, ">&", \*STDOUT or print "$0: dup: $!";
}

The output will render as plain text rather than HTML, but this is a temporary measure to see your program’s output. By wrapping it in a BEGIN block, the code executes as soon as it parses. Redirecting STDERR means your browser also gets anything written to the standard output.

Another way to do this is with the CGI::Carp module.

use CGI::Carp 'fatalsToBrowser';

This way, errors go to the browser and also to the web server’s error log.

If you still see 500-series errors from your server, the problem is happening at a lower level: probably some failure to start perl. Go examine your server’s error log. Once your program is executing, you can remove this temporary redirection of error output.

Finally, I recommend changing your program to

#! /usr/bin/perl -T

BEGIN { print "Content-type: text/plain\n\n"; }

use strict;
use warnings;

$ENV{PATH} = "/bin:/usr/bin";

my $input = "/path/to/your/s.txt";

my $buckets = <<'EOProgram'
{ a[$1] += $2; b[$1] += $3 }

END { for (i in a) print i, a[i], b[i] }
EOProgram

open STDIN, "-|", "awk", $buckets, $input or die "$0: open: $!";
exec "sort", "-nk", 3                     or die "$0: exec: $!";

The -T switch enables a security dataflow analysis called taint mode that prevents you from using unsanitized input on system operations such as open, exec, and so on that an attacker (or benign user supplying unexpected input) could use to harm your system. You should always add -T to CGI programs and any other code that runs on behalf of another user.

Given the nature of your awk program, a content type of text/plain seems reasonable. Output it as soon as possible.

With taint mode enabled, be explicit about the value of your PATH environment variable. If instead you stick with whatever untrusted PATH your program inherits, attempting to run external programs will fail.

Nail down the full path of your input. This will eliminate surprises.

Using the multi-argument forms of open and exec eliminates the shell and its argument parsing. (For completeness, system also has a similar multi-argument form.) Yes, writing it this way can mean being a little more deliberate (such as breaking out the arguments and setting up the pipeline yourself), but it also avoids nasty surprises.

I'm sure nobody is allowed to run shell commands. The problem is that nobody doesn't have permission to open the file s.txt. Add read permission for everyone to s.txt, and add execute permission to everyone on every directory up to s.txt.

I would suggest finding out the full qualified path for awk and specifying it directly. Likely the nobody that launched httpd had a very minimal path in its $ENV{PATH}. Displaying the $ENV{PATH} I am guessing will show this.

This is a good thing, I wouldn't modify the path, but just specify the path /usr/bin/awk or what not.

If you have shell access and it works, type 'which awk' to find this out.

i can run my codes successfully in perl file but not in cgi file.

What web server are you running under? For instance, apache requires printing a CGI header i.e. print "Content-type: text/plain; charset=utf-8\n\n", or 

use CGI;
my $q = CGI->new();
print $q->header('text/html');

(See CGI)

Apache will conplain in the log (error.log) about "premature end of script headers" IF what I said is the case.

You could just do it inline without having to fork out to another process...

if ( open my $fh, '<', 's.txt' ) {
    my %data;
    while (<$fh>) {
        my ($c1,$c2,$c3) = split;
        $data{a}{$c1} += $c2;
        $data{b}{$c1} += $c3;
    }
    foreach ( sort { $data{b}{$a} <=> $data{b}{$b} } keys %{ $data{b} } ) {
        print "$_ $data{a}{$_} $data{b}{$_}\n";
    }

} else {
    warn "Unable to open s.txt: $!\n";
}

继续阅读:cgiperlsecurity

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9