Running UNIX cmds via WWW

[JaybOt]

Hi all,


My Basic request .....
I want to create a web page to allow me to enter a command into a form, and on submition of the form, the command needs to be executed (on server) and the results either sent to a file (which will then be opened by another page) or the results will be shown on the current page.

Leading to ....
The other thing i want to do is to be able to enter a url or FTP location into a form, when submit is clicked i need to add the input (e.g. ftp://ftp.cdrom.com/filetoget.tar)
to a file (adding the fetch -l command before each line)
This file will then be executed by cron at a later date (midnight) to download the file(s) listed (each added by the script)basicaly so i can schedule downloads remotly!

And Finally ....
How can i monitor/read mail subject! Basicaly i want to do the same as above (fetch files) but i want to submit my downloads by e-mail. So i need to read all incomming e-mails 'subject' on reciving mail, and for !Download in the subject i want to use grep to find the line starting ... 'fetch' and output this to the same file for downloading later.

Any help much appriciated!

Cheers!


Work, Frag, Eat, Frag, Sleep, Frag, wo..

 

[stillflame]

it would be a very dangerous thing indeed to do this. letting anyone with a browser have any ability to control the unix functions being executed is an open door for hacks. if you are to do this, you should either have lots of security to get onto the page or lots and lots of security checks in the script itself, preventing potentially dangerous commands from being executed, or both.
implementation of this would be really simple. once you have the command to be executed, and it's been checked for dangerousness, put it in backtiks (`) and print up the page with the resulting text or whatever else you want to do. you could also do it by opening a pipe ([tt]open(A_PIPE, "command |&quot[/tt]). the script will be execucted as user nobody, so any system calls will also be as user nobody. you really shouldn't change this, or even allow commands that would change it through. you'll also not automatically be able to save a session as each instance of the script will be it's own subshell(in fact each call to the system from the script as well, no?). complex things will therefore have to be chained together, but will then have to be altered so that the return text would be captured from each one.
(does anyone know for sure, would "[tt]command |;command |; command |[/tt]" work? or would you have to do something like "[tt]command1 |[/tt]" followed by "[tt]command1;command2 |[/tt]" and then "[tt]command1;command2;command3 |[/tt]"? i'm not sure, but the first method looks like it would work.)

in the adding ftp things to a file, that's as easy as appending things (open the file with '>>' in front of it). however, the idea of then executing that line unchecked is not so good... you are in need of a little security here as well.

for reading through mail, you could use Net:OP3, or just read in the user in question's mailbox and parse it from there... research either of those for more on how to do them.

just some suggestions. hope they lead you in the right direction. "If you think you're too small to make a difference, try spending a night in a closed tent with a mosquito."

 

[JaybOt]

Thanks for your responce stillflame,

These are intended to be 'hidden' pages of data each with security checks and passwords to be used by only one user, me! This system is only experimental, for now.

security on a system like this goes without saying (including SOLID stelth firewall with only 1 ip allowed to connect, encryption key and paasword system) as i am new to perl, could you go into a little more detail about using brackets.. maybe an exaple ... Please!
The commands will have output redirected with >> to a file, then the browser will be redirected to another page which would read the output file produced by the command.

The 'ftp' download page would have a link to a page also that would read and display the contents of the actual file to be executed, allowing me to check it remotly, and maybe edit it (using the first method i asked about earlier)

 

[goBoating]

JayBot,
I'm not trying to be insulting. Rather, I hope I am giving good advice in saying that you appear to have a very shallow knowledge of Perl and CGI and are playing dangerous games. I almost wrote this in your 'inet.conf' post and did not because I did not want to discourage you. I then found this post where I am again struck by the potentially disasterous nature of what you are trying to do combined with your appearent inexperience.

I don't want to discourage, just sound a loud note of warning.
The chores discussed above are dangerous ones to learn on. The cost of poor code could be very high. Maybe ....Learn some Perl, Learn some CGI, and then leverage competent skills against your chores.

Be careful or you will get spanked. (Either by someone else, or, more probably self-inflicted.)

Humbly submitted for your consideration.
HTH


keep the rudder amid ship and beware the odd typo

 

[tsdragon]

I know why he might need to do what he's asking. I wrote a perl script to allow me to enter and execute unix shell commands via my web browser too (and YES, it IS a protected page). If you have an ISP that does not allow shell accounts this is a very handy way to get around it. I understand the security issues, but don't a lot of web sites have "admin" functions that do dangerous things too (e.g. displaying all online orders)? You either hide them or password protect them, or both.
Meddle not in the affairs of dragons,
For you are crunchy, and good with mustard.

 

[goBoating]

I advocate making computers do what ever you need them to do..... but... "The three great virtues of a programmer: Laziness, Impatience, and Hubris." -- Larry Wall.

hubris - very great pride and belief in your own importance. -- a dictionary

That hubris stuff can get you into some real trouble.
There are many appropriate uses of such hidden or secure pages. However, (I don't mean to be picking on JayBot) such tricks are dangerous if not done correctly. I only caution against building such 'dangerous' tricks until the developer has a complete understanding of the situation and is competent with the skill needed.

'just my two cents and I'll shut up now ;-)


keep the rudder amid ship and beware the odd typo

 

[tsdragon]

goBoating is correct, and the warnings the others have given are appropriate, but not reasons not to do it.

One things to remember if you do execute a unix command via a perl program: make sure you KNOW which directory the command is being executed on. Since cgi programs normally run in the cgi-bin or cgi-local directory, this may end up being the default directory when you execute the command. I'd suggest the FIRST command you test is pwd. Meddle not in the affairs of dragons,
For you are crunchy, and good with mustard.

 

[JaybOt]

Thanks for all you comments, they have not been taken lightly, and i am obviously a new perl user otherwise i would not be here - i was just looking for a soulution to a problem that i have been working on, in order to impove my skills.

as suggested, what i'm doing does open up a whole world of problems, this i am aware off and so in turn i will be incouraged to look at at ways to solve these problems also, thus improving my knowledge.

i have been a pc enginner / programmer for over 10 years, using delphi, vb, and other languages, just trying to learn 1 more.

 

[tsdragon]

I can give you a place to start: I have a form which has two frames. The top frame contains a textarea to enter unix commands and a submit button. The bottom frame contains the output from a shell script. When you submit the form in the top frame it takes the commands entered into the text box and builds a shell script, then refreshes the bottom frame so it runs that shell script. It works quite well, and allows you to use cut-and-paste on your commands in the text area, and to enter multiple commands at one time. Just remember that, since you are running a cgi-script, it will be executed in the cgi directory, so your first command is usually 'cd ..'.

I can email or post the code next week if you really want. Meddle not in the affairs of dragons,
For you are crunchy, and good with mustard.

 

[JaybOt]

Thanks tsdragon, that woould be great if you could post it, in the meantime here's the code i'm using, can you tel me where i'm going wrong.

The calling HTML page

<HTML>
<HEAD>
<TITLE>Connect to the internet</TITLE>
</HEAD>
<BODY>
<div align=&quot;center&quot;>
<h2>To bring the line up click 'connect' button.</h2>
<form name=&quot;inetup&quot; method=&quot;post&quot; action=&quot;/cgi-bin/up.pl&quot;>
<table>
<tr><td colspan=&quot;2&quot; align=&quot;center&quot;><input type=&quot;submit&quot; name=&quot;submit&quot; value=&quot;Connect&quot;></td></tr>
</table>
</form>
</div>
</BODY>
</HTML>

up.pl - in the cgi-bin dir

#!/usr/bin/perl -w
print &quot;Content-type: text/plain\n\n&quot;;
print &quot;<HTML>\n&quot;;
print &quot;<HEAD>\n&quot;;
print &quot;<TITLE>Bringing the line UP ...</TITLE>\n&quot;;
print &quot;</HEAD>\n&quot;;
print &quot;<BODY>\n&quot;;
print &quot;<H1>PPP line is UP.</H1></P>&quot;;
print &quot;<H2>You ARE connected to the internet.</H2></P>&quot;;
$Result_String = system (`/root/lineup|`);
print &quot;</BODY>\n&quot;;
print &quot;</HTML>\n&quot;;


also tried this with ...

open(LINEUP, system&quot;`/home/lineup|`&quot;
while (<LINEUP>) {
@lines = <LINEUP>;
print @lines;
}
close LINEUP;

and ...

$Result_String = system (`/usr/sbin/ppp -alias -ddial proxy`);

The '/home/lineup' script

#!/bin/sh
echo Bringing the line up ...
/usr/sbin/ppp -alias -ddial proxy
/sbin/ifconfig | /usr/bin/grep inet
echo Done!
echo LINEUP

Thanks for your help.

 

[tsdragon]

You really don't even need a perl program to do what you want. Change your form statement to action=&quot;/cgi-bin/lineup.sh&quot;, copy the lineup.sh script into your cgi-bin directory and chmod it to 0755. This way the form will call the shell script directly (there is no reason a cgi script can't be a shell script). If you want HTML output, just have the shell script echo the content-type header and html. Like this:

echo "Content-type:text/html"
echo &quot;<html<head><meta http-equiv=\&quot;Pragma\&quot; content=\&quot;no-cache\&quot;></head>&quot;
echo &quot;<body><pre>&quot;
your shell commands go here
echo &quot;</pre></body></html>&quot;

Meddle not in the affairs of dragons,
For you are crunchy, and good with mustard.

 

[tsdragon]

JayBot: I have the shell command html forms and perl script available. However, considering the justifiable concern that some of the above posters had about it, instead of posting it here why don't you email me and I'll send you a zip file. My email is tracy@bydisn.com.
Meddle not in the affairs of dragons,
For you are crunchy, and good with mustard.

 

[fortytwo]

This is some code I used a long time ago (not great code, but it is old) to run a few shell commands here and there.

[tt]#!/usr/local/bin/perl

use CGI qw/:standard :netscape/;

$command = param(&quot;command&quot;
@input = `$command 2>&1`;

print &quot;Content-type: text/html\n\n&quot;;
print &quot;&!<br>\n&quot;;

print&quot;<br>\n&quot;;
print &quot;<form action=command.pl method=post>\n&quot;;
print &quot;<input type=text name=command size=60 value=\&quot;$command\&quot;>\n&quot;;
print &quot;<input type=submit value=\&quot;hit me\&quot; name=submit>\n&quot;;
print qq~ </form>
<br>
<hr>
<br>
~;
foreach $input (@input)
{
print &quot;$input<br>\n&quot;;
}
[/tt]

You would obviously want to work out a way of preventing unauthorised use.

fortytwo
will@hellacool.co.uk

http://www.hellacool.co.uk

 

[tsdragon]

Check out

http://www.bydisn.com/software/ShellCommander

Tracy Dryden
tracy@bydisn.com

Meddle not in the affairs of dragons,
For you are crunchy, and good with mustard.