CGI/Remote Commands on Web Servers

ilikeperl has asked for the wisdom of the Perl Monks concerning the following question:

Replies are listed 'Best First'.
Re: CGI/Remote Commands on Web Servers by wazoox (Prior) on May 02, 2008 at 13:40 UTC
Where's my crystal ball? Oh, it rolled under the desk once again. Well, hum, let's blow the dust that covers it... Here we are... So you are using a Microsoft Windows server, isn't it? I don't know the release for sure, the image in the crystal ball isn't very clear (or is it the dust? or maybe my glasses?). And the web server, what can it be? IIS, I suppose. Well, never mind. Your web server runs under a particular user identity. To achieve you goal, you must ensure that your web server user is able to : access the directory where live the programs you want it to run; execute the programs you want it to run (from explorer, right-click, Properties, Security tab, add the minimal rights(execution only) for the web server user, normally IUSR_<machinename>). instead of juggling with authorizations on system executables, you may make copies in a special directory and give the rights on these copies instead; however these copies may not be updated automatically, among other problems.	[reply]
Re^2: CGI/Remote Commands on Web Servers by Anonymous Monk on May 02, 2008 at 14:50 UTC
Thanks for the replies. Unfortunately, I'm still getting problems. I've followed your advice wazoox and there is an IIS user account on the web server which I've given read/execute permissions for the executables I want to run (specifically now, psexec.exe). Its still not running it though - its as if it runs half of psexec and then hangs. I'll confess to being a complete novice when it comes to IIS - anyone know of anything online that I can read up about it?	[reply]
Re^3: CGI/Remote Commands on Web Servers by wazoox (Prior) on May 02, 2008 at 15:22 UTC
Show Us The Fine Code, dude. My crystal balls has ran out of batteries, and it gets old quickly to play this guessing game. Maybe it works but doesn't display output because you forgot http headers, perhaps it gives some information in the IIS logs, etc. Show the code you wrote, and look at the webserver logs.	[reply]
Re^3: CGI/Remote Commands on Web Servers by NetWallah (Canon) on May 02, 2008 at 19:41 UTC
psexec ? - Isn't that the program that lets you run code on a remote machine ? The IUSER_<computername> account is a LOCAL account, that, by default/design allows execution only on the local machine. If you need something exotic, try using the runas command to impersonate another identity and execute something. But (warning) this may be a security hazard, because you need to supply the password via STDIN. "How many times do I have to tell you again and again .. not to be repetitive?"	[reply]
Re: CGI/Remote Commands on Web Servers by TOD (Friar) on May 02, 2008 at 10:16 UTC
first of all, it is always safe not to let any cgi script execute a system command. but apart from this (admittedly somewhat superstitious) advice: put copies from the programs you want to execute on the same directory where the cgi script is residing, modify their access rights so that the cgi is able to call them - and pray. ^^ -------------------------------- masses are the opiate for religion.	[reply]
Re^2: CGI/Remote Commands on Web Servers by Cody Pendant (Prior) on May 02, 2008 at 10:54 UTC
Why would they need to be in the same directory? Nobody says perl looks like line-noise any more kids today don't know what line-noise IS ...	[reply]
Re^3: CGI/Remote Commands on Web Servers by Anonymous Monk on May 03, 2008 at 09:06 UTC
To easily exploit the server	[reply]
Re^2: CGI/Remote Commands on Web Servers by Anonymous Monk on May 02, 2008 at 10:24 UTC
advice: put copies from the programs you want to execute on the same directory where the cgi script is residing, modify their access rights so that the cgi is able to call them - and pray. ^^ No, don't do that. That is borderline criminal advice.	[reply]


Think about Loose Coupling
	PerlMonks