CGI, application context and security

by ady (Deacon)
on Apr 07, 2007 at 18:13 UTC ( [id://608845]=perlquestion )

ady has asked for the wisdom of the Perl Monks concerning the following question:

Fellow monks,

I'm new to Perl CGI, and in my first stab at an application I'm wrestling with the issue of how to call from the perl cgi program context out to processes and programs in the general OS environment.

My CGI app is running in a Win2K and IIS setup on our intranet (thus relaxed security), and when I call for instance `ps.exe` to get a process list, I seemingly get a small list from the CGI application apartment only, and not the full list from the general OS-environment.

I've scanned the docs for an explanation, but not found any, but maybe the distinguished Perl sangha can enlighten this poor monk...

Best regards,
Allan Dystrup

update
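Example: this Perl program called using backticks from my cgi does nothing. When called from the command line, it kills the cruisecontrol process (as requested)... Seems a security issue of a sort, but what?

    #!/usr/bin/perl -w
    use strict;
    use warnings;
    use Data::Dumper;

    my (@ccnet, $ccpid);
    # List processes with the external ps utility, one line per process
    @ccnet = split(/\n/, `ps`);
    # Keep only the line(s) mentioning ccnet.exe
    @ccnet = grep(/ccnet.exe/, @ccnet);
    # Take the first whitespace-delimited number as the PID
    ($ccpid) = "@ccnet" =~ /\s+(\d+)\s+/;
    # Signal the process only if a PID was found
    $ccpid and kill('HUP', $ccpid);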

Replies are listed 'Best First'.
Re: CGI, application context and security
by chromatic (Archbishop) on Apr 07, 2007 at 19:35 UTC

    I don't use IIS or Windows, but I seem to recall that the default setup uses a low-privileged user account to run programs via CGI. That account probably cannot see all of the processes running on the system.

    There are lots of potential solutions, including granting additional privileges to that account. That may have security implications, however.

      Yes, I agree that this must be a sec. issue. I've granted the internet guest/anon acct. and the NTLM accounts the necessary read&exec rights to the cgi-bin folder with the programs in question, -- but the problem persists. Arrrgghh! Will sleep, and have a look at it tomorrow. Thanks! -- allan
Re: CGI, application context and security
by ww (Archbishop) on Apr 08, 2007 at 01:28 UTC

    Do you have a "Win2K and IIS setup" that knows about `ps` ?? After copy-pasting your code to ady.pl, execution on my w2k goes like this:

    C:\_wo_ww>perl ady.pl
    'ps' is not recognized as an internal or external command,
    operable program or batch file.

    C:\_wo_ww>

    And which version of windoze that knows anything from HUP?

    I think you may wish to clarify by answering the question "what's running where?"

    There's another puzzle for me, the doubled-backticks around ps, used as if for quoting: Is this a browser artifact or typo or ???

      hi ww,

      The ps.exe is a unix-util from MKS, but it was installed with restricted access rights on my Windows, -- thus it failed;

      ps.exe knows about HUP, as does Perl IPC.

      And yes, there should be only `single backticks` equal to qx// to backquote a string.

      Best regards
      allan
Re: CGI, application context and security
by ady (Deacon) on Apr 08, 2007 at 18:19 UTC

    chromatic, ww && eric256

    You are all right: MS IIS uses the default IUSR_<machine> for anon access, and this user must have appropriate ACL privileges (R.X) set for the relevant groups in order to access files from the CGI program.

    Changing the privileges for the IUSR and the file ACL fixed the access problem; then of course I ran into another issue (the IUSR wasn't authorized to access the VSS-database on a network share...), but now I know how to tweak the IIS user privileges in order to allow the CGI-program to access the necessary resources.

    The HTTP/CGI programming model, and not the least: the security model, is significantly different from developing rich clients. I found these refs useful for a Perl CGI beginner...
    Course
    TroubleShoot

    And then I'm switching to Perl Win32 modules instead of external utility programs for a more robust solution.

    Best regards
    allan
Re: CGI, application context and security
by eric256 (Parson) on Apr 08, 2007 at 15:31 UTC

    In Apache, web scripts get run as a special user. You have to give that user the permissions to do the things you need. I don't know how that translates to IIS and Win2K but I'm sure there are similar issues. So find out what user your scripts are getting run as, and then figure out how to change its permissions.


    ___________
    Eric Hodges
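
Added example, not part of any post in this thread: a small CGI diagnostic for the step the replies converge on, namely finding out which account the script runs as and whether that account can start the external utility. The path in `$UTIL` is a placeholder, and the sub names `running_as` and `report` are made up for this sketch.

```perl
#!/usr/bin/perl
# Added example (not from the thread): report the account a CGI script runs
# as and what happens when it tries to start an external utility.
use strict;
use warnings;

# Assumption: placeholder path of the utility the CGI shells out to.
# Keep this a fixed value; never build it from request parameters.
my $UTIL = 'C:/path/to/ps.exe';

sub running_as {
    # On Windows ask the Win32 module; elsewhere map the effective UID to a name.
    if ($^O eq 'MSWin32') {
        require Win32;
        return Win32::LoginName();
    }
    return scalar(getpwuid($>)) || "uid $>";
}

sub report {
    my ($path) = @_;
    my @lines = ('running as: ' . running_as());
    push @lines, "utility: $path", 'exists: ' . (-e $path ? 'yes' : 'no');

    # Perl's -r/-x file tests do not evaluate NTFS ACLs on Windows, so the
    # run attempt itself is the authoritative check. stderr is folded into
    # the captured output so "access denied" style messages are not lost.
    my $out    = `"$path" 2>&1`;
    my $status = $? == -1 ? "could not start ($!)" : 'exit code ' . ($? >> 8);
    my @rows   = defined $out ? split(/\n/, $out) : ();

    push @lines, "run result: $status", 'output lines: ' . scalar(@rows);
    push @lines, "first line: $rows[0]" if @rows;
    return join("\n", @lines) . "\n";
}

# Plain-text CGI response, so the same script is readable from a console too.
print "Content-Type: text/plain\r\n\r\n", report($UTIL);
```

Run it once from a console and once through the web server: a different `running as` value together with a failed run under the server points at that account's ACLs on the utility rather than at the Perl code. Grant only the read and execute rights the report shows are missing, and take the script off the server afterwards.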
