nlafferty has asked for the wisdom of the Perl Monks concerning the following question:

In a severe blunder I killed all of my sshd processes. Without telnet enabled I thought that there may be a way to restart sshd with a cgi-script. Although I know this is insecure, is it possible and safe for that limited amount of time that I need it? What would be included in such a script? Any comments/help welcomed.

Replies are listed 'Best First'.
Re: execute a program / cgi
by ignatz (Vicar) on Apr 17, 2002 at 21:30 UTC
    This is a bad path to go down. One severe blunder does not justify another.

      Moreover, in any sane set-up you can't. CGI scripts are run with the permission of user nobody... And this user definitely can't launch sshd, you must be root to do it.

      Cheers
      Leo TheHobbit
      GED/CS d? s-:++ a+ C++ UL+++ P+++>+++++ E+ W++ N+ o K? !w O? M V PS+++
      PE-- Y+ PPG+ t++ 5? X-- R+ tv+ b+++ DI? D G++ e*(++++) h r++ y+++(*)
Re: execute a program / cgi
by wardk (Deacon) on Apr 17, 2002 at 21:35 UTC
    Since this was a "blunder", perhaps it's a one-time problem? You already know that you don't want to do this sort of thing. Perhaps instead of trying to restart sshd via a CGI script, you'd be better served to work to ensure that this sort of blunder cannot re-occur and address restarting them using an entirely different (and secure) method in case it somehow happens again?

    Seems solving it this way would just be compounding the blunder, not alleviating it!

      Suggestions? I have ftp and apache running. My first thought was to upload into cron.hourly but root isn't allowed to log in to ftp. Not a Perl question anymore, but you must have some other methods in mind :) Thanks

        Sounds like you have only remote access to the box? Or is this just a case where you are trying to get a one-time problem resolved in short-time, and can get to it later?

        Based on my SA skills (which are not professional) I would say you either have to get local access to the box, or contact an SA who can, to restart the daemon. If the box is properly locked down methinks you should only be able to restart this locally. Period.

Re: execute a program / cgi
by perrin (Chancellor) on Apr 17, 2002 at 21:41 UTC
    This is easy to solve. Just install one or more scripts from Matt's Script Archive. Then, if you accidentally kill sshd, you can just r00t your box and restart it! By the way, please post the IP of your box after you do this. I have some stuff that I want to mail from it.

    UPDATE: Oh well, I thought it was funny, but I guess not everyone did.

      Thanks, you have been very helpful. The ip is 127.0.0.1
        The ip is 127.0.0.1

        Sweet! This box has a ton of warez and porn on it! Oh, wait a minute...

Re: execute a program / cgi
by ehdonhon (Curate) on Apr 17, 2002 at 22:07 UTC

    In order for this to work, you would need to be able to upload a cgi script with the ability to run as root. If this is actually a possibility for you, then I strongly recommend you reconsider the security precautions you are taking with your webserver. Otherwise, you are enabling any user that can find a vulnerability in your site to potentially gain root access on your server. It is much wiser to let your server run as an un-privileged user.