mdog has asked for the wisdom of the Perl Monks concerning the following question:

Brethren --

This one is killing me. I've got a very simple script that, when called from the command line, will stop any service I specify, but when called over HTTP, looks like it executes OK but doesn't do anything to the service.

I have gone into the service I want to mess with (under properties), toggled to the "Log on" pane and made sure to check the "Allow service to interact with desktop" for ALL IIS related services.

This is clearly some permissions problem, but I'm stumped. This is WinXP and IIS 6, BTW.

Thanks,
mdog

use CGI qw/:standard escape unescape/;
use Win32;
use Win32::Service;

my $Server = "";
my %statusCode;
$statusCode{1} = "Stopped";
$statusCode{4} = "Started";

my $serviceName = $ARGV[0];
my $action = $ARGV[1];

main();

sub main{
    print header;
    print "hi";
    stopService($Server,"MSFtpsvc");
    #if($action eq "start"){
    #    startService($Server,$serviceName);
    #} elsif($action eq "stop"){
    #    stopService($Server,$serviceName);
    #}
    #ServiceState();
}

sub ServiceState{
    my %status;
    Win32::Service::GetStatus($Server, $serviceName, \%status);
    print qq|Service $serviceName is currently: | . $statusCode{$status{CurrentState}} . "\n";
}

#*********************************************************************
# Stop/Start service
sub stopService {
    my ($Server, $Service) = @_ ;
    my %status;
    Win32::Service::GetStatus($Server, $Service, \%status);
    if($status{CurrentState} eq "4"){
        Win32::Service::StopService($Server, $Service);
    }
    sleep 5;
    Win32::Service::GetStatus($Server, $Service, \%status);
    if($status{CurrentState} ne "4"){
        print "$Service is stopped\n";
    }
}

sub startService {
    my ($Server, $Service) = @_ ;
    my %status;
    Win32::Service::GetStatus($Server, $Service, \%status);
    if($status{CurrentState} ne "4"){
        Win32::Service::StartService($Server, $Service);
    }
    sleep 5;
    Win32::Service::GetStatus($Server, $Service, \%status);
    if($status{CurrentState} eq "4"){
        print "$Service is started\n"
    }
}

Re: CGI + IIS + Win32::Service == Doh!
by NetWallah (Canon) on Feb 14, 2004 at 21:59 UTC
    If you do not have any specific IIS permissions on the CGI script, it will run as IUSER_Machine_Name, which probably does not have the rights to start/stop services.

    I suggest taking OFF anonymous access to the CGI script - then it will inherit the ID from whoever logs on.

    "When you are faced with a dilemma, might as well make dilemmanade. "
      You should be very careful when changing the account that CGI runs as. You're giving anyone who finds a vulnerability in IIS, or your script, way too much access to your box.

      There are safer ways to do this. One of the easiest is to have the CGI script write a flag file, or a row in a database table (if it already has DB access for something else) that tells a back-end process what to do. The back end then (a) has permissions to do things, and (b) isn't a script that's exposed to the outside world. Yes, you're writing two scripts instead of one, but the reduction in risk is worth it.


      --
      Spring: Forces, Coiled Again!
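
The flag-file hand-off suggested in the reply above, sketched in Perl as an added example (not code from the thread): the CGI side only queues an allowlisted request, and a separate worker running under an account that may control services acts on it. The spool directory, the allowlist contents and the `--worker` switch are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: unprivileged CGI queues a request, privileged worker executes it.
use strict;
use warnings;
use File::Temp qw(tempfile);
use File::Spec;

my $SPOOL   = $ENV{SVC_SPOOL} || 'C:/svcspool';           # hypothetical spool directory
my %ALLOWED = (MSFtpsvc => { start => 1, stop => 1 });    # assumed allowlist

# Front end (anonymous IIS account): validate, then queue. Never touches services.
sub queue_request {
    my ($service, $action) = @_;
    return 0 unless defined $service && defined $action;
    return 0 unless $ALLOWED{$service} && $ALLOWED{$service}{$action};
    my ($fh, $tmp) = tempfile('reqXXXXXX', DIR => $SPOOL, SUFFIX => '.tmp');
    print {$fh} "$service $action\n";
    close $fh or return 0;
    (my $final = $tmp) =~ s/\.tmp$/.req/;
    return rename($tmp, $final) ? 1 : 0;   # rename so the worker never reads a partial file
}

# Back end: drain the spool and pass each valid request to the callback.
sub process_spool {
    my ($do) = @_;
    my @done;
    opendir(my $dh, $SPOOL) or die "cannot open spool $SPOOL: $!";
    for my $name (sort grep { /\.req$/ } readdir $dh) {
        my $path = File::Spec->catfile($SPOOL, $name);
        open(my $fh, '<', $path) or next;
        my $line = <$fh> // '';
        close $fh;
        unlink $path;
        # The web account can write here, so file contents are untrusted: re-validate.
        my ($service, $action) = $line =~ /^(\w+) (start|stop)$/ or next;
        next unless $ALLOWED{$service} && $ALLOWED{$service}{$action};
        $do->($service, $action);
        push @done, "$service $action";
    }
    closedir $dh;
    return @done;
}

# Worker entry point, using the same Win32::Service calls as the original script.
if (@ARGV && $ARGV[0] eq '--worker') {
    require Win32::Service;
    process_spool(sub {
        my ($svc, $act) = @_;
        $act eq 'stop' ? Win32::Service::StopService('', $svc)
                       : Win32::Service::StartService('', $svc);
    });
}
```

Give the web account write access to the spool directory only, and run the worker from a scheduled task or service rather than from anything reachable over HTTP.
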
      Many thanks! I obviously hadn't thought to change the permissions at the ISM level. Went in and changed who was running the script with anonymous access from IUSER to my account and everything worked great!

      Thanks again!
      mdog

        Like paulbort says, it is a security hazard to have the script running privileged commands for anybody.

        My suggestion was to remove Anonymous access - this would require some other form of User authentication before the script was run - either "Integrated NT", or Cleartext. If you are on the Internet, I would recommend Cleartext over HTTPS.

        "Experience is a wonderful thing. It enables you to recognize a mistake when you make it again."