adam_blackice has asked for the wisdom of the Perl Monks concerning the following question:

Hello all, I want to make a simple CGI script that takes its parameters from a text field in a form.

First I created the form page, which is command.pl:

    #!/usr/bin/perl -w
    print "Content-type: text/html\n\n";
    print"<html><head><title>User-add Page</title></head>";
    print"<body>";
    print"<H1>Enter Your userName</H1>";
    print"<form method='post' action='webmin.pl'>";
    print"name: <input type='text' name='name' size=40>";
    print"<br>";
    print"<input type='submit' value='Submit'><br>";
    print"<br>";
    print"<input type='reset' value='Clear'>";
    print"<br>";
    print"</form>";
    print"</body></html>";


Second, I made the action page (webmin.pl) that the output will be printed in:

    #!/usr/bin/perl -w
    use CGI;
    $cgi=new CGI;
    print $cgi->header();
    print $cgi->body("<p><center><h1> User add page</p><center></h1>");
    # The form field is interpolated into a shell command string unchanged.
    $input = $cgi->param('name');
    # system returns the exit status of the command, not its output.
    $name = system "useradd $input";
    print "anew user has been added to you system :$name";
    print $cgi->end_html();

I tried to run that; everything was fine and the action page printed ...
but when I checked for the user I cannot find him on my system!
And if I want to add a password option for this script, can I make it the same way, by
adding a password option in the form and pointing to it in the action script the same way:
system "passwd $input2" ?

Replies are listed 'Best First'.
Re: cgi script error
by graff (Chancellor) on Apr 09, 2007 at 01:11 UTC
    Um... is that the linux "useradd" program you're trying to run from the web server? Isn't that a "root-only" activity -- and rightly so?

    Only root (superuser), or a user to whom root has granted "sudo" access for the "useradd" command, is allowed to use this tool, and this is a good thing, because you really don't want just anyone to be able to do this -- certainly not the web server (which typically runs under a special user account with carefully limited permissions).

    Apart from not wanting a web page where anyone can come in and create a linux user account for themselves (that would be spammer/hacker heaven!), you also really do not want a string passed in via a cgi POST to be passed directly to a command-line shell, which is what you are doing with that system call. This is another thing that malicious hackers really love to see.

    Read up on taint checking in perlsec and maybe use the PM SuperSearch to look up stuff on taint checking. (I'll bet there's stuff in the Tutorials wing that will be very helpful for you.)

Re: cgi script error
by f00li5h (Chaplain) on Apr 09, 2007 at 01:53 UTC

    $name = system "useradd $input";

    perldoc -f system tells us that "The return value [of system] is the exit status of the program".

    You want to check that with something like 0 == system @command_and_args or die "system didn't do it for me: $?" ( using the 0== so as to get something false when system returns a non-zero exit code allowing the use of use or die that folks are used to)

    Also, some general complaining about style. All the prints in your first script (that generate the html form) would look less "smelly" if you were to use a heredoc or other quotelike or just a plain html file instead of a perl script.

    I like your use of print $cgi->header(); in the second script, too.

    @_=qw; ask f00li5h to appear and remain for a moment of pretend better than a lifetime;;s;;@_[map hex,split'',B204316D8C2A4516DE];;y/05/os/&print;
      Thanks for your help ...,
      but I am a newbie who wants to make a simple program that
      administers the Linux environment.
      How can I think about that?
      I think when I am using the system function I can use it to administer the Linux environment through it.
      So how can I think about something like that?
      And thanks for all.

        It won't help you with your perl, but there are many other control panels which do all of that and more.

        If you're just wanting to do it as an exercise, I'd say admin on a unix-like is not a good starting project.

        To do it, you'd need a daemon running as root (so you have the permissions) that is given commands through some sort of queue mechanism (like a table in a database or some funky inter-process communication to get the messages across). Running CGI scripts as root is likely to end badly even if you do all the things listed in perlsec (like using -T).

        Proc::Daemon will give you your daemon, you can just connect to the database, and then check (say every minute) for rows in the stuff_to_do table...

        'tis a big task...

        Also there was an example of your useradd in either Perl for System Administration or Automating UNIX and Linux Administration. I'm not sure which.

        @_=qw; ask f00li5h to appear and remain for a moment of pretend better than a lifetime;;s;;@_[map hex,split'',B204316D8C2A4516DE];;y/05/os/&print;
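
The following is an added example, not code from any poster in this thread. It puts the replies' three points together: taint mode (-T), validating the form value before use, and calling system in list form with the exit status checked. The username pattern, the helper names clean_username and run_checked, the sample inputs and the /bin/echo stand-in for useradd are assumptions made for illustration; it does not address the privilege question raised above.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Taint mode refuses to run external programs with an inherited PATH,
# so set a fixed one and drop variables that influence the shell.
$ENV{PATH} = '/usr/sbin:/usr/bin:/sbin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Accept only a conservative login-name shape (assumed policy). The regex
# capture is what untaints the value; \A and \z also reject a trailing newline.
sub clean_username {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([a-z_][a-z0-9_-]{0,30})\z/ ? $1 : undef;
}

# Run a command in list form, so no shell parses the arguments, and
# decode $? the way "perldoc -f system" describes.
sub run_checked {
    my @cmd = @_;
    my $rc = system { $cmd[0] } @cmd;
    return "failed to start: $!" if $rc == -1;
    return sprintf('killed by signal %d', $? & 127) if $? & 127;
    return sprintf('exit status %d', $? >> 8);
}

# Constructed sample inputs standing in for $cgi->param('name').
my @samples = ('alice', 'bob; echo injected', '../etc', '', 'Root');

# Command-line arguments are checked as well; those are tainted under -T.
for my $raw (@samples, @ARGV) {
    my $name = clean_username($raw);
    if (!defined $name) {
        print "rejected: '$raw'\n";
        next;
    }
    # Stand-in: echo the command instead of running useradd, which needs root.
    my $status = run_checked('/bin/echo', 'would run:', 'useradd', $name);
    print "accepted: '$name' ($status)\n";
}
```

Run it as "perl -T example.pl", because perl refuses a -T that appears only on the #! line. Only 'alice' passes the check; the other four sample values are rejected before any command is built.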