# How to execute system commands via cgi



## antuan (May 21, 2017)

For the simple purpose of learning and testing, I am trying to execute system commands in a virtual machine via CGI scripts on an Apache server. For example: create a user, or turn off and reboot the computer.
I just want to get an idea of how to do it, and maybe to create my own web services.

Thank you to anyone who can clarify this for me.


----------



## ShelLuser (May 21, 2017)

First: you're in the wrong forum. This forum is all about porting new software, aka: trying to add it to the FreeBSD ports collection. A better choice would have been the Web and Network Services forum. Don't get me wrong here: it's not the end of the world, but picking the right forum is also in your best interest because your question will get more attention from people interested in that same topic.

_Aaaanyway...._



antuan said:


> For the simple purpose of learning and testing, I am trying to execute system commands in a virtual machine via CGI scripts on an Apache server. For example: create a user, or turn off and reboot the computer.
> I just want to get an idea of how to do it, and maybe to create my own web services.


First of all be very careful here and ensure that you lock down your environment, otherwise it could be abused by others.

As to how to do this...  A CGI script (Common Gateway Interface) is already by design a script which executes on the console. An often used approach is to use Perl for this, but other languages are usable too of course.

All you basically need to do is to set up Apache with CGI support, then write the actual script (also explained on that same webpage).

Keep one important thing in mind though: your script will most likely be executed under the same process ID which the webserver uses (probably www with UID 80 (see /etc/passwd as well as your Apache configuration)). Which means that some system commands are most likely off-limits. Shutting down your server for example.

I suppose you could try to use security/sudo to set this up; this would allow you to grant a specific user account to run specific commands while raising its security status to root.

Hope this gives you some ideas.


----------



## antuan (May 22, 2017)

I apologize, I did not pay attention to what forum I was in. I will therefore close this one and put it back in the right place.


----------



## antuan (May 22, 2017)

For the simple purpose of learning and testing, I am trying to execute system commands in a virtual machine via CGI scripts on an Apache server. For example: *create a user*, or *turn off* and *reboot* the computer.
I just want to get an idea of how to do it, and maybe to create my own web services.

I have set up Apache, which I use with CGI, and everything works fine with ordinary scripts (*scripts that do not touch the system*). I also installed *sudo* with this configuration:

`ALL(ALL) NOPASSWD: ALL`

To run my scripts with *sudo*; but this is not functional as is.

What interests me at the moment is being able to execute system scripts; once this is done, I will look at the question of security.


----------



## SirDice (May 22, 2017)

antuan said:


> What interests me at the moment is being able to execute system scripts; once this is done, I will look at the question of security.


That's the wrong order. Security is not something you can bolt on after the fact. Security needs to be integrated and applications need to be written with security in mind from the start.


----------



## SirDice (May 22, 2017)

antuan said:


> I apologize, I did not pay attention to what forum I was in. I will therefore close this one and put it back in the right place.


Please don't create a new thread, just wait for a mod or admin to move it. 

Threads, more or less, merged and moved.


----------



## antuan (May 22, 2017)

OK, I will know from now on.
*About security*: I totally agree that this is the most important, but if I have not done anything yet, what will I create security rules for?
I recall that I do my tests in a virtual machine (KVM). So all I risk is breaking my virtual machine, which I created for this purpose anyway.


----------



## drhowarddrfine (May 22, 2017)

This is a very broad topic. You cannot do this with CGI alone except through an application that allows your server to talk to it via CGI.


----------



## antuan (May 22, 2017)

That's why I'm asking the question.


----------



## antuan (May 22, 2017)

And this could probably be instructive for many people


----------



## SirDice (May 22, 2017)

What you probably want to do, the safest option in my opinion, is to create a daemon that listens for commands from the CGI application. The daemon can run on elevated privileges and filter any input being sent from the CGI application. That way there are no elevated privileges needed for the CGI application itself. You do not want to run Apache (or any other web server) as root. You also don't want to have the CGI issue root commands directly, just imagine what this could cause if there's a (shell-injection) vulnerability in the CGI application.


----------



## antuan (May 22, 2017)

such as `service xxxx (start|stop|restart)` in *rc.d* ?


----------



## ShelLuser (May 22, 2017)

antuan said:


> such as `service xxxx (start|stop|restart)` in *rc.d* ?


Keep in mind that this only addresses the rc.d script, not the actual service itself. But yeah, the idea is basically to utilize a daemon of some sort.


----------



## antuan (May 22, 2017)

OK, I created a service in rc.d, but how do I run it if I am not root?


----------



## tingo (May 22, 2017)

sudo(8)?


----------



## pming (May 23, 2017)

I agree with SirDice about setting up a daemon which executes your commands; this is probably the safest option.

Depending on what the commands you want to execute are, you could also use PHP with something like `shell_exec()`. http://php.net/manual/en/function.shell-exec.php

Keep in mind however that this is quite risky and I wouldn't deploy something like this in production without the help of some Webserver / PHP professional.


----------



## antuan (May 24, 2017)

Indeed, this solution seems to be the right option. So, I'm reading everything in the wiki about *rc.d* and the *creation of daemons*.


----------



## antuan (Jun 9, 2017)

Well, after feeling around the *rc system* to better understand how it works, I was able to accomplish what I wanted. I created a file that I named *testcgi* and in which I put this:


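```
#!/bin/sh

# Load the rc.subr helper functions.
. /etc/rc.subr

name="testcgi"
rcvar=testcgi_enable
start_cmd="${name}_start"
stop_cmd=":"    # stopping does nothing

# Read rc.conf settings; the service is disabled unless enabled there.
load_rc_config $name
: ${testcgi_enable:=no}

# "service testcgi start" reboots the machine immediately.
testcgi_start(){
    /sbin/shutdown -r now
}

run_rc_command "$1"
```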

Then I created a *loadrc.cgi* file


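```
#!/bin/sh

# CGI response header, followed by the blank line that ends the headers.
echo "Content-type: text/plain"
echo ""

# Start the testcgi rc.d service as root through sudo.
/usr/local/bin/sudo service testcgi start
```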

I've allowed *www* to run the *cgi script in sudoers*, and it works in a childish way. So simple that at this point I ask the question: what are the rules of security that must be taken into account?


----------
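The input filtering SirDice describes and a narrower sudo rule, applied to the *loadrc.cgi* above, as an added example that is not code from any poster in this thread. It goes slightly beyond the thread by accepting a request parameter; the `action` parameter, the `uptime` entry and the sudoers line quoted in the comment are assumptions.

```sh
#!/bin/sh
# Added example (constructed), a stricter loadrc.cgi.
# Assumed sudoers rule instead of a blanket "NOPASSWD: ALL":
#   www ALL=(root) NOPASSWD: /usr/sbin/service testcgi start
# The "action" parameter and the "uptime" entry are hypothetical.

# Print the value of parameter $2 from query string $1 (no eval, no decoding).
get_param() {
    _rest=$1
    while [ -n "$_rest" ]; do
        _pair=${_rest%%"&"*}
        case "$_rest" in
            *"&"*) _rest=${_rest#*"&"} ;;
            *)     _rest= ;;
        esac
        if [ "${_pair%%=*}" = "$2" ]; then
            printf '%s' "${_pair#*=}"
            return 0
        fi
    done
    return 1
}

# Allowlist: each accepted token maps to a constant command line.
# Request data is only ever compared, never placed into a command.
resolve_action() {
    case "$1" in
        reboot) printf '%s' "/usr/local/bin/sudo -n /usr/sbin/service testcgi start" ;;
        uptime) printf '%s' "/usr/bin/uptime" ;;
        *)      return 1 ;;
    esac
}

# Print the command for a query string, or fail for anything not allowlisted.
command_for_query() {
    _action=$(get_param "$1" action) || return 1
    resolve_action "$_action"
}

# Run only under a web server (CGI sets GATEWAY_INTERFACE).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    if cmd=$(command_for_query "${QUERY_STRING:-}"); then
        printf 'Content-type: text/plain\n\n'
        $cmd 2>&1   # constant string from the allowlist, split into words
    else
        printf 'Status: 400 Bad Request\nContent-type: text/plain\n\n'
        printf 'unknown action\n'
    fi
fi
```

Because the sudoers rule names the full command with its arguments, the *www* user can run that one service action as root and nothing else, and `sudo -n` fails instead of prompting if the rule is missing.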

