In Perl CGI, how can I use UNIX commands? - perl

I'm trying to run ssh, mkdir from a Perl CGI script. It's not working. But in normal Perl script, it is working fine. Can any one tell me how to run commands in a Perl CGI script?

If you're running this script via a webserver, chances are the active user (e.g. "nobody", "www", etc) may not have the necessary privileges to execute commands like mkdir and ssh. If so, that is not something that perl can fix. You can test who the active user is with something like:
print "The active user is: ", `whoami`;
It is also a security concern, to have your web user privileges set to create files and perform commands.

system() or popen() are probably what you're looking for, if you're feeling dirty I think you can use back ticks too.

Do you need to run unix commands? Perl has a built-in mkdir, and there are modules to handle SSH. Normally a CGI process is going to have limited capabilities or access to the system. The more you can do in Perl the better.

Related

Can I setuid a perl script?

I made a perl script to change owner of a file owned by some other user. Script is complete. My administrator save that in /sbin directory and set uid for it using chmod u+s name_of_script. But when I run this script it gives me error that chown operation is not permitted. I made a C program and it works by following same steps. So my question is if setuid is working for perl then I should not get that error because C code did not give me any error. So can i setuid for perl script or I should go with c code.
Don't tell me to ask administrator to change owner each time. Actually in server I have user name staging and I am hosting a joomla site in it. Now when I install some plugin then files related to that plugin are owned by www-data. So that's why I do not want to go to admin each time. Or you can give me some other solution also regarding my problem.
Many unix systems (probably most modern ones) ignore the suid bit on interpreter scripts, as it opens up too many security holes.
However, if you are using perl < 5.12.0, you can run perl scripts with setuid set, and they will run as root. How it works is that when the normal perl interpreter runs, and detects that the file you are trying to execute has the setuid bit set, and it then executes a program called suidperl. Suidperl takes care of elevating the user's privileges, and starting up the perl interpreter in a super-secure mode. suidperl is itself running with setuid root.
One of the consequences of this is that taint mode is turned on automatically. Other additional checks are also performed. You will probably see messages like:
Insecure $ENV{PATH} while running setuid at ./foobar.pl line 3.
perlsec provides some good information about securing such scripts.
suidperl is often not installed by default. You may have to install it via a separate package. If it is not installed then you get this message:
Can't do setuid (cannot exec sperl)
Having said all of that - you would be much better off using sudo to execute actions with elevated privileges. It is much more secure as you can specify exactly what is allowed to be executed via the sudoers file.
As of perl 5.12.0, suidperl was dropped. As a result, if you want to run a perl script on perl >= 5.12.0 with setuid set, you would have to write your own C wrapper. Again I recommend sudo as a better alternative.
No, you cannot use setuid aka chmod +s on scripts. The script's interpreter would be the thing that would actually need to be setuid, but doing that is a really bad idea. REALLY bad.
If you absolutely must have something written in Perl as setuid, the typical thing to do would be to make a small C wrapper that is setuid and executes the Perl script after starting. This gives you the best of both worlds in having a small and limited setuid script but still have a scripting language available to do the work.
If you have a sudo configuration that allows it (as most desktop linux distributions do for normal users), you can start your perl script with this line:
#!/usr/bin/env -S -i MYVAR=foo sudo --preserve-env perl -w -T
Then in your script before you use system() or backticks explicitly set your $ENV{PATH} (to de-taint it):
$ENV{PATH} = '/usr/bin';
Other environment variable that your script explicitly mentions or that get implicitly used by perl itself will have to be similarly de-tainted (see man perlsec).
This will probably (again depending on your exact sudo configuration) get you to the point where you only have to type in your root password once (per terminal) to run the script.
To avoid having to type your password at all you can add a line like this to the bottom of /etc/sudoers:
myusername ALL=(ALL) NOPASSWD:ALL
Of course you'd want to be careful with this on a multi-user system.
The -S options to env splits the string into separate arguments (making it possible to use options and combinations of programs like sudo/perl with the shebang mechanism). You can use -vS instead to see what it's doing.
The -i option to env clears the environment entirely.
MYVAR=foo introduces an environment variable definition.
The --preserve-env option to sudo will preserve MYVAR and others.
sudo sets up a minimal environment for you when it finds e.g. PATH to be missing.
The -i option to env and --preserve-env option to sudo may both be omitted and you'll probably end up with a slightly more extensive list of variables from your original environment including some X-related ones (presumably the ones the sudo configuration considers safe). --preserve-env without -i will end up passing along your entire unsanitized environment.
The -w and -T options to perl are generally advisable for scripts running as root.

parallel SSH in perl

I am trying to create a script in perl which can ssh to multiple hosts (500+), execute a desired command, and show output on the screen. I have done this with the Net::OpenSSH module, as ssh-keys are not configured and I am not allowed to configure those. So, I have to use a thing which can supply the password while doing ssh.
Due to the many connections, it takes considerable time while doing the thing. I searched for "parallel ssh in perl" and discovered that there is a module for opening parallel ssh (Net::OpenSSH:Parallel), but I read somewhere on some forums that I cannot capture output with this module like I can capture using Net::OpenSSH ($ssh->caputre(ls)).
So, how can I accomplish parallel ssh in a more expedient manner? Also, I welcome any other suggestions I can use to save time. Would using Net:OpenSSH in threads save my time or will it work exactly like parallel?
You can fork your program and manage the forks with something like Parallel::ForkManager. Then do the SSH work + capture using Net::OpenSSH and display the results to the screen. You'll need to be careful with your IO though since all those processes trying to write to STDOUT/STDERR at the same time will get garbled results. You'll need to do something like the answer from this question (pipes between parent and child processes): fork() and STDOUT/STDERR to the console from child processes
Parallel programming is harder than serial, so be prepared for some fun :)
One way is to use a shell script to execute your perl script:
#!/bin/bash
for host in $(cat myhosts)
do
perl myperl.pl $host $1 $2 &
done
where myhosts is a file containing 500+ host names

Input Redirection for Password in Perl Script from Command Prompt

I am using a Windows System Command Prompt to call on a Perl Script. At one point and time, the Perl Script calls on svn+ssh to update a repo. The repository that is called asks the for user input - specifically a password.
I am trying to automate the execution of the Perl Script, but it continually gets hung up on the call to svn. I have tried many forms of input redirection (specifically < with an external file, | with cat, and the windows power shell use of the # symbol to specify a multi-lined string). Is there a way to input a password for this Perl script?
For purposes of this problem, I do not have access to the Perl Script and I will need to implement a work around.
You don't mention the svn+ssh implementation the script uses, but my guess is that the problem is this:
SSH clients tend to ask for passwords directly from the terminal. Password prompts often don't read from stdin, so you can't redirect input. For example, the OpenSSH client does it that way. It is designed that way to prevent users from doing insecure things - like storing passwords in files, environment variables or shell variables.
The common recommandation in this situation is to use public key authentication.
Without knowing your script, it will not be possible to come up with a workaround I think.

How do use perl to trigger another perl scipt running on another machine?

Need a way to have a perl script running on one machine run a perl script running on another.
The remote machine config is:
CentOS-5.5,
it's on the same network is the requesting machine,
has a DNS,
ports-open(SSH,HTTP)
Questions, feedback, comments -- just comment, thanks!!
Is this what you want?
system("ssh user#remotemachine perl <remote script's full path>");
will run the script on remote machine.
you may want to ssh without password, check: http://linuxproblem.org/art_9.html
As #Nylon Smile mentioned, you can use system to invoke the system's ssh client. If you want to do this without relying on external binaries (in particular because you want to handle password authentication differently), try Net::SSH::Perl, available from CPAN.
use Net::SSH::Perl;
my $ssh = Net::SSH::Perl->new('host');
$ssh->login('username', 'password');
my ($stdout, $stderr, $exit_code) = $ssh->cmd(
'perl some_script.pl --with=some_args',
'optionally, some stdin for that script'
);
Net::SSH::Perl can be a bit of a pain to install, but there are several other CPAN modules (most of which rely on an installed OpenSSH) and are a bit easier to deal with while providing a similar api. See also Net::SSH and Net::OpenSSH.
The above answers are fine for a one-off, but if you're doing this sort of thing a lot, you may want to look into some sort of messaging system like AMPQ (e.g. RabbitMQ) and set up queue listeners.

How to open ssh session and execute commands from a Perl script?

I have a Perl script running on a Windows machine. I need this script to open a ssh session to a remote Unix machine, and to be able to execute certain commands on that Unix machine and to be able to get the output returned from these commands.
These commands are generated during the run-time of the script, and there are many of them executed at different times.
How can I do it?
Approach 1: Use CYGWIN: http://perlwin32ssh.blogspot.com/2007/07/test_4418.html
Approach 2: Use Net::SSH::W32Perl module.
This is one thread discussing how to install it: http://code.activestate.com/lists/perl-win32-users/29180/ (It seems to require downloading custom version of the module)
This thread should help with the problems arising from dependencies on math libraries needed for ssh calculations: http://www.issociate.de/board/post/494356/I%27m_trying_to_install_%27Net::SSH::Perl%27_on_a_Windows_Box..html
Caveat emptor: I never installed this, the above is just result of some analysis of google results.
#!/usr/bin/perl
system("ssh foo 'ls -l'");
Or go through the hassle of using ptmx(4) on the local side and ssh -t for remote.