[SOLVED] How to run a script on host machine from a webpage

MetaMan · 07-26-2011, 05:08 PM

I was wondering if it was possible to run a script (something.sh) on a server when a button on a webpage is pressed. I'm going to have to guess that php is involved...

I already have Apache set up and I will set up php if I have to.

Thanks!

TB0ne · 07-26-2011, 05:13 PM

Quote:

Originally Posted by MetaMan

I was wondering if it was possible to run a script (something.sh) on a server when a button on a webpage is pressed. I'm going to have to guess that php is involved...

I already have Apache set up and I will set up php if I have to.
Thanks!

It is possible, yes. You can either do it with PHP (read up on the exec function), or put it in your cgi-bin directory and run it from there. Going the PHP route would be safer, though, but be warned...what you're suggesting is *NOT* a safe practice. Such scripts are then prime targets for anyone who wants to compromise your system.

MetaMan · 07-26-2011, 09:10 PM

Quote:

Originally Posted by TB0ne

It is possible, yes. You can either do it with PHP (read up on the exec function), or put it in your cgi-bin directory and run it from there. Going the PHP route would be safer, though, but be warned...what you're suggesting is *NOT* a safe practice. Such scripts are then prime targets for anyone who wants to compromise your system.

All I wanted to be able to do was stop a daemon (One command!). I know I could do this with, say, ssh, but I wanted to be able to do is access it from an Android phone. Plus, I don't plan on opening the server to the outside world. Plus plus, I would set up something in the .htaccess file (Or something like that) to password protect the page.

Is it still dangerous?

roastinghosting · 07-27-2011, 03:12 AM

This is possible as the above posters say by using the PHP system() call. However the problem you will likely run into is that the PHP scripts are executed as the same user that apache runs as (normally www-data). This is will mean that running for example '/etc/init.d/sshd stop' will not work as you require root privileges.

It is however possible to allow the www-data user to run only /etc/init.d/sshd as root. This can be accomplished via sudo.

There's a short tutorial/cheetsheet I wrote years ago on it here: http://www.iclebyte.com/index.php?article=26

TB0ne · 07-27-2011, 08:50 AM

Quote:

Originally Posted by MetaMan

All I wanted to be able to do was stop a daemon (One command!). I know I could do this with, say, ssh, but I wanted to be able to do is access it from an Android phone. Plus, I don't plan on opening the server to the outside world. Plus plus, I would set up something in the .htaccess file (Or something like that) to password protect the page.

Is it still dangerous?

Again, yes. ANYTIME you execute a script from a web page, you open a potential avenue into your system. roastinghosting summed it up well. It doesn't matter if it's one command, twelve commands, or 64 different scripts called one at a time...the potential risk is there.

Again, yes, you CAN do it. You could write it in Perl, and shove it into your cgi-bin directory, and have the program itself prompt you for a password that's unique, before the process is killed/restarted. That way, you can save a link to the perl script itself (easier to run), and still have it protected (only YOU will know the password to it). Still a BIT unsafe, but possible. Personally, since it's an internal application (assuming you're on a VPN or something similar), I'd invest the $1.99 on an SSH client for your phone, and do a keyswap between it and your server. If this process dies/needs to be restarted on a regular basis, I'd probably set up a user just for that, and put something in the .bashrc that would kill/restart it on login.

MetaMan · 07-27-2011, 12:39 PM

Thanks everyone! I'll try some of your suggestions. Still a bit a research to do, though...