web interface to shell commands

[ksmatthews]

Hi THere,

 

They say that from a security standpoint, we should not implement root-level commands in a web interface ....

 

I was involved in the creation of a web based front end for a third party telephony system (*Asterisk) running on linux.

 

Here are some code snippets ...

 

if(strstr($ID, 'dhcp'))

{

if($ID == 'dhcp_1') // DHCP

$command = '/usr/bin/sudo /usr/sbin/rcdhcpd start'; // /etc/init.d/dhcpd GENERIC

else if($ID == 'dhcp_2')

$command = '/usr/bin/sudo /usr/sbin/rcdhcpd stop';

else

$command = '/usr/bin/sudo /usr/sbin/rcdhcpd restart';

 

// run command

exec($command);

 

// run status check

exec('/usr/bin/sudo /usr/sbin/rcdhcpd status', $output, $return_var);

}

 

 

// another snippet

$command = 'rm -rf ' . $temp_folder;

exec($command);

 

// write to socket (authentication)

if($socket)

{

fputs($socket, "Action: Login\r\n");

fputs($socket, "UserName: " . ASTERISK_UNAME . "\r\n");

fputs($socket, "Secret: " . ASTERISK_SECRET . "\r\n");

fputs($socket, "Events: off\r\n\r\n");

 

// loop through output from Asterisk

$authentication_flag = false;

while ($buf = fread($socket, 512))

{

if(feof($socket))

break;

 

if(strstr($buf, "Response: Success"))

{

$authentication_flag = true;

break;

}

 

if(strstr($buf, "END COMMAND"))

break;

}

 

if($authentication_flag == false)

{

echo 'No Asterisk !';

die();

}

}

 

Is this code  poor practice ?

 

If so, then I would be curious to know how web hosting companies provide web front ends to their linux based web hosts.

Surely they too must be running root commands using sudo ....

 

Any ideas ?

 

regards,

 

Steven Matthews 

[trq]

As long as you lock down the Apache users entries within the /etc/sudoers file and limit them to only the commands / arguments you require, I don't see an issue.