Thread: Shell commands visual simulation?

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    142

    Shell commands visual simulation?

    Hello everyone,
    Here I am with another question. Well, I wanted to simulate a shell command execution visually, maybe on a web page using some scripting language (PHP or Perl). For example, if someone wants to execute an "ls -al" command, he/she presses a button on a web page, and then this command is triggered on the shell. But the user has only got the browser interface, in the form of a web page. Now we have to throw back all the results (which we get after the command execution) to another web page. I wanted to know:

    1) What scripting language would facilitate me the most for doing such thing?
    2) Do I have to use sockets on scripting language level for tunneling the command from browser to shell and then getting back the result to a web page?

    I have seen such a thing in Webmin, which is a browser-based application that operates on port 100 for configuration of a Linux box, from Samba to NFS. I hope I am conveying my point well. However, any kind of comments or enquiries are welcome. Any help in this regard would be appreciated. Please guide me to any links, if you come across one. Though I am googling the issue as well.
    Thank you
    Ommy

  2. #2
    Junior Member
    Join Date
    Dec 2004
    Posts
    1
    Yeah, it's possible. You could do it with PHP using the system command:

    PHP system command

    But I wouldn't recommend it. It's opening yourself to an onslaught of attacks if users can "ls" the CurDir. If I was breaking into a site, that would appear to be a "Here! Start hacking here!"

    Now if you hard-coded the command into your PHP script, it wouldn't be so bad, but if you let the resulting HTML page pass the command to your script, you could get screwed. What would stop some hacker from changing the command passed to something like "rm * -f" or "cd /etc;cat passwd"?
    Hack my REALLY secure network at: 127.0.0.1 :>

  3. #3
    Senior Member
    Join Date
    Feb 2004
    Posts
    270
    I have been thinking about making such an application too. Never did it, but I came to this conclusion.

    Either make it a login page and make very sure your login is secure, or make all of it buttons and selectable options. Make ABSOLUTELY sure that all the assembling of the command line code is done in the PHP code itself.

    Also (my information on Linux shell commands is lacking here), things like making a search command and allowing a user to input a search string of his own should be very well checked, for it may pose an opportunity to sneak in more commands.

    Have fun making this.
    Since the beginning of time, Man has searched for the answers to the big questions: 'How did we get here?' 'Is there life after death?' 'Are we alone?' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    131
    I've seen the same type of thing in SmoothWall and other web-based firewalls. Look for ssh/telnet scripts written in Perl/PHP/Java.

    Here are a few links to help.

    security:
    http://www.hosting-netexplorers.co.u...ell_access.php

    Java based shell script:
    http://www.appgate.com/products/80_MindTerm/
    What's a "START" button?

  5. #5
    Custom User
    Join Date
    Oct 2001
    Posts
    503
    Aye, you wouldn't want to allow user input at all. e.g. if you decided to allow the user to give arguments to ls and they typed in "; rm -rf /" or something. Although you wouldn't expect your script to be running as root or anything, it's still risky.

    ac
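
Added example, not part of any post in this thread: one way to do what posts #2, #3 and #5 describe, with every command line assembled in the PHP code, the browser sending only a button name, and the single free-text field (a search string) validated before use. The action names, file paths and the `{term}` marker are hypothetical.

```php
<?php
// Added example. Action names, paths and the {term} marker are hypothetical.
const ACTIONS = [
    'list'   => ['/bin/ls', '-al', '--', '/var/www/files'],
    'uptime' => ['/usr/bin/uptime'],
    'search' => ['/bin/grep', '-rnF', '--', '{term}', '/var/www/files'],
];
// Map a button name to a fixed argv; the browser never supplies a command.
function build_argv(string $action, ?string $term = null): array
{
    if (!array_key_exists($action, ACTIONS)) {
        throw new InvalidArgumentException('unknown action');
    }
    $argv = ACTIONS[$action];
    $slot = array_search('{term}', $argv, true);
    if ($slot !== false) {
        // The one free-text field: short, and limited to a small character set.
        if ($term === null || !preg_match('/\A[\w .-]{1,64}\z/', $term)) {
            throw new InvalidArgumentException('bad search term');
        }
        $argv[$slot] = $term;
    }
    return $argv;
}

function run_action(string $action, ?string $term = null): string
{
    $argv = build_argv($action, $term);
    // Array form (PHP >= 7.4): the program is executed directly, no shell parses it.
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start process');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return htmlspecialchars($out, ENT_QUOTES, 'UTF-8'); // output goes into HTML
}

// Constructed requests; a real page would pass $_POST['action'] and $_POST['term'].
$requests = [['uptime', null], ['search', '; rm -rf /'], ['cd /etc;cat passwd', null]];
foreach ($requests as [$action, $term]) {
    try {
        echo run_action($action, $term);
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo 'refused: ', $e->getMessage(), "\n";
    }
}
```

The second and third requests reuse strings quoted in the posts above; both are refused before any process is started, the first by the search-term check and the second because it is not a known action name.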

  6. #6
    Senior Member
    Join Date
    Dec 2001
    Posts
    319
    Originally posted here by prtsoft
    Yeah, it's possible. You could do it with PHP using the system command:

    PHP system command

    But I wouldn't recommend it. It's opening yourself to an onslaught of attacks if users can "ls" the CurDir. If I was breaking into a site, that would appear to be a "Here! Start hacking here!"

    Now if you hard-coded the command into your PHP script, it wouldn't be so bad, but if you let the resulting HTML page pass the command to your script, you could get screwed. What would stop some hacker from changing the command passed to something like "rm * -f" or "cd /etc;cat passwd"?
    This could be prevented by using a (secure) login script on the webpage before the user actually gets to the interface for using commands. I would think it rather obvious. Make sure the script doesn't allow logins from root or administrative accounts. Better yet, most OS's have the option to never allow login as root or admin or whatever from anywhere but the localhost. I suggest, before you even think about opening an interactive port, that you find out how to do that.

    If you can make it secure, I'd say it's a pretty good idea.

  7. #7
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    Couldn't you just set up a chroot jail to prevent the problems gothic_type described? 'Cos a secure login script isn't ideal, it can always be bypassed, probably much like a root jail, but it'd be better if the commands weren't there in the first place, surely?

    i2c

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    131
    It's no different doing it with a web interface than if he was to just give them ssh access to his server. Permissions can be set, and chances are if someone does get in and do something stupid, it takes what? Like half an hour to re-install and set everything back up.

    This happens too much on this board. People post asking for help on a topic and everyone tries pulling out every possible flaw. Every single thing about computers is unsafe in some way. It's just like smoking. We know it kills but most of us still do it.

    I would say the idea is a good one, I have been working on the same thing for my site.
    This is how I do it so far.

    First, people must log in to a secure part of the site which was set up in my httpd.conf file (I use a secure folder to place my scripts in so there's a bit more security).

    After that, users must log in to the system from the JavaScript. Once in, they have limited permissions. They can ftp, use lynx, and set up a webpage, plus some of the basic commands are available to them.

    The only downside I see (without getting into security) is the extra load required for the web server to run. But Apache can be cut down to run faster if only being used for this script.

    You can even set it so they can only do certain things. (Example: one user only has access to edit his/her web files. So I set the shell to mc instead of /bin/bash: /bin/mc or wherever it is on your Linux distro.) When the person logs in they are automatically thrown right into Midnight Commander. They cannot edit/delete/move any files they do not have permissions to.

    I also have it set so root cannot log in anywhere but from 127.0.0.1 (localhost).
    What's a "START" button?
