Find the answer to your Linux question:
Results 1 to 6 of 6
hello, when i call the "system()" function from my C program everything works well, but when i try to call it from a cgi C program it doesn't work. the ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Mar 2011
    Posts
    14

    calling "system()" function from cgi C program


    hello,
    when i call the "system()" function from my C program everything works well, but when i try to call it from a cgi C program it doesn't work.
    the server log tells me this is a permission error.
    i have chmod'ed 755 the cgi program but it still does not work
    am i missing something?
    Last edited by rudie; 04-03-2011 at 09:36 AM.

  2. #2
    Linux Guru Cabhan's Avatar
    Join Date
    Jan 2005
    Location
    Seattle, WA, USA
    Posts
    3,252
    Does the CGI C program get executed at all, but just can't make the system() call? This implies that the program that you are trying to execute with system() is not executable. Remember that CGI programs usually run as a user with virtually no permissions, in order to protect the system from intrusion.

  3. #3
    Just Joined!
    Join Date
    Sep 2010
    Location
    Montgomery, AL
    Posts
    27
    I have had this exact problem. The issue is that normally, only the root user can execute most system calls (maybe all?).

    In my application, I had the CGI program send a request to another daemon, which did have root permissions, I had already written via a socket on a port it was listening on telling it to execute the command. I don't know if this is the best option for you, but you will have to do something like that. Also you could have a process reading a config file, to find out when to execute the command, then your cgi could just write the command to the file and let the other process run it.

    Also, I would not recomend what you will feel tempted to do upon reading this. Do not try and recompile apache to run as root unless you are VERY sure about the clients accessing your site and about your CGI script. Plus it is a pain in the backside to recompile and configure anyways.

    Hope this helps,

  4. $spacer_open
    $spacer_close
  5. #4
    Just Joined!
    Join Date
    Sep 2010
    Location
    Montgomery, AL
    Posts
    27
    Quote Originally Posted by JHenson View Post
    I have had this exact problem. The issue is that normally, only the root user can execute most system calls (maybe all?).

    In my application, I had the CGI program send a request to another daemon, which did have root permissions, I had already written via a socket on a port it was listening on telling it to execute the command. I don't know if this is the best option for you, but you will have to do something like that. Also you could have a process reading a config file, to find out when to execute the command, then your cgi could just write the command to the file and let the other process run it.

    Also, I would not recomend what you will feel tempted to do upon reading this. Do not try and recompile apache to run as root unless you are VERY sure about the clients accessing your site and about your CGI script. Plus it is a pain in the backside to recompile and configure anyways.

    Hope this helps,
    Hmm, actually there are several system calls that don't need root permissions such as ioctl calls that are merely reading from a device etc... However, there are several that do. My cgi script was rebooting the machine, so obviously that one needs root permissions. So, in correction to my previous answer, it just depends, but since obviously yours needs root permissions, you will have to do as I described above.

  6. #5
    Linux Guru Cabhan's Avatar
    Join Date
    Jan 2005
    Location
    Seattle, WA, USA
    Posts
    3,252
    Hold on. He's not talking about system calls, he's talking about using the system() function to execute other commands. Even if he was talking about system calls, running a webserver as root is a huge security hole, as is indiscriminately escalating user requests to be run as root through a daemon.

    Also, as you say, most system calls can be made by anyone. There are only a very very few that require root permissions.

    @rudie:

    What program are you trying to execute with system()? Try running:
    Code:
    ls -l /path/to/program
    to see what the permissions on the program alow the user of the web server to execute it. The user will probably fall into the "others" category.

  7. #6
    Just Joined!
    Join Date
    Sep 2010
    Location
    Montgomery, AL
    Posts
    27
    Quote Originally Posted by Cabhan View Post
    Hold on. He's not talking about system calls, he's talking about using the system() function to execute other commands. Even if he was talking about system calls, running a webserver as root is a huge security hole, as is indiscriminately escalating user requests to be run as root through a daemon.
    I was certainly not encouraging anyone to run a webserver as root. I thought I had made that clear; I was just saying it was an option--because technically it is.

    Anyways, there are plenty of times when a user needs to run a root command via a cgi. Cisco does it all the time on their routers when they reboot them. I am pointing out how to do it if you need to, and obviously, if the user is executing a script that needs root permissions, then he probably needs to. Or sometimes, the user can just take ownership of the script, however, the user already tried that.

    And yes system() can run anything, but I just figured if he was doing so that he was calling functions using system calls like ifconfig or something, especially since he/she was having permission issues or somthing.

    So I guess back to the main question, what are you trying to execute with the system() function?

    edit--Also, I agree that the daemon should not execute anything indiscriminately. So, for instance, instead of storing the command to be executed in the file or sending it over a socket, it is a much better idea to use an agreed upon syntax understood only between the daemon and the cgi script. So for instance, you could store something in a file like:

    NetworkSettings
    ipv4=192.168.1.1
    subnet=255.255.248.0
    changed=1

    A daemon could then be written and installed to parse this file and execute whatever command you want such as

    1. parse data from file
    2. if file has been changed
    2.1 run this command: ifconfig eth0 192.168.1.1 netmask 255.255.248.0 up
    2.2 set changed flag back to 0

    I am NOT suggesting that you store the actual command in the file as this could be very dangerous. You should write a secret and agreed upon protocol.
    Last edited by JHenson; 04-07-2011 at 05:16 PM.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •