Heal Your Church WebSite


Teaching, rebuking, correcting & training in righteous web design.

Shoot Self and System in foot with a CGI-Shell

In the past, I’ve shown those of you on Linux/Apache systems how to do some nifty stuff from the command line. For example, how to globally search and replace text using the commands FIND and XARGS. Or how to install MovableType using mostly the TAR and MV commands. All useful stuff I feel one should be allowed to do from any web host.

But as we know, not all web hosts are created equal, and some of you have situations where your web host provider does not allow either telnet or secure shell access (see link for tutorial on these). They do this for security reasons, not understanding the gaping security holes that can be opened when we have to unzip a program, FTP it to our site, then change the permissions on entire directories or sets of files to Read, Write and Execute. This is in contrast to using TAR on the target machine, which, while unpacking the application, also sets permissions the way the developer intended … or at least the way the developer left them.
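To make that permissions point concrete, here is a small added example (my own demo script, not from the original post). It builds a tiny “application” with deliberate file modes, unpacks it with TAR the way the post recommends, and then recreates the same files one at a time the way an FTP upload does. The file names, modes and directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: files unpacked by tar on the
# server keep the modes the developer set; files pushed one at a time (as an
# FTP upload does) arrive with the server's default mode and then need a
# manual chmod. All file names and modes here are constructed for the demo.

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a tiny "application" tree with deliberate modes and pack it.
# Prints the work directory so the other functions can find it.
make_demo_tarball() {
    work=$(mktemp -d)
    mkdir -p "$work/src/app/cgi-bin"
    printf '#!/bin/sh\necho ok\n' > "$work/src/app/cgi-bin/run.cgi"
    printf 'dbpass=example\n' > "$work/src/app/config.txt"
    chmod 0755 "$work/src/app/cgi-bin/run.cgi"   # script must be executable
    chmod 0600 "$work/src/app/config.txt"        # config readable by owner only
    ( cd "$work/src" && tar -cf "$work/app.tar" app )
    echo "$work"
}

# Unpack on the "server" the way the post recommends; -p keeps the archived
# modes instead of applying the current umask.
# Prints "<mode of run.cgi> <mode of config.txt>".
extract_and_report() {
    work=$1
    mkdir -p "$work/dst"
    ( cd "$work/dst" && tar -xpf "$work/app.tar" )
    echo "$(mode_of "$work/dst/app/cgi-bin/run.cgi") $(mode_of "$work/dst/app/config.txt")"
}

# Simulate the FTP route: each file is recreated on the server, so it gets the
# default mode for a new file (0666 masked by umask 022 = 0644). The execute
# bit and the private 0600 are both lost; that is what pushes people toward
# the blanket chmod the post warns about.
upload_and_report() {
    work=$1
    mkdir -p "$work/ftp/app/cgi-bin"
    (
        umask 022
        cat "$work/src/app/cgi-bin/run.cgi" > "$work/ftp/app/cgi-bin/run.cgi"
        cat "$work/src/app/config.txt" > "$work/ftp/app/config.txt"
    )
    echo "$(mode_of "$work/ftp/app/cgi-bin/run.cgi") $(mode_of "$work/ftp/app/config.txt")"
}
```

Run `w=$(make_demo_tarball); extract_and_report "$w"; upload_and_report "$w"` and the first line comes back `755 600` while the second comes back `644 644`: the script lost its execute bit and the config became world-readable, which is exactly the moment a frustrated admin reaches for a recursive chmod 777.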

Yeah, that last paragraph was a bit geeky. The point is, there are some applications out there which will allow you to circumvent this situation by letting you execute command lines from your browser. PLEASE NOTE – THIS IS A VERY DANGEROUS PRACTICE. If you do not understand what you are doing at the command line, or if you do not FULLY understand the security implications, steer clear of the following applications (listed in no particular order):

If you are going to take the HUGE SECURITY RISK of installing and using any of the above applications, then at least run them from a password-protected subdirectory within your cgi-bin directory. If you don’t know how to do that without me telling you how, then you probably want to avoid the above. Even if you do, remember, you were warned, so don’t come complaining to me when you shoot yourself in the foot.
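For those who do know how, here is what that password-protected subdirectory looks like on Apache, as an added example of my own rather than anything from the post or from the applications it lists. It writes the .htaccess that demands HTTP Basic authentication and includes a small check you can run before dropping anything sensitive into a directory. The directory paths, realm name and user name are constructed for the demo; the password file itself is created with Apache’s htpasswd tool, which the script mentions but does not run.

```shell
#!/bin/sh
# Added example, not from the original post: the password-protected
# subdirectory the post recommends, expressed as an Apache .htaccess file,
# plus a quick check that a directory really carries such protection.
# Paths, realm name and user name are constructed for the demo.

# Write an .htaccess requiring HTTP Basic auth for everything under DIR.
# PASSWD_FILE should sit outside the web root so it can never be downloaded.
# The server config must grant AllowOverride AuthConfig (or All) for DIR,
# otherwise Apache ignores these directives.
write_basic_auth_htaccess() {
    dir=$1
    passwd_file=$2
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Admin tools"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# Return 0 if DIR's .htaccess demands a valid Basic-auth user, 1 otherwise.
# Handy as a pre-flight check before anything like a CGI shell goes into DIR.
is_protected() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -q '^AuthType Basic' "$f" || return 1
    grep -q '^Require valid-user' "$f" || return 1
    return 0
}

# One-time setup, assuming the cgi-bin lives at $HOME/cgi-bin (constructed path):
#   mkdir -p "$HOME/cgi-bin/admin"
#   htpasswd -c "$HOME/.htpasswd" yourname     # Apache's tool; prompts for the password
#   write_basic_auth_htaccess "$HOME/cgi-bin/admin" "$HOME/.htpasswd"
#   is_protected "$HOME/cgi-bin/admin" && echo protected
```

Two practical notes: Basic auth only base64-encodes the password on the wire, so reach the directory over HTTPS or the protection is cosmetic; and Apache refuses to serve `.ht*` files by default, which is why the .htaccess itself is safe to leave in the directory while the password file still belongs outside the document root.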

So why bother with all the risk? I think the FAQ from CGI-Shell answers the question rather nicely.

Can I do “bad things” with CGI-Shell?
You can do “bad things” with almost everything – but that’s not why I wrote CGI-Shell. Rather, it intends to help webpage-owners to maintain their page comfortably. If CGI-Shell also makes webhosters pay a little more attention to their server’s rights-management – or even better – gives you SSH-access, I’m happy, too.

Which one do I use? None of them. My host provider allows “limited” or “jailed” access. I can’t format the system, but I can test PHP modules from the command line. But before I do, I also back up my database from the command line, or at least use PICO or VI to write a bash script that will do it for me on a nightly basis.

One Comment

  1. I have to say, SSH was the best thing they ever came out with. You can’t beat its security nor its reliability.