[Gllug] Perl of the Sea - Gee I . . .
Lobster
edjason at britishlibrary.net
Thu Apr 24 06:02:01 UTC 2003
At 15:06 23/04/2003 +0100, you wrote:
>You can do this using CGI rather than HTML directly, but it is very
>dangerous. If you want to do something simple like run the 'ls' command,
>give them the option of running it, but don't let them supply parameters.
>If you do, then they could put something like this as the parameter " -l;
>rm -rf /*" and it would list the contents of the directory and then erase
>everything from the computer that the user the code is running as has access
>to. The code usually runs as the web server user which is usually set to
>"nobody" so it's not totally dangerous if you are set up correctly, but it
>sure isn't safe.
Got it!
Gee I was thinking of only running it on my machine . . .
and maybe making it available as a tar ball (zip thingee).
It just seems that the power of Linux is in the shell
but the way the commands are available, documented,
etc. is not much fun . . .
(thanks to Jim in next post for RUSE Linux guide advice)
Still trying to get my head around this . . .
it would seem bash calls about 3000 commands
so what I was thinking of different ways of presenting
these commands but working on actual (benign) examples
So if it was running on a server
the 'danger' would be to the users machine
and not the server OR the server would not
be compromised if it was set up correctly . . .
It would give me a good way
of working through the commands
- maybe someone has done it?
Do these things such as midnight commander
or similar utilise these commands much like xtree
under MS DOS
- what is to be recommended?
Many thanks for everyone's comments :-)
Lobster
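An added example (not from this thread, and not Lobster's or the quoted author's code) of the hardening the quoted reply describes: a small Perl CGI that lets the visitor run 'ls' but never hands their input to a shell. The base directory, the CGI parameter names and the option allowlist are assumptions chosen for the example.

```perl
#!/usr/bin/perl -T
# Constructed example: run 'ls' for a web visitor without shell interpretation.
# -T (taint mode) refuses to pass request data to system() until it has been
# explicitly checked with a regex capture, which is what the helpers below do.
use strict;
use warnings;
use CGI qw(param);

# perlsec: taint mode insists on a known-safe environment before system().
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$| = 1;   # flush our header before ls writes to the same stdout

my $base_dir = '/var/www/demo';   # hypothetical directory the script may list

# Only these ls options are accepted; the capture ($1) also untaints the value.
sub checked_option {
    my ($raw) = @_;
    return '' unless defined $raw && length $raw;          # no option given
    return $raw =~ /\A(-l|-a)\z/ ? $1 : undef;             # undef = refused
}

# One path component of safe characters, and never '.' or '..'.
sub checked_subdir {
    my ($raw) = @_;
    return '' unless defined $raw && length $raw;          # list base_dir itself
    return undef if $raw =~ /\A\.\.?\z/;
    return $raw =~ /\A([A-Za-z0-9_.-]+)\z/ ? $1 : undef;
}

# List form of system(): each element goes straight to execve, so a value like
# "-l; rm -rf /*" could never reach a shell even if validation were looser.
sub run_ls {
    my ($opt, $subdir) = @_;
    my @cmd = ('/bin/ls');
    push @cmd, $opt if length $opt;
    push @cmd, "$base_dir/$subdir";
    return system(@cmd) == 0;
}

my $opt    = checked_option(scalar param('opt'));
my $subdir = checked_subdir(scalar param('dir'));

print "Content-type: text/plain\n\n";
if (!defined $opt || !defined $subdir) {
    print "Refused: option or directory is not in the allowlist.\n";
    exit 0;
}
run_ls($opt, $subdir) or print "ls failed\n";
```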
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug