CGI Script Wont Create Directories

Question

I have a perl CGI script that I am accessing from a URL. I've checked the syntax using perl -wc, and it seems to be ok. However none of the commands to create directories are executing correctly. The permission is set to 755.

Does anyone know how to go about diagnosing this issue?

This is the code:

#!/usr/bin/perl

use CGI;
#-- create CGI Query
$q = CGI->new;
$prefix = "X__";

print "Content-type: text/html\n\n";

#-- get companyID
$entityID = $q->param('entityID');

#-- get directory name
$dir = "${prefix}${entityID}";

#-- change directory
chdir("/var/www/html/web/customers");

#-- create parent company directory
`sudo mkdir -m 755 $dir`;
print "${entityID}";

score 5 · Accepted Answer · edited Apr 13 '17 at 12:36

You've got a number of worst-practices in this code. It pains me to look at parts of it. There is unsanitized data being sent to system calls. There is intentional privilege escalation. These hurt to see and they will cause you problems, now and later.

The things to look at when you are tracking down a problem with Apache for a script that looks like this are:

Return value of system calls within the script.
```
`foo`;
```
That returns a value into ${^CHILD_ERROR_NATIVE} for perl 5.10 and beyond. What is this value? That tells you what foo actually returned and if it was successful. (perldoc)
Apache error log. Somewhere, there is an error log that apache is writing to. It may be in differing places that in part depends on the configuration. There is the apache virtual server error log and the apache server error logs - both of which may need to be looked at.
For some reason, sudo is being used here (it is not a good thing). sudo has its own log that should be investigated. (Where are sudo incidents logged?) There are a lot of places where sudo can log (documentation), you may need to investigate that on your own system.

Though, I again, I beseech people who write code like this to not write code like this in the first place. There are security holes that are wide enough to drive a truck through in this code. Yes, it may be a one off script that you're quickly tossing out for a client or marketing or someone who doesn't know better (you should) to run on an intranet... but some day... that code will be run on the internet and all hell will break lose when someone passes in entityId=/../../../../../../im_in_ur_root/creating_directories into your parameters and you start finding directories being created in strange places.

Don't use sudo within back ticks, or open, or system. It is a problem waiting to happen.
Do use the function calls provided by perl to create directories.
Do set up the permissions on the directories properly so that the web server can write to the ones it should be able to without needing privilege escalation.

Turns out my perl version is pretty old: Perl version : 5.016003 — Stephan Walters, Sep 24 '14 at 21:04
Perl's return values are multiplied by 256. Sudo returning 1 ([man page](http://www.sudo.ws/sudo.man.html)) means "Otherwise, sudo exits with a value of 1 if there is a configuration/permission problem or if sudo cannot execute the given command." — , Sep 24 '14 at 21:08
I've added this into my sudoers file.. Defaults:apache !requiretty Cmnd_Alias APACHE = /bin/mkdir, /bin/rmdir, /bin/cp, /bin/mv, /bin/touch, /bin/chown apache ALL=(ALL) NOPASSWD: APACHE Based on another forum but its weird its still not working..and even restarted apache.. Yes I realize this isn't the best way to go about this.. However, I don't have the permission to run mkdir from my .pl script — Stephan Walters, Sep 24 '14 at 21:15
You are able to run sudo, but you are unable to set up the permissions of `/var/www/html/web/customers` so that apache can create a directory there? — , Sep 24 '14 at 21:16
I've ran chown and chirp on the customers folder to let apache be the user and group but it still seems to have 0 effect. — Stephan Walters, Sep 24 '14 at 21:25

CGI Script Wont Create Directories

1 Answers1