I have a Perl CGI script that I am accessing from a URL. I've checked the syntax using perl -wc, and it seems to be OK. However, none of the commands to create directories are executing correctly. The permission is set to 755.
Does anyone know how to go about diagnosing this issue?
This is the code:
#!/usr/bin/perl
use CGI;
#-- create CGI Query
$q = CGI->new;
$prefix = "X__";
print "Content-type: text/html\n\n";
#-- get companyID
$entityID = $q->param('entityID');
#-- get directory name
$dir = "${prefix}${entityID}";
#-- change directory
chdir("/var/www/html/web/customers");
#-- create parent company directory
`sudo mkdir -m 755 $dir`;
print "${entityID}";
You've got a number of worst-practices in this code. It pains me to look at parts of it. There is unsanitized data being sent to system calls. There is intentional privilege escalation. These hurt to see and they will cause you problems, now and later.
The things to look at when you are tracking down a problem with Apache for a script that looks like this are:
Return value of system calls within the script.
`foo`;
That returns a value into ${^CHILD_ERROR_NATIVE} for perl 5.10 and beyond. What is this value? That tells you what foo actually returned and if it was successful. (perldoc)
Apache error log. Somewhere, there is an error log that Apache is writing to. It may be in different places, depending in part on the configuration. There is the Apache virtual server error log and the Apache server error logs - both of which may need to be looked at.
For some reason, sudo is being used here (it is not a good thing). sudo has its own log that should be investigated. (Where are sudo incidents logged?) There are a lot of places where sudo can log (documentation), you may need to investigate that on your own system.
Though, again, I beseech people who write code like this to not write code like this in the first place. There are security holes that are wide enough to drive a truck through in this code. Yes, it may be a one-off script that you're quickly tossing out for a client or marketing or someone who doesn't know better (you should) to run on an intranet... but some day... that code will be run on the internet and all hell will break loose when someone passes in entityId=/../../../../../../im_in_ur_root/creating_directories into your parameters and you start finding directories being created in strange places.
sudo within backticks, or open, or system. It is a problem waiting to happen.
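A hardened variant of the script in the question, added here as an example (it is not the asker's or the answerer's code). It assumes entity IDs are 1 to 32 characters from `[A-Za-z0-9_-]` and that the web server user has been given write access to the customers directory, so neither a shell nor sudo is involved; `valid_entity_id` is a hypothetical helper name.

```perl
#!/usr/bin/perl
# Added example, not code from the original page.
# Assumptions: entity IDs are 1-32 chars of [A-Za-z0-9_-]; the web server
# user can write to $base, so sudo is not needed.
use strict;
use warnings;
use CGI;
use File::Spec;

my $base   = '/var/www/html/web/customers';
my $prefix = 'X__';

# Allowlist validation: returns the ID if it matches, undef otherwise.
# \A...\z anchors (not ^...$) so a trailing newline cannot slip through,
# and the character class excludes '/', '.', spaces and shell metacharacters.
sub valid_entity_id {
    my ($id) = @_;
    return undef unless defined $id;
    return $id =~ /\A([A-Za-z0-9_-]{1,32})\z/ ? $1 : undef;
}

my $q  = CGI->new;
my $id = valid_entity_id(scalar $q->param('entityID'));

unless (defined $id) {
    print $q->header(-status => '400 Bad Request', -type => 'text/plain');
    print "invalid entityID\n";
    exit 0;
}

my $dir = File::Spec->catdir($base, $prefix . $id);

# Built-in mkdir: no shell, no sudo, and a return value that is checked.
# The requested mode is still subject to the process umask.
if (mkdir $dir, 0755) {
    print $q->header(-type => 'text/plain');
    print "created $prefix$id\n";
}
else {
    # STDERR from a CGI script is written to the Apache error log.
    warn "mkdir $dir failed: $!\n";
    print $q->header(-status => '500 Internal Server Error', -type => 'text/plain');
    print "could not create directory\n";
}
```

When the directory is not created, the `warn` line puts the reason (`$!`, for example a permission error) into the Apache error log, which is the first place the answer says to look.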