How to safely execute a command on another server?

D

Denis Shpuganich2017-10-05 17:11:48

PHP

Denis Shpuganich, 2017-10-05 17:11:48

There is a task to execute one command on the server, but with different parameters that are formed on another server.
There are suspicions that exec($_GET['command']); bad idea))
The second thought is to break the command parameters into components and transfer them separately, then escape, assemble into a command, and then execute.
At the same time, the possibility of hacking or open source of the former is allowed.
The task is to prevent an attacker, knowing the source code of the receiving script, from executing anything on the receiving server other than the initially executed command.
There are two questions:
1) If we break it into separate parameters, then what needs to be escaped in the incoming data so that the injection does not work (we end the command, for example | with this character and write anything in continuation)
2) Maybe there is an alternative way to safely execute commands from one server to another? (Certificates, keys or other magic)

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

M

My joy, 2017-10-05
@dyonis

I would use a chip with a check-sum of the line, as with payments. open code of the command (can be sewn in base64) and a separate hash variable. and on the receiving side, look at the correct hash or not.

Z

zorca, 2017-10-05
@zorca

You can form a command on the first server and run it entirely via ssh, logging in with a key.

A

Andrey, 2017-10-05
@VELIK505

Servers are connected in one locale?
If yes, then via ssh.
For example, my cron task hangs from one server to another:
@reboot ssh 192.168.1.1 'mysqladmin flush-hosts -pkWz46ezyRc' >/dev/null 2>&1
where 192.168.1.1 is the local IP of another server where to execute the command mysqladmin flush- hosts
Yes, even if they are not connected, then in the same way with a password, and so on. And on that server, open access from the IP of another server for ssh