On 25-09-2016 17:12, Kihaguru Gathura wrote:
Hi All,

I have a small problem here. I am unable to display uptime online.


Yes, you have a conceptual problem. You're doing a CGI that executes a binary. If, for any reason, /usr/bin/uptime is replaced with a malicious program, you're in trouble.

I don't even know the details of chroot OpenBSD, but an educated guess is that in such an environment you can't have access to some resources uptime needs, that's why you can do it with root.

Since you're already dealing with C code, I recommend checking the uptime source code to see what it does. Anyway, system() under a CGI environment will create a second (short-lived) process that you can avoid if you reproduce what the uptime code does in your CGI.

Also, I'm not a C programmer, but I guess somewhere there is a library you can include in your CGI instead of doing system().

Last, but not least... not sure why C is your language of choice for CGI.

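The reply's suggestion of reproducing uptime's work inside the CGI instead of calling system(), sketched as an added example that is not part of the original message and not taken from the uptime source. It assumes clock_gettime() (CLOCK_BOOTTIME where defined, otherwise CLOCK_MONOTONIC) and getloadavg() are available; the helper names format_uptime and uptime_seconds are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* glibc: expose getloadavg(); not needed on OpenBSD */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
/* Format seconds since boot as "N days, HH:MM"; returns length or -1. */
int format_uptime(long secs, char *buf, size_t len)
{
    if (secs < 0 || buf == NULL || len == 0)
        return -1;
    long days = secs / 86400;
    int hrs = (int)((secs % 86400) / 3600);
    int mins = (int)((secs % 3600) / 60);
    int n = snprintf(buf, len, "%ld day%s, %02d:%02d",
                     days, days == 1 ? "" : "s", hrs, mins);
    return (n < 0 || (size_t)n >= len) ? -1 : n; /* reject truncation */
}

/* Seconds since boot, read from the kernel clock; -1 on failure. */
long uptime_seconds(void)
{
    struct timespec ts;
#ifdef CLOCK_BOOTTIME
    if (clock_gettime(CLOCK_BOOTTIME, &ts) == 0)
        return (long)ts.tv_sec;
#endif
    if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
        return (long)ts.tv_sec;
    return -1;
}

int main(void)
{
    char up[64];
    double la[3];
    long secs = uptime_seconds();
    /* CGI response: header block, blank line, then the body. */
    printf("Content-Type: text/plain\r\n\r\n");
    if (secs < 0 || format_uptime(secs, up, sizeof up) < 0) {
        printf("uptime unavailable\n");
        return 0;
    }
    printf("up %s", up);
    if (getloadavg(la, 3) == 3) /* omitted if the kernel data is unreachable */
        printf(", load averages: %.2f, %.2f, %.2f", la[0], la[1], la[2]);
    printf("\n");
    return 0;
}
```

No shell or child process is started, so the CGI's output does not depend on /usr/bin/uptime being present in the chroot or on that binary being the genuine one.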