Shell scripts from WebUI - is it possible, advice, ideas

[kstamand]

Is it possible to issue cli command from the router WebUI and return the results?

If yes, is there a script available where this is done already?​

If not, any advice and pointers of where I might start to learn how to do this (I've been looking at existing scripts like YazFi, scMerlin, and others for ideas but no luck finding one yet)?​

Background - I often ssh to the router to issue some quick status commands (brctl show, ethctl phy-map, iptables -vnl CHAIN). I'm familiar with Asuswrt user scripts and third party add-on API (I have a working model for adding a new user tab but I'm stuck there on how to proceed with .asp / .js code, hence my question). I've also successfully modified Main_LogStatus_Content.asp previously to allow for filtering returned syslog records >> https://www.snbforums.com/threads/c...abilities-working-prototype.87357/post-936846

Goal - from the Router WebUI, have a new Userx tab that allows for entering a CLI command with an "execute" button, which is then executed in background and then results returned to WebUI.

Edit: @jacklul - I was concerned that it may be a security concern, so thanks for that feedback and I definitely want to avoid those kind of issues.
@thelonelycoder - I look forward to your thoughtful feedback. FWIW, I only have a handful of commands I’m interested in. So I’m rethinking of a fixed list of command “names” that could be selected from the WebUI that I could then call a corresponding sh script might avoid the security concerns JackLul pointed out.
Thank you both for the feedback.

 

[jacklul]

Sounds like terrible idea security-wise
It would be acceptable if these commands were hardcoded so the user can't just enter ANY command

 

[thelonelycoder]

Is it possible to issue cli command from the router WebUI and return the results?

If yes, is there a script available where this is done already?​

If not, any advice and pointers of where I might start to learn how to do this (I've been looking at existing scripts like YazFi, scMerlin, and others for ideas but no luck finding one yet)?​

Background - I often ssh to the router to issue some quick status commands (brctl show, ethctl phy-map, iptables -vnl CHAIN). I'm familiar with Asuswrt user scripts and third party add-on API (I have a working model for adding a new user tab but I'm stuck there on how to proceed with .asp / .js code, hence my question). I've also successfully modified Main_LogStatus_Content.asp previously to allow for filtering returned syslog records >> https://www.snbforums.com/threads/c...abilities-working-prototype.87357/post-936846

Goal - from the Router WebUI, have a new Userx tab that allows for entering a CLI command with an "execute" button, which is then executed in background and then results returned to WebUI.

There is a way, but it‘s not safe in my opinion.
However, I like your idea. A limited SSH tab is doable as it is more or less how we interact between the WebUI and our shell scripts.
Let me ponder this this Weekend.

 

[dave14305]

This was a feature removed from the router 11 years ago.

  - REMOVED: Removed the Run Cmd page as it was a security
             risk.  This is also needed to keep in line with
             recent security fixes Asus applied to the
             httpd backend to limit what external processes
             it can run, otherwise any malicious page could
             run arbitrary commands on your router if you
             were currently logged on a separate tab.

webui: Removed Run Cmd page as it is a security risk. This is to kee… · RMerl/asuswrt-merlin@9dac957

…p in line with Asus recently applying stricter control as to which command can be run by the httpd daemon through webui requests.

github.com

 

[thelonelycoder]

Sounds like terrible idea security-wise
It would be acceptable if these commands were hardcoded so the user can't just enter ANY command

Like in a SSH terminal? All third party scripts require this interaction. I see no problem giving users the choice.

 

[bbunge]

Something like Webmin that opens a terminal in its GUI? Am sure that Webmin would not do it if it wasn't secure...

 

[RMerlin]

However, I like your idea. A limited SSH tab is doable as it is more or less how we interact between the WebUI and our shell scripts.

There used to be one, and it was removed many years ago due to many obvious security issues with that.

commit c989700896de539d76a674930105c07902539501
Author: Eric Sauvageau <rmerl@lostrealm.ca>
Date:   Thu May 7 17:50:33 2015 -0400

    webui: completely remove the run command page to ensure no xsite scripting could exploit it

 

[kstamand]

@jacklul, @dave14305, @thelonelycoder, @RMerlin would the following alternate approach still pose security concerns

- Custom user tab that has a hardcoded list of Names (prototype screen shot below)
- When clicking on one of the names, it somehow (I still don't know how to do that) runs a corresponding predefined script stored under /jffs someplace and the script doesn't accept any parameters
- The script runs and writes it's results to a file
- The custom user tab .asp reads the contents of the results file and displays it in a text box

If the above approach avoids the security concerns, can anyone point me to an example or reference on how to run a predefined script from .asp and wait until that shell script completes? I think I have the rest of the .asp code worked out, minus that one part.

 

[dave14305]

can anyone point me to an example or reference on how to run a predefined script from .asp and wait until that shell script completes?

Addons API

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

You would pass the script name to be run from the ASP custom_settings variable and have a service-event script listen for that trigger and invoke your script. It’s the crux of the add-on API. Get the basics working then we can see how to make it look more responsive fetching the results via ajax calls.

 

[thelonelycoder]

I had a better and save way in mind to approach this.
Thanks for freeing up time this weekend

 

[kstamand]

I had a better and save way in mind to approach this.
Thanks for freeing up time this weekend

Care to share the better and safe way, at least in outline form? I'm not in any hurry, just hungry to learn

 

[RMerlin]

Just use SSH. It's secure. it's sane, and it works just fine.

The web daemon security has been one of the primary source of router exploitation over the years. Don't make it worse than it already is.

 

[kstamand]

Just use SSH. It's secure. it's sane, and it works just fine.

The web daemon security has been one of the primary source of router exploitation over the years. Don't make it worse than it already is.

Got it - thanks for the feedback

 

[dave14305]

Got it - thanks for the feedback

Consider using something like iOS Shortcuts to SSH into the router, run a command and popup the output. Example:

iOS Shortcut for Diversion

This is a shortcut for the iOS Shortcuts app July 01 2022: Version 1.4 released. See the iOS Shortcut page on diversion.ch for instructions.

www.snbforums.com

 

[rung]

Consider using something like iOS Shortcuts to SSH into the router, run a command and popup the output. Example:

iOS Shortcut for Diversion

This is a shortcut for the iOS Shortcuts app July 01 2022: Version 1.4 released. See the iOS Shortcut page on diversion.ch for instructions.

www.snbforums.com

I do something similar with Android. Termux has a widget that lists the scripts I want to run. If I want to see the results, I put a read command at the end.

 

[kstamand]

Consider using something like iOS Shortcuts to SSH into the router, run a command and popup the output. Example:

iOS Shortcut for Diversion

This is a shortcut for the iOS Shortcuts app July 01 2022: Version 1.4 released. See the iOS Shortcut page on diversion.ch for instructions.

www.snbforums.com

 

[kstamand]

I am familiar with and have used iOS Shortcut for Diversion, very nice. My goal was to have a similar ability from the WebUI, so I can do everything in one place and not have to jump to different interfaces (SSH) or devices (iOS/Android).

All good feedback tho and much appreciated

 

[kstamand]

Addons API

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

You would pass the script name to be run from the ASP custom_settings variable and have a service-event script listen for that trigger and invoke your script. It’s the crux of the add-on API. Get the basics working then we can see how to make it look more responsive fetching the results via ajax calls.

I have the "bones" of this approach working, updating custom_settings.txt from the asp page, a services script firing when service-event is triggered and a script running which writes results to a file. Not sure how to go about reading those results back into the webpage textarea when the script completes / coordinated with the asp that triggered it tho.

 

[dave14305]

Not sure how to go about reading those results back into the webpage textarea when the script completes / coordinated with the asp that triggered it tho.

Write the file under /www/ext/ and read it via ajax as text. See some examples in uiScribe.

uiScribe/Main_LogStatus_Content.js at master · jackyaz/uiScribe

uiScribe updates the System Log page to show log files created by Scribe (syslog-ng). Requires Scribe https://github.com/cynicastic/scribe - jackyaz/uiScribe

github.com

 

[kstamand]

Write the file under /www/ext/ and read it via ajax as text. See some examples in uiScribe.

https://github.com/jackyaz/uiScribe/blob/mastetxr/Main_LogStatus_Content.js#L140

What am I missing / doing working (code snippet below)? I keep getting 404 Not found with my ajax call for the URL reference.

I've tried '/ext/results.txt', '/www/ext/results.txt', and 'results.txt' in the url with no luck. I'm assuming the path I am using is what's wrong, but I'm not sure how to debug nor what the correct format is. I have confirmed the file resides at /www/ext/results.txt

Thanks for any assistance.

function get_results_data(){
 24     var h = 0;
 25     $.ajax({
 26         url: '/www/ext/results.txt',
 27         timeout: 2000,
 28         dataType: 'text',
 29         error: function(xhr){
 30             alert('ajax read results.txt status: ' + xhr.status + ' Status Text: ' + xhr.statusText);
 31         },
 32         success: function(response){
 33             var resultString = htmlEnDeCode.htmlEncode(response.toString());
 34             var _string = String.split('\n');
 35             h = $("#textarea").scrollTop();
 36             document.getElementById("textarea").innerHTML = _string;
 37             $("#textarea").animate({ scrollTop: 9999999 }, "slow");
 38         }
 39     }
 40 )}