Php to configure network in linux as webmin

amigota · 03-19-2009, 04:02 AM

Hi guys

Now I have a case study working on php to create a web-based for configure the SLES10 network interface such as ip, netmask, gateway, dns and etc..

I know that Webmin is written in perl, but i want to write in php.
I tried to write some shell run with exec in php page, but they was something wrong "permission denied" or something similar.

PHP Code:



exec("/etc/init.d/network restart");

The result in error_log of Apache:

Code:

/sbin/ifdown: line 234: /dev/shm/sysconfig/config-eth0: Permission denied
rm: cannot remove `/dev/shm/sysconfig/if-eth0': Permission denied
rm: cannot remove `/dev/shm/sysconfig/if-lo': Permission denied
rm: cannot remove `/dev/shm/sysconfig/network': Permission denied
rm: cannot remove `/dev/shm/sysconfig/if-eth0': Permission denied
rm: cannot remove `/dev/shm/sysconfig/if-lo': Permission denied
rm: cannot remove `/dev/shm/sysconfig/ifup-eth0': Permission denied
rm: cannot remove `/dev/shm/sysconfig/ifup-lo': Permission denied
rm: cannot remove `/dev/shm/sysconfig/tmp/test': Permission denied
/etc/init.d/network: line 385: /dev/shm/sysconfig/network: Permission denied
/sbin/ifup: line 234: /dev/shm/sysconfig/config-lo: Permission denied
Error while executing:
   Command 'ip route replace to 127/8 dev lo' returned:
  RTNETLINK answers: Operation not permitted
   Configuration line: 127/8 - - lo  
[1A..failed/sbin/ifup: line 234: /dev/shm/sysconfig/config-eth0: Permission denied
[1A..failed/sbin/ifstatus: line 234: /dev/shm/sysconfig/config-eth0: Permission denied
touch: cannot touch `/dev/shm/sysconfig/ready-lo': Permission denied
touch: cannot touch `/dev/shm/sysconfig/ready-eth0': Permission denied

Also I tried to grant wwwrun user of Apache to root group, but there is no use.

What shout i do to solve this?
Thanks in advance.

bathory · 03-19-2009, 06:23 AM

You can use sudo to make the apache user (wwwrun in your case) able to run these commands
Of course you understand the security implications of this.

amigota · 03-19-2009, 11:34 PM

yes, i have tried several ways:

PHP Code:



exec("sudo -u root -p rootpassword /etc/init.d/network restart");

error_log was shown: "root" and there was nothing happened.

Could you should me how to deal with this?

bathory · 03-20-2009, 02:58 AM

You need to configure sudo to allow the apache user to run certain commands. Edit /etc/sudoers (run visudo to do this) and add something like:

Code:

Cmnd_Alias WEBMIN = /etc/init.d/network restart
User_Alias APACHE = wwwrun
APACHE ALL = (ALL) NOPASSWD: WEBMIN

amigota · 03-22-2009, 07:57 AM

I followed your instruction, but there was the same error as i shown you. Em.. I forgot to tell u the result of that command to the web interface as below:

Code:

  Shutting down network interfaces: 
     eth0      device: Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] (rev 10) 
     eth0      configuration: eth-id-00:0c:29:19:fa:65 
 [1A..doneShutting down service network  .  .  .  .  .  .  .  .  .  .  .  .  .  .  ...done 
 Setting up network interfaces: 
     lo 
     lo        IP address: 127.0.0.1/8 
 Checking for network time protocol daemon (NTPD): ..unused 
     eth0      device: Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] (rev 10) 
     eth0      configuration: eth-id-00:0c:29:19:fa:65 
     eth0      IP address: 192.168.169.3/24 
 Checking for network time protocol daemon (NTPD): ..unused 
     eth0      device: Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] (rev 10) 
     eth0      configuration: eth-id-00:0c:29:19:fa:65 
     eth0      IP address: 192.168.169.3/24 
 [1A..doneSetting up service network  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  ...done

Remember that I'm using SLES10.2 and I install sudo-1.7.0 on my Suse box. Do I have something wrong with the installation of sudo-1.7.0? What should I do next? Please?

bathory · 03-22-2009, 04:46 PM

Quote:

I followed your instruction, but there was the same error as i shown you.

What error?
What happens if you su to wwwrun and run the command from the command line?

amigota · 03-23-2009, 11:08 PM

In the error_log file of Apache:

Code:

/sbin/ifdown: line 234: /dev/shm/sysconfig/config-eth0: Permission denied
rm: cannot remove `/dev/shm/sysconfig/if-eth0': Permission denied
rm: cannot remove `/dev/shm/sysconfig/if-lo': Permission denied
rm: cannot remove `/dev/shm/sysconfig/network': Permission denied
rm: cannot remove `/dev/shm/sysconfig/if-eth0': Permission denied
rm: cannot remove `/dev/shm/sysconfig/if-lo': Permission denied
rm: cannot remove `/dev/shm/sysconfig/ifup-eth0': Permission denied
rm: cannot remove `/dev/shm/sysconfig/ifup-lo': Permission denied
rm: cannot remove `/dev/shm/sysconfig/tmp/test': Permission denied
/etc/init.d/network: line 385: /dev/shm/sysconfig/network: Permission denied
/sbin/ifup: line 234: /dev/shm/sysconfig/config-lo: Permission denied
Error while executing:
   Command 'ip route replace to 127/8 dev lo' returned:
  RTNETLINK answers: Operation not permitted
   Configuration line: 127/8 - - lo  
[1A..failed/sbin/ifup: line 234: /dev/shm/sysconfig/config-eth0: Permission denied
[1A..failed/sbin/ifstatus: line 234: /dev/shm/sysconfig/config-eth0: Permission denied
touch: cannot touch `/dev/shm/sysconfig/ready-lo': Permission denied
touch: cannot touch `/dev/shm/sysconfig/ready-eth0': Permission denied

I used command "su wwwrun", but there's nothing happen and in system log is "Feb 24 01:52:26 SLES10 su: (to wwwrun) root on /dev/pts/0
" and whoami is still "root".

But we i created a user name "test", and "su test", then log: "Feb 24 01:52:40 SLES10 su: (to test) root on /dev/pts/0"
and whoami is "test".

Then i used "su root" and type root's password. whoami is changed to "root".

So What to do?

bathory · 03-24-2009, 04:05 AM

That is because the user wwwrun does not have a valid shell. You can use:

Code:

sudo -u wwwrun -s

to become wwwrun using the current SHELL.
Or you can edit /etc/passwd and give wwwrun a valid shell (replace /bin/false with /bin/sh), but that is a security risk.

amigota · 03-25-2009, 02:11 AM

I tried as what u told me in /etc/passwd.

Code:

.
.
wwwrun:x:30:0:WWW daemon apache:/var/lib/wwwrun:/bin/sh

run by php exec("service network restart") command -> apache log:

Code:

service: only root can use service

Even in shell command, i couldn't use ls command:

Code:

SLES10:~ # sudo -u wwwrun -s
wwwrun@SLES10:/root>
wwwrun@SLES10:/root> ls    
/bin/ls: .: Permission denied

What's wrong??

bathory · 03-25-2009, 04:01 AM

Since you gave wwwrun a valid shell, using the settings in /etc/sudoers from the previous post, the following should work

PHP Code:



exec("sudo /etc/init.d/network restart");

amigota · 03-26-2009, 09:53 PM

It was the same result.

bathory · 03-27-2009, 05:34 AM

I've found a box running openSuse 10.3 and tested the above setup. It works either with "/etc/.init.d/network ..." or "/sbin/service network ...", with the following in /etc/sudoers:

Code:

Cmnd_Alias WEBMIN = /etc/init.d/network, /sbin/service
User_Alias APACHE = wwwrun
APACHE ALL = NOPASSWD: WEBMIN

I ran the commands from CLI, as there was no php installed, but the result should be the same:

Code:

sudo /etc/init.d/network restart
sudo /sbin/service network restart

Of course it's better to use /etc/init.d/<service-name>, specifying the service you want to manage, because using /sbin/service you can mess with all the available services
If you still have problems, I guess you're running some security software (apparmor?) that is preventing wwwrun to run sudo commands.