LinuxQuestions.org

Linux - General: sudo for www user to run root shell script via browser (http://www.linuxquestions.org/questions/linux-general-1/sudo-for-www-user-to-run-root-shell-script-via-browser-830750/)

kzcom 09-07-2010 05:34 AM

sudo for www user to run root shell script via browser
 
Hi
I need sudo for the www (Apache) user to run a shell script ('ip.sh', which contains iptables rules) from the cgi-bin directory via the browser, using a Perl script.
I edited sudoers ( www ALL=(ALL) NOPASSWD: ALL ), but when I run the command below it fails with this error:

Code:

# sudo -u www sh /srv/www/cgi-bin/ip.sh
iptables v1.4.4: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

And:

Code:

# ls -al ip.sh
-rwxr-xr-x 1 root root 243 Sep 7 14:18 ip.sh

I also edited sudoers to
'www ALL=(ALL) NOPASSWD: /srv/www/cgi-bin/ip.sh,/usr/sbin/iptables',
but that doesn't work either.
What's the problem, and how can I execute this script via the browser?

sem007 09-07-2010 05:47 AM

You did not mention your Linux distro.

Generally the iptables command is located in the /sbin/ directory.

Here is an example entry for the sudoers file.

Code:

User_Alias APACHE = www-data
Cmnd_Alias FIREWALL = /sbin/iptables

APACHE ALL = (ALL) NOPASSWD: FIREWALL

Hope this helps.

goldenbarb 09-07-2010 06:15 AM

Besides, you need to disable the tty requirement for this script.
I suppose it's enabled in /etc/sudoers.

kzcom 09-07-2010 09:57 AM

I use SUSE Linux. I edited sudoers with your commands, but nothing changed.
I tested the sudo config with YaST too, but the error was the same.
What does disabling/enabling the tty requirement mean, and how can I do it?
Thanks.

sem007 09-07-2010 10:06 AM

Can you post your script configuration and sudoers file?

goldenbarb 09-07-2010 11:02 AM

Just an example.

Code:

Cmnd_Alias FIREWALL  = /srv/www/cgi-bin/ip.sh
Defaults    requiretty
Defaults!FIREWALL !requiretty

And show your sudoers please.

kzcom 09-07-2010 12:30 PM

Ok,
sudoers:
-------------------------
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
Defaults always_set_home
Defaults env_reset
# Change env_reset to !env_reset in previous line to keep all environment variables
# Following list will no longer be necessary after this change

Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
# Comment out the preceding line and uncomment the following one if you need
# to use special input methods. This may allow users to compromise the root
# account if they are allowed to run commands without authentication.
#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"

# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
Defaults targetpw
ALL ALL = (ALL) ALL

# Runas alias specification

# User privilege specification
root ALL = (ALL) ALL
User_Alias APACHE = wwwrun
Cmnd_Alias FIREWALL =/usr/sbin/iptables,/srv/cgi-bin/ip.sh
Defaults requiretty
APACHE ALL = (ALL) NOPASSWD: FIREWALL
----------------------------------------------
I think the account that runs the web server (Apache) is wwwrun.

The Apache log when I run that Perl script (which calls ip.sh) from a browser:

Code:
[Tue Sep 07 22:02:12 2010] [notice] Apache/2.2.13 (Linux/SUSE) PHP/5.3.0 mod_mono/2.4.2 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] iptables v1.4.4:
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] can't initialize iptables table `filter': Permission denied (you must be root)
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] Perhaps iptables or your kernel needs to be upgraded.

goldenbarb 09-07-2010 01:12 PM

Do you run ip.sh with sudo from the Perl script?

Anyway, it wouldn't work with this:
Code:

Defaults requiretty

There's another way.

You can save the iptables rules you need in temporary files from the CGI, and use a simple cron script to modify them.
I don't think it's a good idea to modify rules directly from the CGI, for security reasons.
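goldenbarb's queue-and-cron design, worked out as an added example (this is not code from the thread; the spool directory, the chain name and the request file layout are my assumptions): the CGI, running as wwwrun, only writes a one-line request into a spool directory it can write to, and a root cron job re-validates every request against a strict allow-list (an action word plus a plain IPv4 address, nothing else) before it calls iptables. sudo is not involved at all, so none of the sudoers questions above arise, and a compromised CGI can at most queue a well-formed block or unblock request.

```shell
#!/bin/sh
# Added example (not from the thread): goldenbarb's "queue + cron" design.
# The CGI (running as wwwrun) never touches iptables. It drops a one-line
# request into a spool directory; a root cron job validates each request
# against a strict allow-list and only then calls iptables.
#
# Assumptions (mine, not the thread's): SPOOL_DIR and CHAIN are made up names;
# the spool directory is created by root, group-writable for wwwrun;
# IPTABLES can be overridden (e.g. IPTABLES=echo) for a dry run.

SPOOL_DIR="${SPOOL_DIR:-/var/spool/fwqueue}"   # writable by wwwrun, processed by root
CHAIN="${CHAIN:-WEB_BLOCK}"                   # a dedicated chain, never INPUT directly
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"    # the SUSE path used in the thread

# validate_request ACTION ADDRESS
# Returns 0 only for "block"/"unblock" and a dotted-quad IPv4 address with
# four numeric octets in 0-255. Hostnames, CIDR ranges, empty fields and any
# shell metacharacters are rejected, so a request can never turn into an
# arbitrary iptables argument.
validate_request() {
    action=$1
    addr=$2
    case "$action" in
        block|unblock) ;;
        *) return 1 ;;
    esac
    # split on dots with parameter expansion only (no IFS changes, no subshell)
    o1=${addr%%.*}; rest=${addr#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    # anything that does not reassemble into the input had the wrong number of dots
    [ "$o1.$o2.$o3.$o4" = "$addr" ] || return 1
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;        # empty or non-digit octet
        esac
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# submit_request ACTION ADDRESS  (CGI side, runs as wwwrun, no privileges needed)
# Writes "action address" into a uniquely named spool file.
submit_request() {
    validate_request "$1" "$2" || return 1
    f=$(mktemp "$SPOOL_DIR/req.XXXXXX") || return 1
    printf '%s %s\n' "$1" "$2" > "$f"
}

# apply_rule ACTION ADDRESS: the only place iptables is ever invoked
apply_rule() {
    case "$1" in
        block)   "$IPTABLES" -A "$CHAIN" -s "$2" -j DROP ;;
        unblock) "$IPTABLES" -D "$CHAIN" -s "$2" -j DROP ;;
    esac
}

# process_queue  (root side, e.g. from cron: "* * * * * root /usr/local/sbin/fwqueue.sh process")
# The spool is the trust boundary, so every request is validated again here
# regardless of what the CGI checked. Prints "applied=N rejected=M".
process_queue() {
    applied=0
    rejected=0
    for f in "$SPOOL_DIR"/req.*; do
        [ -f "$f" ] || continue
        action=; addr=; junk=
        read -r action addr junk < "$f" || :
        if [ -z "$junk" ] && validate_request "$action" "$addr" && apply_rule "$action" "$addr"; then
            applied=$((applied + 1))
        else
            printf 'fwqueue: rejected or failed: %s\n' "$f" >&2
            rejected=$((rejected + 1))
        fi
        rm -f "$f"        # a request is consumed whether or not it was accepted
    done
    printf 'applied=%d rejected=%d\n' "$applied" "$rejected"
}

# Usage: fwqueue.sh submit block 192.168.1.4   (from the CGI, as wwwrun)
#        fwqueue.sh process                     (from root's cron)
case "${1:-}" in
    submit)  submit_request "$2" "$3" ;;
    process) process_queue ;;
esac
```

The point of re-validating on the root side is that the spool directory, not the CGI, is the trust boundary: anything able to write there (the web server, or whatever has taken it over) still cannot get more than a DROP rule for one address into one dedicated chain.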

kzcom 09-07-2010 02:10 PM

OK, I will try to test it.
Thanks

sem007 09-08-2010 01:57 AM

Quote:

I think the account that runs the web server (Apache) is wwwrun.

The Apache log when I run that Perl script (which calls ip.sh) from a browser:
[Tue Sep 07 22:02:12 2010] [notice] Apache/2.2.13 (Linux/SUSE) PHP/5.3.0 mod_mono/2.4.2 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] iptables v1.4.4:
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] can't initialize iptables table `filter': Permission denied (you must be root)
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] Perhaps iptables or your kernel needs to be upgraded.
In SUSE Linux, wwwrun is the user for the Apache service.

After making the change in the sudoers file you have to run the iptables command as wwwrun.

After making the change, check whether the wwwrun user is able to run the iptables command:

Code:

sudo -u wwwrun sudo /sbin/iptables -L
If you are able to run this command successfully on the terminal, then check the script. You didn't post the script, so I assume there is a variable for the iptables command; add the sudo command to the variable's value in the script,

i.e.

Code:

# iptables command variable
IPTABLES="sudo -u wwwrun sudo /sbin/iptables"

Hope this helps.
Let us know the status.
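For sem007's example sudoers entry earlier in the thread and the check in this post, here is an added example (not code from the thread) of the two things a practitioner would want to automate around it: a lint that flags the sudoers pitfalls discussed above (the blanket NOPASSWD: ALL grant from the first post, (ALL) runas for the web account, requiretty with no exemption, and the SUSE template's targetpw and ALL ALL lines that the template's own comment says to delete), and the narrowest grant that still satisfies the original goal. The web account names it checks, the finding codes and the ip.sh path (taken from kzcom's first post) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a small lint for the sudoers pitfalls
# discussed above, plus the tightened grant sem007's check is meant to verify.
# Run it against a copy of /etc/sudoers; it only reads the file.
# Assumptions (mine, not the thread's): the web account names, the finding
# codes, and the ip.sh path (from kzcom's first post).

WEB_USERS='(wwwrun|www-data|www|apache|APACHE)'   # accounts/alias treated as "the web server"

# has PATTERN: true if any non-comment sudoers line matches the extended regex
has() { printf '%s\n' "$rules" | grep -Eq "$1"; }

# lint_sudoers FILE: print one "[CODE] explanation" line per problem found
lint_sudoers() {
    rules=$(grep -Ev '^[[:space:]]*(#|$)' "$1" || :)   # drop comments and blank lines

    # web account may run *any* command as root ("www ALL=(ALL) NOPASSWD: ALL"
    # from the first post): one writable CGI script then equals a root shell
    if has "^$WEB_USERS[[:space:]].*[=:)][[:space:]]*ALL[[:space:]]*$"; then
        echo "[NOPASSWD_ALL] web account may run any command as root"
    fi
    # (ALL) lets the web account pick any target user; (root) is all ip.sh needs
    if has "^$WEB_USERS[[:space:]].*\(ALL\)"; then
        echo "[RUNAS_ALL] web account rule uses (ALL); restrict runas to (root)"
    fi
    # requiretty refuses sudo without a terminal, which is exactly a CGI's situation,
    # unless a Defaults!Cmnd_Alias or Defaults:user line switches it off
    if has '^Defaults[[:space:]]+requiretty' && ! has '^Defaults[!:].*!requiretty'; then
        echo "[REQUIRETTY] requiretty set with no exemption; sudo from CGI (no tty) fails"
    fi
    # SUSE template lines that the template's own comment says to delete
    # once sudo has been configured
    if has '^ALL[[:space:]]+ALL[[:space:]]*='; then
        echo "[CATCHALL] 'ALL ALL = (ALL) ALL' lets every account use sudo"
    fi
    if has '^Defaults[[:space:]]+targetpw'; then
        echo "[TARGETPW] targetpw prompts for root's password, which a CGI cannot supply"
    fi
}

# hardened_sudoers: the narrowest grant that satisfies the thread's goal.
# ip.sh itself must be root-owned and not writable by wwwrun, otherwise the
# grant is a root shell in disguise. The trailing "" in the Cmnd_Alias means
# the command may only be run without arguments.
hardened_sudoers() {
    cat <<'EOF'
# wwwrun may run ip.sh as root, with no arguments, without a tty.
# Install with visudo, which checks the syntax before saving.
User_Alias APACHE = wwwrun
Cmnd_Alias FIREWALL = /srv/www/cgi-bin/ip.sh ""
Defaults!FIREWALL !requiretty
APACHE ALL = (root) NOPASSWD: FIREWALL
EOF
}

# Usage: sh sudoers-lint.sh /etc/sudoers   (prints findings; prints nothing when clean)
if [ $# -eq 1 ]; then
    lint_sudoers "$1"
fi
```

After installing the grant, sem007's check becomes `sudo -u wwwrun sudo /srv/www/cgi-bin/ip.sh` from a terminal, and the lint run over the final file should print nothing.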

kzcom 09-14-2010 03:25 PM

Hi sem007,
Excuse me for the delay in answering, please. I used another way, but I tested your command and it worked successfully.

Thanks.

sem007 09-15-2010 01:48 AM

Glad it works. Please mark the thread as SOLVED so newbies can find the solution to the same problem.

Regards,
