LinuxQuestions.org
Old 09-07-2010, 06:34 AM   #1
kzcom
LQ Newbie
 
Registered: Aug 2010
Posts: 25

Rep: Reputation: 0
sudo for www user to run root shell script via browser


Hi
I need sudo for the www (apache) user to run a shell script ('ip.sh', which contains iptables rules) from the cgi-bin directory via a browser using a perl script.
I edited sudoers (www ALL=(ALL) NOPASSWD: ALL), but when I run the command below it fails with an error:

# sudo -u www sh /srv/www/cgi-bin/ip.sh
iptables v1.4.4: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
And:
# ls -al ip.sh
-rwxr-xr-x 1 root root 243 Sep 7 14:18 ip.sh

I also edited sudoers like so:
'www ALL=(ALL) NOPASSWD: /srv/www/cgi-bin/ip.sh,/usr/sbin/iptables'
but that doesn't work either.
What's the problem, and how can I execute this script via a browser?
 
Old 09-07-2010, 06:47 AM   #2
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111Reputation: 111
You did not mention your Linux distro.

Generally the iptables command is located in the /sbin/ dir.

Here is an example entry for the sudoers file.

Code:
User_Alias APACHE = www-data
Cmnd_Alias FIREWALL = /sbin/iptables

APACHE ALL = (ALL) NOPASSWD: FIREWALL
Hope this helps
 
Old 09-07-2010, 07:15 AM   #3
goldenbarb
Member
 
Registered: Aug 2010
Distribution: Fedora, Centos, Debian
Posts: 49

Rep: Reputation: 7
Besides, you need to disable the tty requirement for this script.
I suppose it's enabled in /etc/sudoers.
 
Old 09-07-2010, 10:57 AM   #4
kzcom
LQ Newbie
 
Registered: Aug 2010
Posts: 25

Original Poster
Rep: Reputation: 0
I use SUSE Linux. I edited sudoers with your commands but nothing changed.
I tested the sudo config with YaST too, but the error was the same.
What does disabling/enabling the tty requirement mean, and how can I do it?
Thanks.

Last edited by kzcom; 09-07-2010 at 10:58 AM.
 
Old 09-07-2010, 11:06 AM   #5
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111Reputation: 111
Can you post your script configuration and sudoers file?
 
Old 09-07-2010, 12:02 PM   #6
goldenbarb
Member
 
Registered: Aug 2010
Distribution: Fedora, Centos, Debian
Posts: 49

Rep: Reputation: 7
Just an example.

Code:
Cmnd_Alias FIREWALL  = /srv/www/cgi-bin/ip.sh
Defaults    requiretty
Defaults!FIREWALL !requiretty
And show your sudoers please.
 
Old 09-07-2010, 01:30 PM   #7
kzcom
LQ Newbie
 
Registered: Aug 2010
Posts: 25

Original Poster
Rep: Reputation: 0
Ok,
sudoers:
-------------------------
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
Defaults always_set_home
Defaults env_reset
# Change env_reset to !env_reset in previous line to keep all environment variables
# Following list will no longer be necessary after this change

Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
# Comment out the preceding line and uncomment the following one if you need
# to use special input methods. This may allow users to compromise the root
# account if they are allowed to run commands without authentication.
#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"

# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
Defaults targetpw
ALL ALL = (ALL) ALL

# Runas alias specification

# User privilege specification
root ALL = (ALL) ALL
User_Alias APACHE = wwwrun
Cmnd_Alias FIREWALL =/usr/sbin/iptables,/srv/cgi-bin/ip.sh
Defaults requiretty
APACHE ALL = (ALL) NOPASSWD: FIREWALL
----------------------------------------------
I think the account that runs the web server (apache) is wwwrun.

The Apache log when I run that perl script (which calls ip.sh) with a browser:
[Tue Sep 07 22:02:12 2010] [notice] Apache/2.2.13 (Linux/SUSE) PHP/5.3.0 mod_mono/2.4.2 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] iptables v1.4.4:
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] can't initialize iptables table `filter': Permission denied (you must be root)
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] Perhaps iptables or your kernel needs to be upgraded.

Last edited by kzcom; 09-07-2010 at 01:32 PM.
 
Old 09-07-2010, 02:12 PM   #8
goldenbarb
Member
 
Registered: Aug 2010
Distribution: Fedora, Centos, Debian
Posts: 49

Rep: Reputation: 7
Do you run ip.sh with sudo from the perl script?

Anyway, it wouldn't work with this:
Code:
Defaults requiretty

There's another way.

You can save the iptables rules you need in temporary files from the CGI, and use a simple cron script to modify them.
I don't think it's a good idea to modify rules directly from CGI, for security reasons.
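
Added example, not part of the post above or of anyone's code in this thread: a sketch of the root-side cron script for the "CGI writes requests to a file, cron applies them" design. The queue path, the `block`/`unblock` request format and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Root-side half of the "CGI queues requests, cron applies them" design.
# Assumptions (not from the thread): the CGI appends lines of the form
# "block <IPv4>" or "unblock <IPv4>" to $QUEUE, and root's crontab runs this.
QUEUE="${QUEUE:-/var/spool/fwqueue/requests}"   # hypothetical path
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"      # path from the posted sudoers

# True only for a dotted quad: four octets, 0-255, no leading zeros.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Maps one request line to fixed iptables arguments; only a validated
# address is ever copied from the request into the command.
rule_args() {
    action=${1%% *}; addr=${1#* }
    valid_ipv4 "$addr" || return 1
    case "$action" in
        block)   echo "-I INPUT -s $addr -j DROP" ;;
        unblock) echo "-D INPUT -s $addr -j DROP" ;;
        *)       return 1 ;;
    esac
}

# Takes the queue, applies valid lines, prints "<applied> <rejected>".
process_queue() {
    [ -f "$QUEUE" ] && [ ! -L "$QUEUE" ] || { echo "0 0"; return 0; }
    work="$QUEUE.$$"
    mv "$QUEUE" "$work" || return 1
    applied=0; rejected=0
    while IFS= read -r line; do
        if args=$(rule_args "$line"); then
            $IPTABLES $args && applied=$((applied + 1))
        else
            rejected=$((rejected + 1))   # request content is not echoed or logged
        fi
    done < "$work"
    rm -f "$work"
    echo "$applied $rejected"
}

process_queue
```

With this split the web server account needs no sudoers entry at all: it can only append text, and root decides which of a fixed set of rule shapes that text may become.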
 
Old 09-07-2010, 03:10 PM   #9
kzcom
LQ Newbie
 
Registered: Aug 2010
Posts: 25

Original Poster
Rep: Reputation: 0
ok,i will try to test it.
Thanks
 
Old 09-08-2010, 02:57 AM   #10
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111Reputation: 111
Quote:
i think the account that runs the web server (apache) is wwwrun.

The log of apachi when i run that perl script (in that called ip.sh)with a browser:
[Tue Sep 07 22:02:12 2010] [notice] Apache/2.2.13 (Linux/SUSE) PHP/5.3.0 mod_mono/2.4.2 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] iptables v1.4.4:
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] can't initialize iptables table `filter': Permission denied (you must be root)
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] Perhaps iptables or your kernel needs to be upgraded.
In SUSE Linux, wwwrun is the user for the Apache service.

After making the change in the sudoers file, you have to run the iptables command as wwwrun.

After making the change, check whether the wwwrun user is able to run the iptables command:

Code:
sudo -u wwwrun sudo /sbin/iptables -L
If you are able to run this command successfully in a terminal, then check the script. You didn't post the script, so I assume there is a variable for the iptables command; add the sudo command to the variable's value in the script,

i.e.

Code:
# iptables command variable
IPTABLES="sudo -u wwwrun sudo /sbin/iptables"
Hope this helps.
Let us know the status.
 
1 members found this post helpful.
Old 09-14-2010, 04:25 PM   #11
kzcom
LQ Newbie
 
Registered: Aug 2010
Posts: 25

Original Poster
Rep: Reputation: 0
Hi, sem007
Please excuse me for the delay in answering. I used another way, but I tested your command and it worked successfully.

Thanks.
 
Old 09-15-2010, 02:48 AM   #12
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111Reputation: 111
Glad it works. Please mark the thread as SOLVED so newbies can find the solution to the same problem.

Regards,
 
  

