LinuxQuestions.org


Legolas891 12-22-2009 01:11 PM

www-data execute iptables
 
Hi all,

I have a biiig question for you guys. What's safer: to give www-data root permissions to iptables to execute some rules, or to give www-data root permissions to a script made by me that executes the rule and receives the IP from the page?
Or do you have any other, safer ideas for doing that? (Perl, CGI, etc.)
All I want is to execute an iptables rule from PHP.

Thanks,
Mihai

rweaver 12-22-2009 02:34 PM

If any part of the data is being submitted or sent by a webpage, check your data very, very carefully to make sure it is what you're looking for and only what you're looking for.

I'd be more inclined to write out a text file with just the 'variable' information in it and have a cron'd script read the file, validate the data, and execute the iptables command if necessary (and that has nothing to do with PHP, Perl, or CGI... it's just a bit safer IMO than letting a webapp call a system utility directly.)
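The queue-file approach described in the post above, as an added example that is not part of the original thread: a root-run helper reads the lines the web app wrote, accepts only a strict IPv4 address inside the client network, and passes it to iptables as an argv list with no shell. The chain name, rule spec, port and client network are hypothetical placeholders, since the thread never shows the full rule.

```python
import ipaddress
import re
import subprocess

# Assumptions (not from the thread): client subnet, chain name and rule spec.
CLIENT_NET = ipaddress.ip_network("192.168.1.0/24")
RULE_TEMPLATE = ["-t", "nat", "-D", "MOTD_REDIRECT", "-s", "{ip}", "-p", "tcp",
                 "--dport", "80", "-j", "REDIRECT", "--to-ports", "8080"]
# \Z (not $) so a trailing newline cannot slip past the pattern.
STRICT_IPV4 = re.compile(r"\A(?:[0-9]{1,3}\.){3}[0-9]{1,3}\Z")


def validate_ip(raw):
    """Return a canonical IPv4 string, or None if raw is anything else."""
    if not STRICT_IPV4.match(raw):
        return None
    try:
        addr = ipaddress.IPv4Address(raw)
    except ipaddress.AddressValueError:
        return None  # e.g. an octet above 255
    return str(addr) if addr in CLIENT_NET else None


def build_command(ip):
    """Fixed argv for iptables; only the validated address is substituted."""
    return ["/sbin/iptables"] + [arg.format(ip=ip) for arg in RULE_TEMPLATE]


def process_queue(lines, run=subprocess.run):
    """Run the delete rule once per valid address; return (done, rejected)."""
    done, rejected = [], []
    for line in lines:
        raw = line.rstrip("\n")
        ip = validate_ip(raw)
        if ip is None:
            rejected.append(raw)  # log these; they never reach iptables
        elif ip not in done:
            run(build_command(ip), check=False)
            done.append(ip)
    return done, rejected


if __name__ == "__main__":
    # Constructed sample queue; the dry-run runner prints instead of executing.
    sample = ["192.168.1.23\n", "192.168.1.23; reboot\n", "10.9.9.9\n"]
    print(process_queue(sample, run=lambda argv, check=False: print(argv)))
```

With this split, www-data only needs write access to the queue file, and the only thing that runs as root is the helper with its fixed command.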

Legolas891 12-22-2009 03:36 PM

Quote:

Originally Posted by rweaver (Post 3801558)
If any part of the data is being submitted or sent by a webpage, check your data very, very carefully to make sure it is what you're looking for and only what you're looking for.

I'd be more inclined to write out a text file with just the 'variable' information in it and have a cron'd script read the file, validate the data, and execute the iptables command if necessary (and that has nothing to do with PHP, Perl, or CGI... it's just a bit safer IMO than letting a webapp call a system utility directly.)

OK, but I want it to be more "real time". This is for a "message of the day" system of my clients behind a Linux router. I redirect them every day by a cron job, and the idea is that when they access a web page, all HTTP traffic is redirected to my Apache server, and they access a page with a message, and they have a button "Continue to requested page" which executes iptables -D .... to delete the rule and redirects them to the requested page.

