sudo for www user to run root shell script via browser
 

Hi
I need sudo for www (apache) user to run a shell script('ip.sh' contains iptables rules) from cgi-bin directory via browser using a per script.
I edit sudoers( www ALL=(ALL) NOPASSWD: ALL ),but when run the bellow command that's with err:

# sudo -u www sh /srv/www/cgi-bin/ip.sh
iptables v1.4.4: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
And:
# ls -al ip.sh
-rwxr-xr-x 1 root root 243 Sep 7 14:18 ip.sh

I edit sudoers so
'www ALL=(ALL) NOPASSWD: /srv/www/cgi-bin/ip.sh,/usr/sbin/iptables' too.
but it doesn't work too.
what's problem and how can I execute this script via browser ?

You not mention you linux distro.

generally iptables command located in /sbin/ dir.

here example entry for sudoers file.

Hope this help

Besides you need to disable requirement of tty for this script.
I suppose it's enabled in /etc/sudoers.

I use Suselinux.i edit sudoers with your commands but any thing didn't change.
i tested sudo config with yast too,but the err was same.
what do means disable/enable requirement of tty?and how can i doing it?
thanks.

Can you post your script configuration and sudoers file?

Just an example.

And show your sudoers please.

Ok,
sudoers:
-------------------------
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
Defaults always_set_home
Defaults env_reset
# Change env_reset to !env_reset in previous line to keep all environment variables
# Following list will no longer be necessary after this change

Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
# Comment out the preceding line and uncomment the following one if you need
# to use special input methods. This may allow users to compromise the root
# account if they are allowed to run commands without authentication.
#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"

# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
Defaults targetpw
ALL ALL = (ALL) ALL

# Runas alias specification

# User privilege specification
root ALL = (ALL) ALL
User_Alias APACHE = wwwrun
Cmnd_Alias FIREWALL =/usr/sbin/iptables,/srv/cgi-bin/ip.sh
Defaults requiretty
APACHE ALL = (ALL) NOPASSWD: FIREWALL
----------------------------------------------
i think the account that runs the web server (apache) is wwwrun.

The log of apachi when i run that perl script (in that called ip.sh)with a browser:
[Tue Sep 07 22:02:12 2010] [notice] Apache/2.2.13 (Linux/SUSE) PHP/5.3.0 mod_mono/2.4.2 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] iptables v1.4.4:
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] can't initialize iptables table `filter': Permission denied (you must be root)
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] Perhaps iptables or your kernel needs to be upgraded.

Do you run ip.sh with sudo from perl script?

Anyway, it wouldn't work with this:

There's another way.

You can save iptables rules you need in temporary files from CGI, and use simple cron script to modify them.
I don't think it's a good idea to modify rules directly from CGI for security reasons.

ok,i will try to test it.
Thanks

In suse linux wwwrun is a user for apache service.

After making change in sudoers file you have to run iptables command as wwwrun.

After making change, check wwwrun user able to run or not iptables command

If you are able to run this command successfully on terminal then check script. you didn't post script so I assume there is variable for iptables command add sudo command in variable value in script

i.e

Hope this help.
Let us know the status.

Hi,sem007
Excuse me for the delay in answering,please.i use another way, but i test your command and it worked successfully.

Thanks.

Glad it works. Please mark thread as SOLVED so newbie find solution on same problem.

Regards,