sudo for www user to run root shell script via browser
Hi
I need sudo for the www (apache) user to run a shell script ('ip.sh', which contains iptables rules) from the cgi-bin directory via browser using a Perl script. I edited sudoers (www ALL=(ALL) NOPASSWD: ALL), but when I run the command below it fails with this error:
Code:
# sudo -u www sh /srv/www/cgi-bin/ip.sh
iptables v1.4.4: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
And:
Code:
# ls -al ip.sh
-rwxr-xr-x 1 root root 243 Sep 7 14:18 ip.sh
I edited sudoers to 'www ALL=(ALL) NOPASSWD: /srv/www/cgi-bin/ip.sh,/usr/sbin/iptables' too, but it doesn't work either. What's the problem, and how can I execute this script via browser?
You did not mention your Linux distro.
Generally the iptables command is located in the /sbin/ dir. Here is an example entry for the sudoers file.
Code:
User_Alias APACHE = www-data
Besides, you need to disable the requirement of a tty for this script.
I suppose it's enabled in /etc/sudoers.
I use SUSE Linux. I edited sudoers with your commands but nothing changed.
I tested the sudo config with YaST too, but the error was the same. What does "disable/enable requirement of tty" mean, and how can I do it? Thanks.
Can you post your script configuration and sudoers file?
Just an example.
Code:
Cmnd_Alias FIREWALL = /srv/www/cgi-bin/ip.sh
Ok,
sudoers:
Code:
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
Defaults always_set_home
Defaults env_reset
# Change env_reset to !env_reset in previous line to keep all environment variables
# Following list will no longer be necessary after this change
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
# Comment out the preceding line and uncomment the following one if you need
# to use special input methods. This may allow users to compromise the root
# account if they are allowed to run commands without authentication.
#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
Defaults targetpw
ALL ALL = (ALL) ALL

# Runas alias specification

# User privilege specification
root ALL = (ALL) ALL

User_Alias APACHE = wwwrun
Cmnd_Alias FIREWALL = /usr/sbin/iptables,/srv/cgi-bin/ip.sh
Defaults requiretty
APACHE ALL = (ALL) NOPASSWD: FIREWALL
I think the account that runs the web server (apache) is wwwrun. The log of apache when I run that perl script (which calls ip.sh) from a browser:
Code:
[Tue Sep 07 22:02:12 2010] [notice] Apache/2.2.13 (Linux/SUSE) PHP/5.3.0 mod_mono/2.4.2 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] iptables v1.4.4:
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] can't initialize iptables table `filter': Permission denied (you must be root)
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] Perhaps iptables or your kernel needs to be upgraded.
Do you run ip.sh with sudo from the perl script?
Anyway, it wouldn't work with this:
Code:
Defaults requiretty
There's another way. You can save the iptables rules you need in temporary files from CGI, and use a simple cron script to modify them. I don't think it's a good idea to modify rules directly from CGI for security reasons.
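The queue-and-cron split suggested in the reply above, as an added example that is not code from the thread: the CGI only appends a request line to a spool file, and a root cron job validates every line against fixed shapes before it ever reaches iptables, so the web server account needs no sudo at all. The spool path, the iptables path and the two request forms ("block <ipv4>" / "unblock <ipv4>") are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Root-side consumer for firewall
# requests queued by a CGI script. Assumptions: the CGI appends lines of the
# form "block <ipv4>" or "unblock <ipv4>" to $QUEUE (writable by wwwrun only);
# paths below are placeholders, adjust per distro.
QUEUE="${QUEUE:-/var/spool/fwqueue/requests}"
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

# valid_ipv4 A.B.C.D -> 0 for a dotted quad with octets 0-255, else 1
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty octet
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')  # split octets into positional args
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# parse_request LINE -> prints the iptables argument list for an allowed
# request; prints nothing and returns 1 otherwise. The line is never eval'd
# or spliced into a command string, only matched against fixed shapes.
parse_request() {
    action=${1%% *}
    ip=${1#* }
    [ "$action" != "$1" ] || return 1        # no space at all: malformed
    case "$ip" in *" "*) return 1 ;; esac    # more than two fields: reject
    valid_ipv4 "$ip" || return 1
    case "$action" in
        block)   printf '%s\n' "-A INPUT -s $ip -j DROP" ;;
        unblock) printf '%s\n' "-D INPUT -s $ip -j DROP" ;;
        *)       return 1 ;;
    esac
}

# process_queue: apply each valid queued line, report rejects on stderr,
# truncate the queue, and print the number of requests applied.
process_queue() {
    applied=0
    [ -f "$QUEUE" ] || { echo 0; return 0; }
    while IFS= read -r line; do
        args=$(parse_request "$line") || { printf 'rejected: %s\n' "$line" >&2; continue; }
        "$IPTABLES" $args && applied=$((applied + 1))   # $args holds validated tokens only
    done < "$QUEUE"
    : > "$QUEUE"
    echo "$applied"
}

# A root cron entry would run this file with FWQUEUE_RUN=1 set.
if [ "${FWQUEUE_RUN:-0}" = 1 ]; then process_queue; fi
```

The CGI side then needs only write access to the spool file, and a rejected line shows up in the cron job's stderr (mail or syslog) rather than silently failing in the Apache error log.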
OK, I will try to test it.
Thanks
After making the change in the sudoers file you have to run the iptables command as wwwrun. After making the change, check whether the wwwrun user is able to run the iptables command:
Code:
sudo -u wwwrun sudo /sbin/iptables -L
i.e.
Code:
# iptables command variable
Let us know the status.
Hi sem007,
Excuse me for the delay in answering, please. I used another way, but I tested your command and it worked successfully. Thanks.
Glad it works. Please mark the thread as SOLVED so newbies can find the solution to the same problem.
Regards,