[SOLVED] sudo for www user to run root shell script via browser
Linux - General forum (LinuxQuestions.org)
Hi
I need sudo for the www (Apache) user to run a shell script ('ip.sh', which contains iptables rules) from the cgi-bin directory via the browser, using a Perl script.
I edited sudoers (www ALL=(ALL) NOPASSWD: ALL), but when I run the command below it fails with this error:
Code:
# sudo -u www sh /srv/www/cgi-bin/ip.sh
iptables v1.4.4: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
And:
Code:
# ls -al ip.sh
-rwxr-xr-x 1 root root 243 Sep 7 14:18 ip.sh
I also edited sudoers like this:
'www ALL=(ALL) NOPASSWD: /srv/www/cgi-bin/ip.sh,/usr/sbin/iptables'
but that doesn't work either.
What is the problem, and how can I execute this script via the browser?
I use SUSE Linux. I edited sudoers with your commands, but nothing changed.
I tested the sudo config with YaST too, but the error was the same.
What does disabling/enabling the tty requirement mean, and how can I do it?
Thanks.
Code:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# Prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
Defaults always_set_home
Defaults env_reset
# Change env_reset to !env_reset in previous line to keep all environment variables
# Following list will no longer be necessary after this change
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
# Comment out the preceding line and uncomment the following one if you need
# to use special input methods. This may allow users to compromise the root
# account if they are allowed to run commands without authentication.
#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
Defaults targetpw
ALL ALL = (ALL) ALL
# Runas alias specification
# User privilege specification
root ALL = (ALL) ALL
User_Alias APACHE = wwwrun
Cmnd_Alias FIREWALL =/usr/sbin/iptables,/srv/cgi-bin/ip.sh
Defaults requiretty
APACHE ALL = (ALL) NOPASSWD: FIREWALL
----------------------------------------------
I think the account that runs the web server (Apache) is wwwrun.
The Apache log when I run that Perl script (which calls ip.sh) from a browser:
Code:
[Tue Sep 07 22:02:12 2010] [notice] Apache/2.2.13 (Linux/SUSE) PHP/5.3.0 mod_mono/2.4.2 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] iptables v1.4.4:
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] can't initialize iptables table `filter': Permission denied (you must be root)
[Tue Sep 07 22:28:00 2010] [error] [client 192.168.1.4] Perhaps iptables or your kernel needs to be upgraded.
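To make the failure concrete, here is an added example (my own code, not anything posted in the thread) that audits the sudoers file posted above for the settings that matter in this situation: a global requiretty with no exemption (a CGI has no controlling tty, so sudo refuses before it even looks at the grant), the SUSE "unconfigured" targetpw and ALL ALL = (ALL) ALL lines that the file's own comment says to delete, a grant of ALL commands to the web user, a Cmnd_Alias whose path does not match where the script actually lives, and a bare iptables grant with unrestricted arguments. The user name wwwrun and the path /srv/www/cgi-bin/ip.sh are taken from the thread; the FIXED_SUDOERS fragment is my suggested narrowing of the grant, not something the poster wrote.

```python
"""Audit a sudoers file for the settings that break or endanger a
'web-server user runs one root-owned script' setup (added example)."""
import re

# Constructed from the sudoers shown in the thread; comments and the env_keep
# lines are dropped because they do not affect the audit.
OP_SUDOERS = """\
Defaults always_set_home
Defaults env_reset
Defaults targetpw
ALL ALL = (ALL) ALL
root ALL = (ALL) ALL
User_Alias APACHE = wwwrun
Cmnd_Alias FIREWALL =/usr/sbin/iptables,/srv/cgi-bin/ip.sh
Defaults requiretty
APACHE ALL = (ALL) NOPASSWD: FIREWALL
"""

# Suggested narrowing (assumption, not from the thread): requiretty stays on
# globally, only the one script is exempted, runas is root only, and the
# web user gets exactly that script, nothing else.
FIXED_SUDOERS = """\
Defaults env_reset
Defaults requiretty
Defaults!/srv/www/cgi-bin/ip.sh !requiretty
root ALL = (ALL) ALL
wwwrun ALL = (root) NOPASSWD: /srv/www/cgi-bin/ip.sh
"""

# user host = (runas) [NOPASSWD:] commands
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?P<tag>NOPASSWD|PASSWD)\s*:\s*)?(?P<cmds>.+)$")


def parse(text):
    """Split sudoers text into Defaults lines, alias tables and user specs.
    Aliases are stored unresolved; audit() expands them."""
    defaults, user_aliases, cmnd_aliases, specs = [], {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            defaults.append(line)
        elif line.startswith(("User_Alias", "Cmnd_Alias")):
            kind, rest = line.split(None, 1)
            name, members = rest.split("=", 1)
            table = user_aliases if kind == "User_Alias" else cmnd_aliases
            table[name.strip()] = [m.strip() for m in members.split(",")]
        else:
            m = SPEC_RE.match(line)
            if m:
                specs.append(m.groupdict())
    return defaults, user_aliases, cmnd_aliases, specs


def audit(text, web_user, script):
    """Return a list of findings about web_user being allowed to run script."""
    defaults, user_aliases, cmnd_aliases, specs = parse(text)
    findings = []
    joined = "\n".join(defaults)

    # A CGI has no tty: with requiretty sudo refuses unless the user or the
    # command carries a '!requiretty' exemption.
    if re.search(r"^Defaults\s+requiretty\b", joined, re.M):
        exempt = r"^Defaults[:!](%s|%s)\s+!requiretty\b" % (
            re.escape(web_user), re.escape(script))
        if not re.search(exempt, joined, re.M):
            findings.append("requiretty: set with no '!requiretty' exemption for %s or %s, "
                            "so sudo from a CGI (no tty) is refused" % (web_user, script))

    # targetpw is SUSE's unconfigured default ("ask for root's password").
    if re.search(r"^Defaults\s+targetpw\b", joined, re.M):
        findings.append("targetpw: SUSE's unconfigured default is still present; remove it "
                        "together with the matching 'ALL ALL = (ALL) ALL' line")

    base = script.rsplit("/", 1)[-1]
    for spec in specs:
        users = user_aliases.get(spec["user"], [spec["user"]])
        if web_user not in users and "ALL" not in users:
            continue
        cmds = []
        for c in spec["cmds"].split(","):
            cmds.extend(cmnd_aliases.get(c.strip(), [c.strip()]))
        for c in cmds:
            if c == "ALL":
                findings.append("%s: may run ALL commands as root" % spec["user"])
            elif c.rsplit("/", 1)[-1] == base and c != script:
                findings.append("%s: grant names %s but the script lives at %s; "
                                "sudo matches the full path" % (spec["user"], c, script))
            elif c != script:
                findings.append("%s: grants %s with unrestricted arguments; grant only "
                                "the wrapper script" % (spec["user"], c))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", OP_SUDOERS), ("narrowed", FIXED_SUDOERS)):
        print(label + ":")
        for f in audit(text, "wwwrun", "/srv/www/cgi-bin/ip.sh") or ["no findings"]:
            print("  " + f)
```

Even a clean grant only helps if the CGI actually invokes the script through sudo, with the script's full path and no interpreter in front of it (`sudo -n /srv/www/cgi-bin/ip.sh`, not `sudo sh ip.sh`: a grant on the shell is a grant on everything), and if the script stays root-owned and not writable by wwwrun, otherwise the web user can simply edit what root will run.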
You can save the iptables rules you need in temporary files from the CGI, and use a simple cron script to modify them.
I don't think it's a good idea to modify rules directly from CGI, for security reasons.
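The reply above suggests having the CGI only write the wanted rules to files and letting a root cron job pick them up, so the web user needs no sudo at all. Here is that design worked through as an added example (my code, not the poster's). It assumes a hypothetical spool directory such as /var/spool/fwreq that is sticky and writable by wwwrun, into which the CGI writes uniquely named *.req files; the request format ("block <ipv4>" / "allow <ipv4>") is my own. The iptables path is the one from the thread's sudoers.

```python
"""Root-side cron consumer for firewall requests dropped by a CGI (added example)."""
import ipaddress
import os
import subprocess

IPTABLES = "/usr/sbin/iptables"          # path used in the thread's sudoers
ACTIONS = {"block": "DROP", "allow": "ACCEPT"}
MAX_RULES_PER_FILE = 50                  # a CGI may queue only so much per run

# Constructed request file, as the CGI would write it. The last three lines
# are the kind of thing an attacker who controls the form field would try.
SAMPLE_REQUEST = """\
block 192.168.1.4
allow 10.0.0.0/8
block 192.168.1.4; /usr/sbin/iptables -F
block evil.example
flush
"""


def parse_request(line):
    """Map one request line to an iptables argv, or raise ValueError.
    Only two verbs and a literal IPv4 address/prefix are accepted; the
    ipaddress module does the parsing, so no shell metacharacter survives."""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError("expected '<allow|block> <ipv4>': %r" % line)
    verb, addr = parts
    if verb not in ACTIONS:
        raise ValueError("unknown verb %r" % verb)
    net = ipaddress.ip_network(addr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only: %r" % addr)
    return [IPTABLES, "-I", "INPUT", "-s", net.with_prefixlen, "-j", ACTIONS[verb]]


def plan(text):
    """Validate a whole request file. Returns (argv_list, rejected), where
    rejected is a list of (line_number, reason); a bad line never aborts
    the good ones and never reaches iptables."""
    cmds, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if len(cmds) >= MAX_RULES_PER_FILE:
            rejected.append((n, "over the per-file rule limit"))
            continue
        try:
            cmds.append(parse_request(line))
        except ValueError as exc:
            rejected.append((n, str(exc)))
    return cmds, rejected


def process_spool(spool_dir, expected_uid, dry_run=True):
    """Cron entry point (run as root). Skips symlinks and files not owned by
    the web user, applies the validated argv lists without a shell, and
    renames each file so it is consumed exactly once."""
    applied = []
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        st = os.lstat(path)
        if not name.endswith(".req") or os.path.islink(path) or st.st_uid != expected_uid:
            continue
        with open(path) as fh:
            cmds, rejected = plan(fh.read())
        for argv in cmds:
            if not dry_run:
                subprocess.run(argv, check=True)   # argv list: no shell involved
            applied.append(argv)
        os.replace(path, path + ".done")           # keep for audit, never re-run
    return applied


if __name__ == "__main__":
    cmds, rejected = plan(SAMPLE_REQUEST)
    for argv in cmds:
        print("would run:", " ".join(argv))
    for n, why in rejected:
        print("rejected line %d: %s" % (n, why))
```

The CGI side only has to write a line like `block 192.168.1.4` into a fresh file in the spool directory (create it with O_EXCL so a stale name cannot be reused); root then only ever sees a verb and an address that has already been parsed into an ipaddress object, and the web server account keeps no root privilege at all. Run process_spool with dry_run=True first to see the argv lists it would execute.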
In SUSE Linux, wwwrun is the user for the Apache service.
After making the change in the sudoers file you have to run the iptables command as wwwrun.
After making the change, check whether the wwwrun user is able to run the iptables command:
Code:
sudo -u wwwrun sudo /usr/sbin/iptables -L
If you are able to run this command successfully on the terminal, then check the script. You didn't post the script, so I assume there is a variable for the iptables command; add the sudo command to that variable's value in the script.