Linux - Security This forum is for all security related questions.
#1 | 03-25-2006, 04:47 AM | Member | Registered: Jul 2005 | Posts: 73
running iptables from php
Hi Guys,
I've done extensive searching on google and this forum and everything I try doesn't work. I want to be able to use iptables commands from php running on apache on FC4. Security isn't a problem at the moment as I'm just testing on a private isolated network.
I've generated the following script (pardon the comments):
<HTML>
<BODY>
<?php
//$source = $_POST["source"];
//echo $source;
echo exec('iptables -I INPUT 1 -s 192.168.0.6 -j DROP');
echo exec('who');
?>
</BODY>
</HTML>
Nothing happens except for the following output:
root pts/2 Mar 25 10:26 (:0.0)
I'm guessing this means that apache is logged in as root. Therefore shouldn't the iptables command work? It doesn't.
Could someone shed some light? Many thanks.
Rookie.
#2 | 03-25-2006, 06:46 AM | LQ Veteran | Registered: Feb 2003 | Location: Maryland | Distribution: Slackware | Posts: 7,803
I'm going to guess that Apache isn't actually running as root. I believe most distros have it set up to use a much less privileged user. Have a look in your httpd.conf file (or at the output of lsof -i); it should tell you what user Apache is running under.
After you find the user, the best way to do this would be to use sudo and give the Apache user permission to use the iptables command.
#3 | 03-25-2006, 06:58 AM | Member | Registered: Jul 2005 | Posts: 73 | Original Poster
I think it's running as "nobody"; therefore, what would I need to enter into my sudoers file to give it access to iptables? Also, if it is running as nobody, why is it showing as root when I use the who command from php? Also, when I have edited the sudoers file, do I need to restart it or something?
Last edited by rookiepaul; 03-25-2006 at 07:02 AM.
#4 | 03-25-2006, 07:53 AM | LQ Veteran | Registered: Feb 2003 | Location: Maryland | Distribution: Slackware | Posts: 7,803
The nobody user is a frequent Apache user, so that makes sense. If I remember correctly, the initial Apache thread starts as root, but that really only spawns the threads owned by nobody, and those do all the heavy lifting. I'm far from an Apache expert, but that original root thread probably has something to do with the output you're seeing. However, I am very sure that the php commands are actually being run under the nobody user, not root.
After editing the sudoers file, you shouldn't need to restart. At least I've never had to. However, you will want to let nobody have passwordless access to iptables otherwise you will have to figure out how to authenticate from within your PHP script.
#5 | 03-25-2006, 08:17 AM | Member | Registered: Jul 2005 | Posts: 73 | Original Poster
Thanks, so what should my nobody entry look like in sudoers?
#6 | 03-25-2006, 08:46 AM | LQ Veteran | Registered: Feb 2003 | Location: Maryland | Distribution: Slackware | Posts: 7,803
I think it should look something like this:
nobody localhost=NOPASSWD: /usr/sbin/iptables
Just check on the actual path for your iptables executable. By the way, there is a decent explanation of sudoers syntax here in case my example is wrong.
#7 | 03-25-2006, 12:19 PM | Member | Registered: Jul 2005 | Posts: 73 | Original Poster
Argh! This is still not working! Am I calling it wrong?
exec('sudo iptables -I INPUT 1 -s 192.168.0.6 -j DROP');
This is doing my head in.
My sudoers file looks like this:
nobody localhost=NOPASSWD: /usr/sbin/iptables
#8 | 03-25-2006, 12:42 PM | LQ Veteran | Registered: Feb 2003 | Location: Maryland | Distribution: Slackware | Posts: 7,803
I think you need to figure out where this is bombing out and a quick way to test this would be to run the sudo iptables command from the command line. If that works, but it doesn't in PHP, you know that you have sudo right and you've got a php problem. If it doesn't work, then at least you would know it was a sudo problem.
#9 | 03-25-2006, 01:02 PM | Member | Registered: Jul 2005 | Posts: 73 | Original Poster
Sudo iptables doesn't work. What does this mean?
#10 | 03-26-2006, 07:19 AM | LQ Veteran | Registered: Feb 2003 | Location: Maryland | Distribution: Slackware | Posts: 7,803
Can you expand a bit on what you mean by "doesn't work"? What did you try, and what was the outcome? How did you become the nobody user to test this?
#11 | 03-26-2006, 09:14 AM | Member | Registered: Jul 2005 | Posts: 73 | Original Poster
OK, sorry.
Logged in as "paul" which is a general admin user on my linux system, I issued this command:
sudo -u nobody iptables -L --line
I got the response:
paul is not in the sudoers file. This incident will be reported.
My sudoers file is as above. Any clues?
#12 | 03-26-2006, 09:37 AM | LQ Veteran | Registered: Feb 2003 | Location: Maryland | Distribution: Slackware | Posts: 7,803
I think the problem is that paul doesn't have permission to run things as nobody. Here is a way that should test this properly. First, either log in or su to root. Then su to nobody (and run whoami to make sure you are nobody). Then you should be able to test the sudo iptables command.
#13 | 03-26-2006, 10:23 AM | Member | Registered: Jul 2005 | Posts: 73 | Original Poster
When I try to su nobody I get:
"This account is currently not available".
That is after I have su root.
#14 | 03-26-2006, 05:34 PM | LQ Veteran | Registered: Feb 2003 | Location: Maryland | Distribution: Slackware | Posts: 7,803
OK, I messed around a bit with this on my system and I think that using localhost in the sudoers file may be causing an issue. Try this:
nobody ALL=NOPASSWD: /usr/sbin/iptables
At least on my system that allowed me to execute iptables commands as nobody. However, I am able to su to nobody, so it could be that in Fedora the nobody account has more restrictions than on Slackware. If this doesn't allow your script to run, you could always look at running Apache under a more normal user than nobody.
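As an added example that is not the poster's script or anything posted in the thread: the same exec() call written so that sudo or iptables failures are reported instead of vanishing, with the source address validated before it reaches a shell. It assumes the rule from post #14 (nobody ALL=NOPASSWD: /usr/sbin/iptables) is installed and that PHP runs as nobody; both are assumptions of the example.

```php
<?php
// Added example, not the original poster's script. Assumptions (not facts
// from the thread): Apache/PHP runs as "nobody", and /etc/sudoers contains
//   nobody ALL=NOPASSWD: /usr/sbin/iptables

// sudo matches the exact path in the rule, so PHP must call the same absolute
// path; a bare "iptables" depends on the web server's PATH.
const IPTABLES = '/usr/sbin/iptables';

/**
 * Insert a DROP rule for one IPv4 source at the top of the INPUT chain.
 * Returns [exit code, output lines]; a non-zero exit code means it failed.
 */
function block_ipv4(string $ip): array
{
    // Validate before the value gets anywhere near a shell.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return [1, ["refused: '$ip' is not an IPv4 address"]];
    }
    // -n: never prompt for a password; a wrong sudoers rule fails instead of hanging.
    // 2>&1: exec() only collects stdout, which is why the original script showed
    //       nothing; merging stderr makes the sudo/iptables error visible.
    $cmd = 'sudo -n ' . IPTABLES . ' -I INPUT 1 -s ' . escapeshellarg($ip)
         . ' -j DROP 2>&1';
    $lines = [];
    $code = 1;
    exec($cmd, $lines, $code);
    return [$code, $lines];
}

/** The user PHP itself runs as; "who" lists console logins, not this. */
function php_user(): string
{
    if (!function_exists('posix_geteuid')) {
        return 'unknown (posix extension not loaded)';
    }
    $pw = posix_getpwuid(posix_geteuid());
    return $pw === false ? 'unknown' : $pw['name'];
}

echo 'php is running as: ' . php_user() . "\n";

// Constructed input; a real page would take it from $_POST['source'] and
// still pass it through block_ipv4().
[$code, $out] = block_ipv4('192.168.0.6');
echo "exit code: $code\n" . implode("\n", $out) . "\n";
```

If the exit code is non-zero, the merged output will show whether sudo rejected the rule ("a password is required", "not in the sudoers file") or iptables itself failed, which is the distinction post #8 asks the poster to make.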
#15 | 03-26-2006, 08:34 PM | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Quote (originally posted by rookiepaul):
When I try to su nobody I get:
"This account is currently not available".
That is after I have su root.
You need to specify a shell if you are doing it that way:
su -s /bin/bash nobody
For scripting purposes it's likely unnecessary.