Starting Apache as a user with root privileges

Hi. I have written a simple Perl program to add a command to iptables. Here is my code:

#!/usr/bin/perl
use strict;
use warnings;

# CGI response header, followed by the blank line that ends the headers
print "Content-type: text/html\n\n";

# Append a rule to the FORWARD chain that drops traffic from 192.168.0.2
system("iptables -A FORWARD -s 192.168.0.2 -j DROP");

I put this file in the cgi-bin folder of the Apache server. Here is my problem: when I run this file from the shell as the root user it makes the change to iptables, but when I use my browser to run this file, it doesn’t make any change. I’m sure this is because Apache doesn’t have permission to manipulate iptables.
How can I start Apache as a user with root privileges?
Any suggestion will be appreciated.

Use sudo to allow the wwwrun account to run a script that will run iptables as root.

Thanks. I added this line

wwwrun ALL = (ALL) NOPASSWD: ALL 

to “/etc/sudoers” and restarted Apache. Again my cgi page didn’t make any change to iptables.

You have to explicitly run the program under sudo, it doesn’t automatically make any command privileged. I.e.:

system("sudo iptables …");

You might want to restrict the commands that can be run under sudo to just this one, for safety reasons.

Also… YIKES!!! Hopefully this is not the end of the line with regard
to this script. Setting wwwrun to be able to do ANYTHING without a
password is a terrible, terrible idea. You can easily limit sudoers to
make apache ONLY able to modify the iptables command. Maybe even better,
put that command in a script so that apache only has sudo access to that
script and that script only does the one thing with iptables (so somebody
doesn’t somehow use wwwrun to tweak your firewall without you knowing).

Good luck.

On 07/17/2010 09:56 AM, ken yap wrote:
>
> You have to explicitly run the program under sudo, it doesn’t
> automatically make any command privileged. I.e.:
>
> system("sudo iptables …");
>
> You might want to restrict the commands that can be run under sudo to
> just this one, for safety reasons.
>
>

Thanks ab@novell.com. I don’t know how to do what you said. Could you explain more about your solution?

Really, thanks ken_yap for your suggestion. I added that "sudo" to the start of the iptables command and it worked. I really appreciate it. Thanks again.

Mortezz, glad to hear things are working. As mentioned earlier you ought to consider restricting wwwrun to only being able to run the needed command(s) as root. Here is something like what I think you should add to sudoers to make what you’re doing a little safer.

wwwrun ALL=(root) NOPASSWD: /usr/sbin/iptables

This allows wwwrun to run just iptables as root without needing a password.

Going further, it would be even better to give wwwrun sudo access to only a specific script instead of iptables entirely.

Hope that helps.

Also, you can put the arguments required by your iptables command in /etc/sudoers. Then the invocation must match exactly those arguments, saving you an intermediate script.

E.g.

wwwrun ALL=(root) NOPASSWD: /usr/sbin/iptables blah blah

Of course if you want to do more than just one command, you should probably write a script.
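The two suggestions above, a sudoers entry limited to a single command and a single-purpose wrapper script that is the only thing wwwrun may run as root, put together as an added example. This is not code from the thread; the wrapper path /usr/local/sbin/block-host, the sudoers line and the CGI call shown in the comments are assumptions for illustration and should be adjusted to your system. The point of the wrapper is that wwwrun can never pass its own options to iptables: the script accepts exactly one dotted-quad IPv4 address and refuses everything else, so a compromised CGI cannot turn the sudo right into "iptables -F" or an ACCEPT rule.

```shell
#!/bin/sh
# block-host: single-purpose wrapper so wwwrun never gets sudo access to
# iptables itself. The install path /usr/local/sbin/block-host is an assumption
# made for this example; adjust it and the sudoers entry to your system.
#
# Matching /etc/sudoers entry (edit with visudo; assumed path):
#   wwwrun ALL=(root) NOPASSWD: /usr/local/sbin/block-host
#
# The CGI calls it with the list form of system(), so no shell ever parses the
# address (assumed CGI code, not from the original post):
#   system("sudo", "/usr/local/sbin/block-host", $ip);

# Accept only a plain dotted-quad IPv4 address. Options such as "-j ACCEPT",
# shell metacharacters and hostnames are all rejected, so the only rule this
# script can ever add is the one hard-coded in block_host below.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        case $rest in
            *.*) rest=${rest#*.} ;;
            *)   rest='' ;;
        esac
        count=$((count + 1))
        # 0-255 only. A leading zero is rejected because inet_aton-style
        # parsers read "010" as octal, so the rule would not match what you typed.
        case $octet in 0?*) return 1 ;; esac
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    [ "$count" -eq 4 ]
}

# Validate, then append the DROP rule. IPTABLES can be overridden (for example
# with "echo") to see what would be run without touching the live firewall.
block_host() {
    if [ $# -ne 1 ] || ! valid_ipv4 "$1"; then
        echo "usage: block-host <ipv4-address>" >&2
        return 2
    fi
    "${IPTABLES:-/usr/sbin/iptables}" -A FORWARD -s "$1" -j DROP
}

# Run only when invoked as the installed script; when sourced, just define
# the functions.
case $0 in
    */block-host|block-host) block_host "$@" ;;
esac
```

Install the script root-owned and mode 0755 so wwwrun can execute but not modify it, add the sudoers line with visudo, and keep the CGI's system() call in list form so the address is passed as a single argument rather than interpolated into a shell command. Compared with "wwwrun ALL=(root) NOPASSWD: /usr/sbin/iptables", which lets the web server run any iptables command at all, this leaves wwwrun with exactly one capability: appending a DROP rule for one validated address.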