php/netfilter help

Postby zaeemarshad » Mon Nov 01, 2004 4:26 pm

Hey guys!

Seems like much work is going on LNMS and these kinds of projects. I am working on a web interface to iptables using PHP and a MySQL backend for storing rules and a few other things (regexes make me go mad!).

The problem that I have encountered is that PHP under Apache runs as user apache, which has no privilege to run iptables. I overcame this by adding apache to the sudoers list for iptables and a few other commands. The problem is that this is not an elegant way to do it and not very user-friendly. Is there any way I can access iptables without going through sudo and the like, just like Webmin modules do?

Any ideas or pointers?

Regards
Zaeem
zaeemarshad
Lieutenant Colonel
 
Posts: 660
Joined: Sat Jul 06, 2002 12:35 pm
Website: http://zaeem.no-ip.org
WLM: zarshadvirk@hotmail.com
Yahoo Messenger: negativecreep61@yahoo.com
AOL: zarshadvirk
Location: Islamabad

Re: php/netfilter help

Postby lambda » Wed Nov 03, 2004 4:12 pm

Write a setuid app to run iptables or whatever, and be very careful about who can run it.
lambda
Major General
 
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Website: http://www.hungry.com/~fn/
Location: Lahore
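
The setuid route lambda suggests is only safe if the wrapper refuses to become a general-purpose "run iptables as root" tool. The following is an added example, not code from the thread or from any of the posters: a setuid-root wrapper that lets the web-server user add or delete exactly one shape of rule (drop traffic from one IPv4 source) and nothing else. The uid of the apache user (48), the path /sbin/iptables, the chain name WEBFW and the `add|del <ipv4>` calling convention are all assumptions chosen for the example.

```c
/* fwctl.c - added example: a minimal setuid-root wrapper around iptables.
 * Installed root:apache mode 4750 so only the web-server group can run it.
 * Assumptions (not from the thread): WEB_UID, IPTABLES path, CHAIN name. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define WEB_UID  48                 /* assumption: uid of the "apache" user */
#define IPTABLES "/sbin/iptables"   /* assumption: absolute path, root-owned */
#define CHAIN    "WEBFW"            /* assumption: a dedicated chain, not INPUT */

/* Returns 1 when addr is a well-formed dotted-quad IPv4 address. */
int is_ipv4(const char *addr)
{
    struct in_addr dummy;
    return inet_pton(AF_INET, addr, &dummy) == 1;
}

/* Checks the caller's arguments: exactly two, the first "add" or "del",
 * the second an IPv4 address. On success fills argv_out (room for 8
 * pointers) with a fixed iptables command line and returns 1; any other
 * input returns 0. Nothing the caller passes reaches iptables except the
 * validated address, so there is no flag or shell to inject. */
int build_iptables_argv(int argc, char **argv, const char **argv_out)
{
    const char *op;
    if (argc != 3)
        return 0;
    if (strcmp(argv[1], "add") == 0)
        op = "-A";
    else if (strcmp(argv[1], "del") == 0)
        op = "-D";
    else
        return 0;
    if (!is_ipv4(argv[2]))
        return 0;
    argv_out[0] = IPTABLES;
    argv_out[1] = op;
    argv_out[2] = CHAIN;
    argv_out[3] = "-s";
    argv_out[4] = argv[2];
    argv_out[5] = "-j";
    argv_out[6] = "DROP";
    argv_out[7] = NULL;
    return 1;
}

int main(int argc, char **argv)
{
    const char *cmd[8];
    static char *const clean_env[] = { "PATH=/sbin:/bin", NULL };

    /* Only the web-server user may invoke this, and only with valid args. */
    if (getuid() != WEB_UID) {
        fprintf(stderr, "not authorised\n");
        return 1;
    }
    if (!build_iptables_argv(argc, argv, cmd)) {
        fprintf(stderr, "usage: %s add|del <ipv4>\n", argv[0]);
        return 2;
    }
    /* The setuid bit only gives us euid 0; make the real uid root too, then
     * exec with a scrubbed environment so nothing inherited from PHP (PATH,
     * LD_PRELOAD, locale) can influence iptables. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    execve(IPTABLES, (char *const *)cmd, clean_env);
    perror("execve");
    return 1;
}
```

Install with `chown root:apache fwctl && chmod 4750 fwctl` and call it from PHP as `exec('/usr/local/sbin/fwctl add ' . escapeshellarg($ip))`; the wrapper validates its own arguments, so `escapeshellarg` is defence in depth rather than the only check. Pointing the wrapper at a dedicated chain that INPUT jumps to keeps a bug in the web interface from being able to flush or rewrite the rest of the firewall. The same restriction is what a sudoers entry should have granted in the first place: sudo access to a wrapper like this, not to iptables itself.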

Postby zaeemarshad » Wed Nov 03, 2004 7:48 pm

lambda!

Is it possible with a shell script that apache can execute but which executes under root permissions? I would write the required commands to that file and it would be executed?

What do you suggest?

regards
zaeem

hmmmmmmm

Postby masud » Thu Nov 04, 2004 11:23 am

Salamz!
Well, I am using my own MAC controller instead of iptables, but your requirement is more than MAC :) OK, let's see whether I can help you or not.

I am going to tell you what I think the best solution is (in my opinion).
OPTION 1 = As you said you are working on PHP (which means programming), so you will be good at programming stuff. Why don't you try making a C program to read a file or your MySQL database (which is really easy)? Just put it in a file/database and have your C program, which will be running "for(;;)", start with the system rc.local.

OPTION 2 = Do the same thing with a script instead of C.

That's what I've got in my head :). Maybe anyone else will give you some easy and nice OPTION.
ALLAHHAFIZ
--SP--
masud
Havaldaar
 
Posts: 108
Joined: Thu Aug 05, 2004 12:15 am
Website: http://fedoraproject.org/wiki/MasoodMehmood
WLM: silentplayer@internet-criminals.com
Yahoo Messenger: xlx_silentplayer_xlx
Location: Fremont, CA

Postby lambda » Thu Nov 04, 2004 6:02 pm

zaeemarshad wrote:Is it possible with a shell script that apache can execute but which executes under root permissions? I would write the required commands to that file and it would be executed?


Unlikely. Most operating systems don't allow setuid scripts.

Re: hmmmmmmm

Postby lambda » Thu Nov 04, 2004 6:06 pm

masud wrote:OPTION 1 = As you said you are working on PHP (which means programming), so you will be good at programming stuff. Why don't you try making a C program to read a file or your MySQL database (which is really easy)? Just put it in a file/database and have your C program, which will be running "for(;;)", start with the system rc.local.


This is also a good idea. You can have the web page write out "commands" to execute into a database table, or into a file in a directory only the web server can get to. Have a program (script, C application, whatever) run on boot as root and have it periodically poll the database or directory for work to do.
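
The poll-a-spool design that masud and lambda describe has one trap: if the web tier writes literal "commands" and the root-run poller executes them, the spool file becomes an injection surface and the poller is just a slower sudo. The following is an added example, not code from the thread or from any of the posters, of the safer variant: the web page writes a one-line declarative request (`block 10.0.0.5` or `unblock 10.0.0.5`) into a spool directory, and the privileged poller builds the iptables command line itself, accepting only regular files owned by the web-server user. The spool path /var/spool/webfw, the apache uid (48), the chain WEBFW, the request format and the 2-second poll interval are assumptions chosen for the example.

```c
/* webfwd.c - added example: a root-run poller that drains a spool directory
 * of declarative firewall requests written by the web server.
 * Assumptions (not from the thread): SPOOL, WEB_UID, IPTABLES, CHAIN and the
 * "<block|unblock> <ipv4>" request format. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define SPOOL    "/var/spool/webfw"  /* assumption: root:apache, mode 0730 */
#define WEB_UID  48                  /* assumption: uid of the "apache" user */
#define IPTABLES "/sbin/iptables"    /* assumption: absolute, root-owned path */
#define CHAIN    "WEBFW"             /* assumption: dedicated chain */
#define MAX_JOB  64                  /* a valid request is far shorter */

struct job { char op[8]; char ip[INET_ADDRSTRLEN]; };

/* Parses one request line. Returns 1 and fills *j for exactly
 * "<block|unblock> <ipv4>"; any extra token, unknown verb or malformed
 * address returns 0. The verb and address are the only data the web tier
 * can influence, and both are copied, not interpreted. */
int parse_job(const char *line, struct job *j)
{
    char op[16], ip[64], extra[2];
    struct in_addr a;
    if (sscanf(line, "%15s %63s %1s", op, ip, extra) != 2)
        return 0;
    if (strcmp(op, "block") != 0 && strcmp(op, "unblock") != 0)
        return 0;
    if (inet_pton(AF_INET, ip, &a) != 1)
        return 0;
    strcpy(j->op, op);   /* "unblock" is 7 chars, fits op[8] */
    strcpy(j->ip, ip);   /* inet_pton accepted it, so it fits the buffer */
    return 1;
}

/* Runs iptables for a parsed job with a fixed argv and a scrubbed
 * environment. Returns the child's exit status, or -1 on fork/wait error. */
int apply_job(const struct job *j)
{
    char *const envp[] = { "PATH=/sbin:/bin", NULL };
    const char *argv[] = { IPTABLES, strcmp(j->op, "block") == 0 ? "-A" : "-D",
                           CHAIN, "-s", j->ip, "-j", "DROP", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(IPTABLES, (char *const *)argv, envp);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Reads one spool entry. Symlinks are refused (O_NOFOLLOW), and only a
 * regular file owned by the web user and at most MAX_JOB bytes is parsed.
 * Returns 1 with *j filled, else 0. */
int read_job(int dirfd, const char *name, struct job *j)
{
    char buf[MAX_JOB + 1];
    struct stat st;
    int ok = 0;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return 0;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == WEB_UID
        && st.st_size <= MAX_JOB) {
        ssize_t n = read(fd, buf, MAX_JOB);
        if (n > 0) {
            buf[n] = '\0';
            ok = parse_job(buf, j);
        }
    }
    close(fd);
    return ok;
}

/* One pass over the spool. Dot-prefixed names are skipped so the web tier
 * can write to ".tmpXXXX" and rename() into place atomically. Every other
 * entry is consumed (unlinked) whether it parsed or not, so a malformed
 * request cannot wedge the queue. Returns the number of jobs applied. */
int drain_spool(const char *dir)
{
    int applied = 0;
    struct dirent *e;
    DIR *d = opendir(dir);
    if (!d)
        return 0;
    while ((e = readdir(d)) != NULL) {
        struct job j;
        if (e->d_name[0] == '.')
            continue;
        if (read_job(dirfd(d), e->d_name, &j) && apply_job(&j) == 0)
            applied++;
        unlinkat(dirfd(d), e->d_name, 0);
    }
    closedir(d);
    return applied;
}

int main(void)
{
    for (;;) {              /* started from rc.local as root */
        drain_spool(SPOOL);
        sleep(2);
    }
}
```

On the PHP side the request is written with `file_put_contents` to a dot-prefixed temporary name in the spool and then `rename`d, so the poller never reads a half-written file. Because the poller constructs the whole iptables argv from two validated tokens, the worst a compromised web application can do through this channel is add or remove DROP rules for individual addresses in the WEBFW chain, which is the point of splitting the privilege out in the first place. The same parse-then-build pattern applies unchanged if the queue lives in a MySQL table instead of a directory.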

Postby zaeemarshad » Sat Nov 06, 2004 2:06 pm

Yeah, I had the same solution in mind. Implemented a different version though.

Thanks all
zaeem