permissions

[shyma]

how i can give apache server root permissions?
please help me.

[Kieren]

You wouldn't want to do that for security reasons. root has access to your entire computer so you don't want people having access so easily.

Why do you want it to have root permissions?

[vigour]

Set the apache user UID and GID=0 from /etc/passwd, but suffer the consequences

[shyma]

i want to give apache root permissions because i want to execute iptables commands through php code.

[HROAdmin26]

I'll have to echo Kieren - this is a *really* bad idea.

As a last resort, use setuid on the iptables command instead.

[vigour]

I would suggest using sudo...

put in sudo:

Code:

Cmnd_Alias ADD=/usr/sbin/iptables -A FORWARD -j ACCEPT -s
Cmnd_Alias DEL=/usr/sbin/iptables -D FORWARD -j ACCEPT -s

apache ALL=NOPASSWD: ADD
apache ALL=NOPASSWD: DEL

Then instead of executing iptables directly you will be allowed to execute only the the iptables rules starting with the above example.. this will allow you for an instance to execute from the php script the following:

Code:

sudo iptables -A FORWARD -j ACCEPT -s 192.168.0.1

PS: This will be especially secure if you are 100% sure that nothing but:

Code:

/^\d+\.\d+\.\d+\.\d+$/

is parsed to the system/exec functions

[HROAdmin26]

Shyma has ~10 threads about iptables, apache, and php. Most have told him to use sudo - he keeps asking again (I guess) because no one has spelled out the exact code/steps, so I assume he gave up on sudo and is now trying to just make apache run as root.

Maybe Vigour's post will give him new inspiration.

[vigour]

Oh... so it's good to say how to put things in sudo...

Just type:

Code:

visudo

Or if you are unfamiliar with Vi, edit /etc/sudoers with your favorite text redactor. The good thing of visudo is that it checks for errors on exit.

But anyway.. once you put the above lines in sudo, then you will be able to execute iptables commands (BUT STARTING WITH THE EXACT OPTIONS FROM SUDO) as the apache user...


Good luck..

PS: My only advise is to check the things you add to iptables.
e.g. if you are adding an ip address.. make something like:

Code:

preg_match("/^\d+\.\d+\.\d+\.\d+$/",$ipaddress,$match);
if($match[0]) { go_to_sudo_execution(); }
else { die("Invalid IP address"); }

[shyma]

hi
i want to execute this command throgh php
service iptables restart
can you give me steps to do this?
i means that steps to edit sudo.what i should type?
please help me because i try any solution that i find in this forum but i faild.

[vigour]

1. Open the sudo conf file

Code:

visudo

2. Save the following lines:

Code:

Cmnd_Alias RES=/etc/init.d/httpd restart

apache ALL=NOPASSWD: RES

3. Execute from the php script:

Code:

exec("/usr/bin/sudo /etc/init.d/iptables restart");

And you should not have any problems restarting the iptables rules.