Bug#603392: mod-evasive DDOSSystemCommand

2010-11-26 Thread Werner
Hi,

OK, it seems like I've created the problem myself by using strace for debugging
purposes, which does not work with suid :)

You can close this report.

Thanks,
Werner



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#603392: mod-evasive DDOSSystemCommand

2010-11-26 Thread Alberto Gonzalez Iniesta
On Fri, Nov 26, 2010 at 02:35:10PM +0100, Werner wrote:
> Hi,
> 
> OK, it seems like I've created the problem myself by using strace for debugging
> purposes, which does not work with suid :)

Great! Congratulations! Closing...

Thanks,

Alberto
-- 
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org) | in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3






Bug#603392: mod-evasive DDOSSystemCommand

2010-11-25 Thread Werner
Hi,

I did a little more research on this issue. I can now tell that DOSSystemCommand
in general works, like:

DOSSystemCommand "/bin/echo hi > /tmp/out.txt"

But I'm still not able to generate iptables rules with mod-evasive. Here is the
relevant configuration:

/etc/sudoers
Defaults env_reset
root ALL=(ALL) ALL
www-data ALL=(ALL) NOPASSWD: /sbin/iptables -A INPUT -p tcp --dport 80 -s [0-9.]* -j DROP
%sudo ALL=(ALL) ALL

/etc/apache2/mods-enabled/mod-evasive.conf
<IfModule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount 2
   DOSSiteCount 50
   DOSPageInterval 1
   DOSSiteInterval 1
   DOSBlockingPeriod 10
   DOSLogDir /var/lock/mod_evasive
   DOSSystemCommand "/usr/bin/sudo /sbin/iptables -A INPUT -p tcp --dport 80 -s %s -j DROP"
</IfModule>


I've strace'd the apache processes, here are the relevant parts:
...
2241  execve("/usr/bin/sudo", ["/usr/bin/sudo", "/sbin/iptables", "-A", "INPUT", "-p", "tcp", "--dport", "80", "-s", "10.211.55.2", "-j", "DROP"],
2241  geteuid32()   = 33
2241  write(2, "sudo", 4)   = 4
2241  write(2, ": ", 2) = 2
2241  write(2, "must be setuid root", 19) = 19
2241  write(2, "\n", 1) = 1
...

The permissions of /usr/bin/sudo seem ok:
-rwsr-xr-x 2 root root 144740  8. Sep 22:32 /usr/bin/sudo

I am able, as user www-data, to create the mentioned iptables rule by hand via
sudo, but it's not possible from apache/mod-evasive :-(
Let me know.

Thanks,
Werner



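A small diagnostic for the "must be setuid root" failure this thread ends up explaining, added here as an example and not part of the bug report, of sudo or of mod_evasive: it checks the two conditions the thread touches on, the helper's setuid-root mode (the ls output above) and whether the calling process is being ptraced (the strace cause). The function names and the optional status-file argument are my own choices.

```shell
#!/bin/sh
# Diagnose why a setuid helper such as /usr/bin/sudo reports
# "must be setuid root" when a daemon launches it.  Two checks matching
# the thread: (1) the binary is mode 4xxx and owned by root, as in the
# ls output above; (2) the caller is not being ptraced, since the kernel
# does not grant setuid privileges on exec from a traced process unless
# the tracer itself holds CAP_SYS_PTRACE (the strace cause Werner found).

# Exit 0 if FILE carries the set-user-ID bit (POSIX test -u).
has_setuid_bit() {
    [ -u "$1" ]
}

# Exit 0 if FILE is setuid *and* owned by root; -prune keeps find on the
# file itself, -user/-perm are POSIX.
is_setuid_root() {
    [ -n "$(find "$1" -prune -user root -perm -4000 -print 2>/dev/null)" ]
}

# Print the TracerPid field of a /proc/<pid>/status file (0 = not traced).
# The path is an argument so any pid or a saved copy can be examined.
tracer_pid() {
    awk '/^TracerPid:/ { print $2; exit }' "$1"
}

# Print every reason FILE would fail with "must be setuid root" for the
# process described by STATUS (default: this shell).  Returns 0 when
# nothing is wrong, 1 otherwise.
diagnose_setuid_helper() {
    file=$1
    status=${2:-/proc/self/status}
    rc=0
    if ! has_setuid_bit "$file"; then
        echo "$file: set-user-ID bit is not set"
        rc=1
    elif ! is_setuid_root "$file"; then
        echo "$file: setuid but not owned by root, so no privilege is gained"
        rc=1
    fi
    tp=$(tracer_pid "$status")
    if [ -n "$tp" ] && [ "$tp" != 0 ]; then
        echo "caller is ptraced by pid $tp; setuid is ignored on exec"
        rc=1
    fi
    return "$rc"
}

# Usage: diagnose_setuid_helper /usr/bin/sudo /proc/<apache-pid>/status
```

Run it against the apache child's status file (the pid strace shows) rather than the shell's own, since it is that process whose tracer state matters.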