On Sun, 24 Feb 2002, Nicholas Reese wrote:
> Hi all,
>
> I want to create a web based interface that allows me to add or delete
> ipchains (I want to dynamically allow or deny network access to
> workstations) - I have a simple PERL script in cgi-bin that runs the
> command to add or delete a chain - the only problem here is that I get
> "permission denied, you must be root" when I try to run it. I have
> created a user called apache_user and made it a member of the root
> group, then changed the ownership of ipchains to apache_user, still no
> luck. I have checked out suEXEC but this will not allow the 'root' group
> to execute CGI/SSI programs. Any ideas / completely different approaches
> greatly appreciated.
If no other solutions are forwarded... I often get around this sort of
situation by running another script as root that waits for some signal to
read a configuration file. The config file is owned by the apache user.
The signal could be the presence of a file for something really basic.
#!/bin/bash
# Poll for a marker file; when it appears, apply the queued ipchains
# commands and remove the marker so the CGI can queue the next batch.
while true; do
    if [ -f /tmp/marker ]; then
        # one ipchains invocation per line of /tmp/ipchain
        xargs -L 1 ipchains < /tmp/ipchain
        rm -f /tmp/marker
    fi
    sleep 30
done
The sleep is very important as the script doesn't chew any CPU while in a
sleep state.
In the file /tmp/ipchain you just put the ipchains commands you want, e.g.:
-A input -s 192.168.1.33 -j ACCEPT
-D input -s 192.168.1.38
Of course this isn't a really secure way of doing it. It's better to have
the CGI script supply less information and the script run as root should
check the input using a regular expression and/or put quotes around it to
help stop shell escapes etc etc.
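One way to do what the last paragraph suggests, as an added example rather than GRiP's script: the CGI writes only "allow IP" or "deny IP" lines to a spool file, and the root-side loop validates every line and builds the ipchains arguments itself, so nothing from the web side is ever handed to a shell. The spool paths, the "allow"/"deny" request format and the logger tag are assumptions.

```shell
#!/bin/bash
# Added example, not GRiP's script: the root-side loop reworked so the CGI
# writes only "allow <ip>" or "deny <ip>" lines and this script validates
# each line and builds the ipchains arguments itself. Paths are assumed.
SPOOL=/var/spool/fwreq          # assumed: writable by the apache user only
REQUEST="$SPOOL/request"
MARKER="$SPOOL/marker"
# validate_ip: accept only a dotted quad with four octets in 0..255.
validate_ip() {
    local ip=$1 n=0 octet
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    local IFS=.
    for octet in $ip; do
        n=$((n + 1)); [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}
# build_rule: print ipchains args for "allow IP" / "deny IP"; anything
# else is rejected with exit status 1 and nothing is printed.
build_rule() {
    [ $# -eq 2 ] && validate_ip "$2" || return 1
    case $1 in
        allow) printf '%s' "-A input -s $2 -j ACCEPT" ;;
        deny)  printf '%s' "-A input -s $2 -j DENY" ;;
        *)     return 1 ;;
    esac
}
# process_request: apply each valid line, log and skip everything else.
# The line never reaches a shell; only validated tokens reach ipchains.
process_request() {
    local line args
    while read -r line; do
        set -- $line                  # split into words on whitespace
        if args=$(build_rule "$@"); then
            ipchains $args            # unquoted on purpose: validated tokens only
        else
            logger -t fwreq "rejected request line: $line"
        fi
    done < "$REQUEST"
}
# main_loop: same marker/sleep pattern as the script above.
main_loop() {
    while true; do
        if [ -f "$MARKER" ]; then process_request; rm -f "$MARKER" "$REQUEST"; fi
        sleep 30
    done
}
if [ "${1:-}" = "--daemon" ]; then main_loop; fi
```

Run it as root with --daemon; the CGI only needs write access to the spool directory, and a malformed line ends up in syslog instead of on an ipchains command line.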
--
---<GRiP>---
Web: www.arcadia.au.com/gripz
Answering Machine/fax: 02 4950 1194 (wait 5 mins if no answer)
Mobile: 0408 686 201
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug