Linux Netfilter discussions
* iptables permission problem in perl scripts
@ 2005-08-14  7:34 afshin lamei
  2005-08-14  8:27 ` Gavin Henry
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: afshin lamei @ 2005-08-14  7:34 UTC (permalink / raw)
  To: netfilter

Dear all,
I have a cgi script, which uses some perl scripts in which i'm running
iptables command using "system" function, like this:
myfile.pl:
......
system("iptables -F FORWARD")
......

the cgi file is owned by root/root and is run by user nobody.
myfile.pl is owned by root/root, and I've it setuid (chmod u+s
myfile.pl ; chown root:nobody myfile.pl) to be able to run iptable
commands, but it returns this error:
/////
modprobe: Can't locate module ip_tables.
iptables v1.2.11: can't initialize iptables table `nat': Permission
denied (you must be root) perhaps iptables or your kernel needs to be
upgraded.
/////
what's the solution?
thanks a lot
afshin lame



* Re: iptables permission problem in perl scripts
  2005-08-14  7:34 iptables permission problem in perl scripts afshin lamei
@ 2005-08-14  8:27 ` Gavin Henry
  2005-08-15  5:47 ` Grant Taylor
  2005-08-15  6:12 ` Jan Engelhardt
  2 siblings, 0 replies; 7+ messages in thread
From: Gavin Henry @ 2005-08-14  8:27 UTC (permalink / raw)
  To: netfilter

On Sunday 14 Aug 2005 08:34, afshin lamei wrote:
> Dear all,
> I have a cgi script, which uses some perl scripts in which i'm running
> iptables command using "system" function, like this:
> myfile.pl:
> ......
> system("iptables -F FORWARD")
> ......
>
> the cgi file is owned by root/root and is run by user nobody.
> myfile.pl is owned by root/root, and I've it setuid (chmod u+s
> myfile.pl ; chown root:nobody myfile.pl) to be able to run iptable
> commands, but it returns this error:
> /////
> modprobe: Can't locate module ip_tables.
> iptables v1.2.11: can't initialize iptables table `nat': Permission
> denied (you must be root) perhaps iptables or your kernel needs to be
> upgraded.
> /////
> what's the solution?

Use "sudo"

You can grant apache permission or another user etc.


-- 
Kind Regards,

Gavin Henry.
Open Source. Open Solutions(tm).

http://www.suretecsystems.com/



* iptables permission problem in perl scripts
@ 2005-08-14  9:29 psihozefir
  2005-08-15  5:44 ` Grant Taylor
  0 siblings, 1 reply; 7+ messages in thread
From: psihozefir @ 2005-08-14  9:29 UTC (permalink / raw)
  To: netfilter

maybe run perl executable suid root



* Re: iptables permission problem in perl scripts
  2005-08-14  9:29 psihozefir
@ 2005-08-15  5:44 ` Grant Taylor
  0 siblings, 0 replies; 7+ messages in thread
From: Grant Taylor @ 2005-08-15  5:44 UTC (permalink / raw)
  To: netfilter

psihozefir wrote:
> maybe run perl executable suid root

NO!  Do not do this, this will introduce SO MANY security problems on a modern box.  This is REALLY a BAD idea.  Find some other way to fix your problem.



Grant. . . .



* Re: iptables permission problem in perl scripts
  2005-08-14  7:34 iptables permission problem in perl scripts afshin lamei
  2005-08-14  8:27 ` Gavin Henry
@ 2005-08-15  5:47 ` Grant Taylor
  2005-08-15  9:17   ` /dev/rob0
  2005-08-15  6:12 ` Jan Engelhardt
  2 siblings, 1 reply; 7+ messages in thread
From: Grant Taylor @ 2005-08-15  5:47 UTC (permalink / raw)
  To: netfilter

Can we get an ls -l of the files in question?  What is the user that the web server is running as?



Grant. . . .

afshin lamei wrote:
> Dear all,
> I have a cgi script, which uses some perl scripts in which i'm running
> iptables command using "system" function, like this:
> myfile.pl:
> ......
> system("iptables -F FORWARD")
> ......
> 
> the cgi file is owned by root/root and is run by user nobody.
> myfile.pl is owned by root/root, and I've it setuid (chmod u+s
> myfile.pl ; chown root:nobody myfile.pl) to be able to run iptable
> commands, but it returns this error:
> /////
> modprobe: Can't locate module ip_tables.
> iptables v1.2.11: can't initialize iptables table `nat': Permission
> denied (you must be root) perhaps iptables or your kernel needs to be
> upgraded.
> /////
> what's the solution?
> thanks a lot
> afshin lame




* Re: iptables permission problem in perl scripts
  2005-08-14  7:34 iptables permission problem in perl scripts afshin lamei
  2005-08-14  8:27 ` Gavin Henry
  2005-08-15  5:47 ` Grant Taylor
@ 2005-08-15  6:12 ` Jan Engelhardt
  2 siblings, 0 replies; 7+ messages in thread
From: Jan Engelhardt @ 2005-08-15  6:12 UTC (permalink / raw)
  To: afshin lamei; +Cc: netfilter


>the cgi file is owned by root/root and is run by user nobody.
>myfile.pl is owned by root/root, and I've it setuid (chmod u+s
>myfile.pl ; chown root:nobody myfile.pl) to be able to run iptable
>commands, but it returns this error:

To run suid perl scripts, you must
- chmod u+s the script AND
- use "suidperl" AND
- have suidperl being u+s

And it's the biggest security hole as everyone says - does not [yet] reflect 
my opinion, though. So use some sudo magic (as recommended) if possible.


Jan Engelhardt
-- 



* Re: iptables permission problem in perl scripts
  2005-08-15  5:47 ` Grant Taylor
@ 2005-08-15  9:17   ` /dev/rob0
  0 siblings, 0 replies; 7+ messages in thread
From: /dev/rob0 @ 2005-08-15  9:17 UTC (permalink / raw)
  To: netfilter

On Monday 2005-August-15 00:47, Grant Taylor wrote:
> Can we get an ls -l of the files in question?  What is the user that
> the web server is running as?

The OP said it was "nobody". It's not a file permission issue; it is
the fact that only root can manipulate the kernel's netfilter rules. 
SUID (messy and risky) or sudo(1) (clean and possibly less risky if 
done right) are really the only solutions.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header


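The "sudo done right" variant that several replies point at, written out as an added example; it is not code from the thread or from any of its authors. It assumes the web server user is "nobody" (as the original poster says), that iptables lives at /sbin/iptables and sudo at /usr/bin/sudo, and that the sudoers entry shown in the comment has been installed with visudo (the Cmnd_Alias name is an assumption). The point is that sudo is granted for one fixed argument vector only, and the Perl side never lets anything from the HTTP request reach that command line.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): flush the FORWARD chain from a CGI
# helper through sudo instead of a setuid script.
#
# Assumed sudoers entry (install with visudo; paths and the alias name are
# assumptions for this example):
#
#   Cmnd_Alias FW_FLUSH = /sbin/iptables -F FORWARD
#   nobody ALL=(root) NOPASSWD: FW_FLUSH
#
# Because the entry names the exact argument vector, "nobody" can run this
# one command and nothing else through sudo, not an arbitrary iptables call.
use strict;
use warnings;

# -T (taint mode) refuses to run external commands while the environment is
# untrusted, so scrub it first, as perlsec recommends.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/sbin:/usr/bin:/sbin:/bin';

# Must match the sudoers entry byte for byte.
my @IPTABLES_FLUSH_FORWARD = ('/sbin/iptables', '-F', 'FORWARD');

# Runs iptables via sudo. List-form system() never goes through a shell, so
# there is no quoting or metacharacter problem, and the argument vector is
# fixed: no request parameter is interpolated anywhere.
sub flush_forward_chain {
    # -n: never prompt for a password; if the sudoers rule is missing, fail
    #     immediately instead of leaving the CGI process hanging on a prompt.
    my @cmd = ('/usr/bin/sudo', '-n', @IPTABLES_FLUSH_FORWARD);
    my $rc  = system(@cmd);

    return (0, "failed to exec sudo: $!") if $rc == -1;
    return (0, sprintf('command killed by signal %d', $rc & 127)) if $rc & 127;

    my $exit = $rc >> 8;
    return $exit == 0
        ? (1, 'FORWARD chain flushed')
        : (0, "sudo/iptables exited with status $exit");
}

# Minimal CGI front end: the response reports only success or failure.
print "Content-Type: text/plain\r\n\r\n";
my ($ok, $msg) = flush_forward_chain();
print $ok ? "OK: $msg\n" : "ERROR: $msg\n";
exit($ok ? 0 : 1);
```

If the rule in sudoers is missing or does not match the argument vector exactly, sudo -n exits non-zero and the helper reports it rather than stalling; sudo's own log line for the denied or permitted command is the audit trail an administrator would then check.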
