* iptables permission problem in perl scripts
@ 2005-08-14 7:34 afshin lamei
2005-08-14 8:27 ` Gavin Henry
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: afshin lamei @ 2005-08-14 7:34 UTC (permalink / raw)
To: netfilter
Dear all,
I have a cgi script, which uses some perl scripts in which i'm running
iptables command using "system" function, like this:
myfile.pl:
......
system("iptables -F FORWARD")
......
the cgi file is owned by root/root and is run by user nobody.
myfile.pl is owned by root/root, and I've it setuid (chmod u+s
myfile.pl ; chown root:nobody myfile.pl) to be able to run iptable
commands, but it returns this error:
/////
modprobe: Can't locate module ip_tables.
iptables v1.2.11: can't initialize iptables table `nat': Permission
denied (you must be root) perhaps iptables or your kernel needs to be
upgraded.
/////
what's the solution?
thanks a lot
afshin lame
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: iptables permission problem in perl scripts
2005-08-14 7:34 iptables permission problem in perl scripts afshin lamei
@ 2005-08-14 8:27 ` Gavin Henry
2005-08-15 5:47 ` Grant Taylor
2005-08-15 6:12 ` Jan Engelhardt
2 siblings, 0 replies; 7+ messages in thread
From: Gavin Henry @ 2005-08-14 8:27 UTC (permalink / raw)
To: netfilter
On Sunday 14 Aug 2005 08:34, afshin lamei wrote:
> Dear all,
> I have a cgi script, which uses some perl scripts in which i'm running
> iptables command using "system" function, like this:
> myfile.pl:
> ......
> system("iptables -F FORWARD")
> ......
>
> the cgi file is owned by root/root and is run by user nobody.
> myfile.pl is owned by root/root, and I've it setuid (chmod u+s
> myfile.pl ; chown root:nobody myfile.pl) to be able to run iptable
> commands, but it returns this error:
> /////
> modprobe: Can't locate module ip_tables.
> iptables v1.2.11: can't initialize iptables table `nat': Permission
> denied (you must be root) perhaps iptables or your kernel needs to be
> upgraded.
> /////
> what's the solution?
Use "sudo"
You can grant apache permission or another user etc.
--
Kind Regards,
Gavin Henry.
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: iptables permission problem in perl scripts
2005-08-14 7:34 iptables permission problem in perl scripts afshin lamei
2005-08-14 8:27 ` Gavin Henry
@ 2005-08-15 5:47 ` Grant Taylor
2005-08-15 9:17 ` /dev/rob0
2005-08-15 6:12 ` Jan Engelhardt
2 siblings, 1 reply; 7+ messages in thread
From: Grant Taylor @ 2005-08-15 5:47 UTC (permalink / raw)
To: netfilter
Can we get an ls -l of the files in question? What is the user that the web server is running as?
Grant. . . .
afshin lamei wrote:
> Dear all,
> I have a cgi script, which uses some perl scripts in which i'm running
> iptables command using "system" function, like this:
> myfile.pl:
> ......
> system("iptables -F FORWARD")
> ......
>
> the cgi file is owned by root/root and is run by user nobody.
> myfile.pl is owned by root/root, and I've it setuid (chmod u+s
> myfile.pl ; chown root:nobody myfile.pl) to be able to run iptable
> commands, but it returns this error:
> /////
> modprobe: Can't locate module ip_tables.
> iptables v1.2.11: can't initialize iptables table `nat': Permission
> denied (you must be root) perhaps iptables or your kernel needs to be
> upgraded.
> /////
> what's the solution?
> thanks a lot
> afshin lame
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: iptables permission problem in perl scripts
2005-08-15 5:47 ` Grant Taylor
@ 2005-08-15 9:17 ` /dev/rob0
0 siblings, 0 replies; 7+ messages in thread
From: /dev/rob0 @ 2005-08-15 9:17 UTC (permalink / raw)
To: netfilter
On Monday 2005-August-15 00:47, Grant Taylor wrote:
> Can we get an ls -l of the files in question? What is the user that
> the web server is running as?
The OP said it was "nobody". It's not a file permission issue; it is
the fact that only root can manipulate the kernel's netfilter rules.
SUID (messy and risky) or sudo(1) (clean and possibly less risky if
done right) are really the only solutions.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: iptables permission problem in perl scripts
2005-08-14 7:34 iptables permission problem in perl scripts afshin lamei
2005-08-14 8:27 ` Gavin Henry
2005-08-15 5:47 ` Grant Taylor
@ 2005-08-15 6:12 ` Jan Engelhardt
2 siblings, 0 replies; 7+ messages in thread
From: Jan Engelhardt @ 2005-08-15 6:12 UTC (permalink / raw)
To: afshin lamei; +Cc: netfilter
>the cgi file is owned by root/root and is run by user nobody.
>myfile.pl is owned by root/root, and I've it setuid (chmod u+s
>myfile.pl ; chown root:nobody myfile.pl) to be able to run iptable
>commands, but it returns this error:
To run suid perl scripts, you must
- chmod u+s the script AND
- use "suidperl" AND
- have suidperl being u+s
And it's the biggest security hole as everyone says - does not [yet] reflect
my opinion, though. So use some sudo magic (as recommended) if possible.
Jan Engelhardt
--
^ permalink raw reply [flat|nested] 7+ messages in thread
* iptables permission problem in perl scripts
@ 2005-08-14 9:29 psihozefir
2005-08-15 5:44 ` Grant Taylor
0 siblings, 1 reply; 7+ messages in thread
From: psihozefir @ 2005-08-14 9:29 UTC (permalink / raw)
To: netfilter
maybe run perl executable suid root
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2005-08-15 9:17 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-08-14 7:34 iptables permission problem in perl scripts afshin lamei
2005-08-14 8:27 ` Gavin Henry
2005-08-15 5:47 ` Grant Taylor
2005-08-15 9:17 ` /dev/rob0
2005-08-15 6:12 ` Jan Engelhardt
-- strict thread matches above, loose matches on Subject: below --
2005-08-14 9:29 psihozefir
2005-08-15 5:44 ` Grant Taylor
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox