# [SOLVED] config iptables on a webpage

## ska_p_te

I'm not sure whether I have to post it here or at Portage & Programming. 

I have a school project and part of it is to make a web interface to configure iptables. 

So my question is: Is there a possibility to execute iptables from the apache webserver? 

I know there will be security issues, or am I wrong?

Thanks, 

Ska

Last edited by ska_p_te on Tue Feb 05, 2008 7:28 pm; edited 1 time in total

----------

## eccerr0r

Course it's possible, you'll need setuid root scripts to do it, and there is a huge security implication to do it.

I don't think the built-in suexec will work with root, so you'll need to be extra careful in not making a security hole...

But of course web interfaces are possible, you can see DD-WRT's or Linksys (router) code for its web interface, though it doesn't use apache.

----------

## ska_p_te

Ok thanks, 

the built-in suexec doesn't work for root, like you said. 

So I just say in my php script exec(setuid user file) and then I can execute it as root? 

Thanks,

Ska

----------

## eccerr0r

No, I don't think it'd work as-is, as Linux doesn't allow SUID scripts.  You'll need to write a wrapper C program to execute the PHP interpreter with the php script (and only that script) as root.

I ended up writing my web login script in perl (for apache) and had to get root access as well.  Not entirely sure how to do this for PHP but I suspect it's similar.

----------

## Hu

It would be safer to let the PHP execute a setuid C program.  That would allow you to run PHP as a low privileged account.  The C program should also do rigorous validation of the input before executing iptables.  Use execve in the C program to transfer control directly to iptables, so that there is no opportunity to pass dangerous metacharacters to the shell.
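An added example of the design Hu describes (not code from the thread): PHP runs unprivileged and calls a small setuid-root wrapper that accepts only an action name from a fixed table, never a user-chosen program or argument string, and then execve()s iptables directly so no shell sees the input. The action names and the /sbin/iptables path are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fixed table: the only iptables invocations this wrapper can ever issue.
 * Action names and the iptables path are assumptions for this example. */
struct action {
    const char *name;
    const char *argv[6];            /* argv[0] first, NULL-terminated */
};

static const struct action actions[] = {
    { "forward-accept", { "iptables", "-P", "FORWARD", "ACCEPT", NULL } },
    { "forward-drop",   { "iptables", "-P", "FORWARD", "DROP",   NULL } },
    { "list-filter",    { "iptables", "-L", "-n", NULL } },
};

/* Validation: exact match against the table, nothing else is accepted.
 * Returns the entry or NULL; never aborts on bad input. */
const struct action *lookup_action(const char *name)
{
    if (name == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof actions / sizeof actions[0]; i++)
        if (strcmp(name, actions[i].name) == 0)
            return &actions[i];
    return NULL;
}

int main(int argc, char *argv[])
{
    const struct action *a;
    /* Fixed, minimal environment: nothing inherited from Apache/PHP. */
    char *env[] = { "PATH=/sbin:/bin", NULL };
    if (argc != 2 || (a = lookup_action(argv[1])) == NULL) {
        fprintf(stderr, "usage: wrapper <action>\n");
        return 2;
    }
    /* Become root for real; requires the binary to be root-owned with u+s.
     * Check the result instead of assuming the privilege change worked. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    /* Transfer control straight to iptables: no shell, no metacharacters. */
    execve("/sbin/iptables", (char *const *)a->argv, env);
    perror("execve");               /* only reached on failure */
    return 1;
}
```

From PHP the call is then `exec('/usr/local/sbin/wrapper forward-accept')` with the action name itself checked against the same fixed list before calling.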

----------

## ska_p_te

Thanks, 

Do you have an example of that? 

My knowledge of C isn't so good.

Ska

----------

## Hu

There is an example in the manual.  Run man execve.

----------

## ska_p_te

OK Thanks, 

I'll check it out today. 

Greetz,

Ska

----------

## MorpheuS.Ibis

I had a similar task (running a series of commands as root from apache). I made it the other way around: I set up a shell script to do everything I needed from some parameters, set up sudo to allow apache to run this script as root without entering a password, and used php exec() for "sudo script parameters".

----------

## ska_p_te

I'm using execve like you said, but it isn't working. Any ideas?

I use it like this as a non-root user:

```
./execve ./script.sh
```

execve.c

```
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <assert.h>

int
main(int argc, char *argv[])
{
    char *newargv[] = { NULL, "hello", "world", NULL };
    char *newenviron[] = { NULL };

    assert(argc == 2);  /* argv[1] identifies
                           program to exec */
    newargv[0] = argv[1];

    /* switch to root; only has effect if the binary is setuid root */
    setgid(0);
    setegid(0);
    setuid(0);
    seteuid(0);

    execve(argv[1], newargv, newenviron);
    perror("execve");   /* execve() only returns on error */
    exit(EXIT_FAILURE);
}
```

script.sh

```
#!/bin/bash
echo "Set default policy forward";
iptables -P FORWARD ACCEPT
```

----------

## Hu

What happens when you try to run it?  Did you make it setuid root?  Did you intend to let that wrapper run an arbitrary program chosen by the user?

Also, do not use assert to validate user input.  A failed assertion will cause the program to abort.  A program should never abort in response to bad user input.

----------

## ska_p_te

When I execute it with a normal user it gives: 

```
iptables v1.3.8: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
```

Strange, because I don't use the filter chain. 

It is the same error when I use /sbin/iptables with a normal user.

Perhaps it doesn't set the UID correctly? 

Is there a way I can check it?

I've tried with sprintf(myBuf, "%d", getuid());

But it printed nothing.

Greetz, 

Ska

----------

## eccerr0r

Make sure you chmod the binary with u+s and owned by root -- this tells the system to allow whoever executing the file to change its effective userid to the owner of the file, which would be root.

----------

## ska_p_te

Thanks eccerr0r that did the trick! 

I hope everything else will go fine. 

Greetz, 

Ska

----------

