I'm trying to get a web-accessible .php page to trigger an iptables command (which requires root privileges).
The php page has one line:
exec('sudo iptables -I INPUT 3 -s [login to view URL] -p tcp --destination-port 443 -j DROP');
I used visudo to modify /etc/[login to view URL]
I have two questions that you're bidding on:
QUESTION 1) Which is the correct format for the [login to view URL] file:
www-data ALL=(ALL:ALL) NOPASSWD: /sbin/iptables
www-data ALL = NOPASSWD: /sbin/iptables
www-data ALL=(ALL) NOPASSWD: /sbin/iptables
QUESTION 2) Is there a better way to do this?
Should I not be allowing www-data to run iptables?
The only command I need to run is "iptables -I INPUT...-j DROP"
Please post your bid for answering both questions. And if #2 is "yes", for explaining what to do.
Thanks for reading!
Hi, I can provide support for your task. Answers:
1) "www-data ALL=(ALL) NOPASSWD: /sbin/iptables" is the right format.
2) Yes, there are better ways. You should at least put your command in a script, then limit the sudoers rights to this script only. Giving iptables access in sudoers might get really harmful.
$15 USD in 1 day
3 freelancers are bidding an average of $18 USD for this job
As you have mentioned, you want to add an iptables entry using PHP. No, it's not recommended to give any user that is already using a service, like www-data, privileges to do security-related tasks.
If you still want to do it, I can do that for you, but my suggestions are to use either a firewall that has a UI instead, which I can again set up for you but not will charge a bit more for it.
The second and best solution is to use a backend bash script, which runs it using another user that is a sudo user, and a button in the PHP script. Again, I can set up the script part for you, and if you want to change remote servers' iptables from here, it's again possible using Ansible. Whichever solution you want, let me know.
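Both bids point toward a wrapper script that is the only thing www-data may run through sudo. The following is an added example of that idea, not code from the original post or from either bidder; the path /usr/local/sbin/block-ip, the sudoers line and the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, installed as /usr/local/sbin/block-ip (root-owned, mode 0755).
# Assumed sudoers entry (edit with visudo), replacing the blanket /sbin/iptables grant:
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/block-ip
# Assumed PHP caller:
#   exec('sudo /usr/local/sbin/block-ip ' . escapeshellarg($ip));

# Fixed absolute path, set here and never read from the caller's environment.
IPTABLES=/sbin/iptables

# is_ipv4 ADDR: succeed only for a plain dotted quad, four octets 0-255.
# Rejects empty input, options such as "-j", CIDR suffixes and shell metacharacters.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        case "$octet" in 0?*) return 1 ;; esac   # no leading zeros
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_ip ADDR: insert the one rule from the question, with a validated source.
# Every other iptables argument is fixed, so the caller cannot flush or rewrite rules.
block_ip() {
    [ "$#" -eq 1 ] && is_ipv4 "$1" || { echo "usage: block-ip IPV4" >&2; return 2; }
    "$IPTABLES" -I INPUT 3 -s "$1" -p tcp --destination-port 443 -j DROP
}

# Run only when an argument was given; the exit status is block_ip's.
[ "$#" -eq 0 ] || block_ip "$@"
```

With this in place the web user can add a DROP rule for one address on port 443 and nothing else, whichever of the three sudoers formats from the question is used for the entry.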