Puppy Linux Discussion Forum
PHP script for Apache / LHP64 512 [NEARLY SOLVED]
Meshworks


Joined: 25 Oct 2011
Posts: 38

Posted: Wed 16 Nov 2011, 00:08    Post subject:  PHP script for Apache / LHP64 512 [NEARLY SOLVED]
Subject description: PHP will not execute the iptables command properly...
 

Hi all....

You're (not) going to love this ...

I am building a PHP script to automatically ban IPs from my website that look too carefully for things like phpmyadmin and other xampp type folders....

Once we've built a list, the script (should) rip through, banning IPs using iptables.

The line in question could look something like:

$runme="iptables -I INPUT -s " . $ip . " -j DROP";
if ($ip!=$host_ipaddress) $result=shell_exec($runme);

Unfortunately this (and everything else I've tried) causes an error:
iptables v1.4.6: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

The lampp distro I'm using seems to run as user nobody (not 200% sure of that - could be spot!).

Without adding the apache user to the sudoers list, is there any way to make this work? How would someone who knows what they're doing get round this?!

Ideas welcome!

: )

LHP64 512
Apache Friends Xampp

Last edited by Meshworks on Mon 28 Nov 2011, 17:34; edited 1 time in total
Meshworks


Joined: 25 Oct 2011
Posts: 38

Posted: Wed 16 Nov 2011, 10:19

The only idea I've had so far is to add or use a different user, and call a script that uses su or similar to call the iptables command.

Better ideas anyone?
Meshworks


Joined: 25 Oct 2011
Posts: 38

Posted: Wed 16 Nov 2011, 21:48    Post subject:  Chicken -> Egg -> Chicken -> Egg ...
Subject description: Gnomes... losing... hair...
 

OK the problem has a chicken / egg quality about it:

1) Xampp seems to be running as root - in fact it produces an error if started as "spot" :

Code:
bash-4.1# su spot
<spot> ~
bash-4.1$ /opt/lampp/lampp start
You need to start XAMPP as root!


I have checked lxtask and the httpd daemons state that they are running as root.
This is probably because they are launched as root.

Code:
<root> ~
bash-4.1# /opt/lampp/lampp start
Starting XAMPP for Linux 1.7.7...
XAMPP: Starting Apache with SSL (and PHP5)...
XAMPP: Starting MySQL...
XAMPP for Linux started.
<root> ~
bash-4.1#


The details in the httpd.conf are revealing here ...

Code:
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch. 
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
# commented out by lampp compatibility check and meshworks gnomes
#User nobody
#Group nogroup
#Group nobody
User spot
Group spot


This would indicate that xampp is actually running stuff as a different user.
This is borne out by apache's inability to execute "shell_exec($runme); " certain commands correctly.

2) Is there a way of stopping this error and making xampp run as a different user with fewer rights?

3) I would prefer to avoid adding this user to the sudoers list...
However ... if the user is not able to su to a different one then "he" will still not be able to run the commands!

Code:

<root> ~
bash-4.1# su spot
<spot> ~
bash-4.1$ whoami
spot
<spot> ~
bash-4.1$ su root
su: must be suid to work properly
<spot> ~


Here's another telling snippet. As spot is not on the sudo list, the following command fails.
What it should do is run a command (in this case 'ls') as root, supplying the password instead of having to type the password in...

Code:
<root> ~
bash-4.1# echo password | sudo -u root -S ls
Building       File-Sharing   my-documents     puppy-reference  wine
Choices        Fonts      my-roxapps     spot
Desktop        ftpd      Performing     Startup
DesktopHidden  my-applications   Projectfiles.com  Web-Server
<root> ~
bash-4.1# su spot
<spot> ~
bash-4.1$ echo password | sudo -u root -S ls
Password:Sorry, try again.
Password:
sudo: 1 incorrect password attempt
<spot> ~


As you see the 'ls' command fails as user spot...

Ideas anyone?
Best fit solution welcome!
Stop gnome hairloss for pity's sake!
Meshworks


Joined: 25 Oct 2011
Posts: 38

Posted: Mon 28 Nov 2011, 17:34    Post subject: A CHRONic solution
Subject description: Gnomes lost all hair and gave up....
 

Ok. The solution is to run the PHP script via cron, say every two minutes.
This will enable a proper user to run the script, not apache.
Another bonus is that the ban script can be kept outside the htdocs folder.

Now all I need to do is read up on cron (which I have avoided until now!)

More soon.
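
An added example, not part of the original posts: a shell sketch of the root-side half of the cron approach described above, in which the web-facing script only appends candidate addresses to a file and a root cron job validates and applies them. The file paths, the `HOST_IP` placeholder, the `--apply` flag and the script location are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: root-side job for the cron approach. The PHP script (running as
# the unprivileged Apache user) only appends candidate addresses to BAN_LIST;
# this job, run from root's crontab, validates each line and applies the rule.
# BAN_LIST, STATE, HOST_IP and the --apply flag are assumptions, not from the thread.
BAN_LIST="${BAN_LIST:-/var/lib/webban/candidates.txt}"  # hypothetical, outside htdocs
STATE="${STATE:-/var/lib/webban/applied.txt}"           # hypothetical, root-owned
HOST_IP="${HOST_IP:-192.0.2.10}"                        # placeholder for the server's own IP
IPTABLES="${IPTABLES:-iptables}"

# True only for a dotted-quad IPv4 address, octets 0..255, no leading zeros.
# The list is written by the web server user, so every line is untrusted input
# that must never reach a root command line unchecked.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; safe, only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Reads candidate addresses on stdin and inserts one DROP rule per new address.
# STATE records what was already applied, so a job that runs every two minutes
# does not stack duplicate rules.
apply_bans() {
    touch "$STATE" || return 1
    while IFS= read -r ip; do
        is_ipv4 "$ip" || continue                  # reject anything but a plain IPv4 address
        [ "$ip" = "$HOST_IP" ] && continue         # never ban the server itself
        grep -qxF -- "$ip" "$STATE" && continue    # already banned in an earlier run
        "$IPTABLES" -I INPUT -s "$ip" -j DROP && echo "$ip" >> "$STATE"
    done
    return 0
}

# Example root crontab entry (script path hypothetical):
#   */2 * * * * /root/bin/apply-bans.sh --apply
if [ "${1:-}" = "--apply" ] && [ -r "$BAN_LIST" ]; then
    apply_bans < "$BAN_LIST"
fi
```

Because the privileged job builds the command from a validated address passed as a single quoted argument, nothing the web-facing script writes to the list can add extra options or commands to the `iptables` call.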