Exécuter script avec droits root

[ShonGail]

Bonjour

Sur un Ipcop 1.3, je lance un script à travers une page cgi dans l'interface WEB.

Le problème est que ce script contient un "/etc/rc.d/rc.firewall restart"
Le but étant de prendre en compte des modifs au niveau des règles IPTABLE

or cette commande requière des droits root.

Ma question coule donc de source :

Comment lancer ce script avec des droits root ? Comment prendre en compte des modifs dans le rc.firewall sans droits root sinon ? (mis à part rebooter bien sur )

Je me suis interessé à la commande "su" mais elle ne me permet pas de passer le mdp :/

Help please

[jdh]

Une question : comment un utilisateur Unix/Linux peut changer de mot de passe ?

La réponse : il faut que l'utilisateur utilise la commande "passwd" qui est la seule à pouvoir modifier un mot de passe.

Mais alors autre question : comment un utilisateur peut utiliser une commande qui a accès à des fichiers aussi importants (et peut les modifier) ? (normalement seulement "root" peut modifier ces fichiers !)

La réponse : il y a le "suid".

Un attribut pour les fichiers (ou plutôt les commandes) est justement fait pour ça : un utilisateur peut lancer la commande AVEC les droits du propriétaire (ici en l'occurence "root") grace au "suid" bit :

Code: Tout sélectionner

fw:~# which passwd
/usr/bin/passwd
fw:~# ls -lF /usr/bin/passwd
-rwsr-xr-x  1 root root 26840 2006-08-12 20:05 /usr/bin/passwd*     <- le "s" est le "suid"-bit
fw:~#

Donc la solution est de créer une commande, définir le propriétaire à "root" (avec "chown user:grp cde"), activer le "suid" bit (avec "chmod +s cde"). Et hop ...

[ShonGail]

Merci @ toi de me répondre

Je m'étais interessé au SUID mais malgré cela, le "rc.firewall restart" échoue

Les erreurs qui s'inscrivent dans les logs d'httpd sont alors les suivantes :

Code: Tout sélectionner

Could not open /dev/console for writing.
open: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/conf/all/rp_filter: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/conf/all/accept_redirects: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/conf/all/accept_source_route: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/conf/all/log_martians: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/tcp_fin_timeout: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/tcp_window_scaling: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/tcp_timestamps: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/tcp_sack: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/tcp_max_syn_backlog: Permission denied
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/conf/all/rp_filter: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/conf/all/accept_redirects: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/conf/all/accept_source_route: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/conf/all/log_martians: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/tcp_fin_timeout: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/tcp_window_scaling: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/tcp_timestamps: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/tcp_sack: Permission denied
/etc/rc.d/rc.firewall: /proc/sys/net/ipv4/tcp_max_syn_backlog: Permission denied
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.7a: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Could not open /dev/console for writing.
open: Permission denied


[jdh]

Il faut faire une commande (script bash) qui elle-même lance /etc/.... Par exemple :

Code: Tout sélectionner

#!/bin/bash
#

/etc/rc.d/rc.firewall restart

C'est cette commande qui doit être propriétaire "root" et "suid".

N'empèche je ne comprends pas bien pourquoi il faut redémarrer un script de firewall de façon plus ou moins automatique ...

[ShonGail]

Il faut faire une commande (script bash) qui elle-même lance /etc/.... Par exemple :

Code: Tout sélectionner

#!/bin/bash
#

/etc/rc.d/rc.firewall restart

C'est cette commande qui doit être propriétaire "root" et "suid".

N'empèche je ne comprends pas bien pourquoi il faut redémarrer un script de firewall de façon plus ou moins automatique ...

C'est pourtant ce que j'ai fait Un script bash qui relance le rc.firewall
Et j'ai bien donné à ce script le "suid"

Mon script est très simple :

Code: Tout sélectionner

#!/bin/sh

cp /etc/rc.d/rc.firewall.msn /etc/rc.d/rc.firewall -p
sleep 2
/etc/rc.d/rc.firewall restart



les droits dessus sont les suivants :

Code: Tout sélectionner

root@ipcop:~ # ls -l /usr/local/bin/msn.cmd
-rwsr-sr-x    1 root     root          160 Oct 20 08:50 /usr/local/bin/msn.cmd


Tu l'auras compris. Cela sert à modifier le rc.firewall pour bloquer ou non le port 1863, correspondant à MSN Messenger

[m2nis]

Tu l'auras compris. Cela sert à modifier le rc.firewall pour bloquer ou non le port 1863, correspondant à MSN Messenger

Avec BOT, il suffit de créer la règle puis de la cocher ou... de la décocher. Trop simple?

[ShonGail]

Tu l'auras compris. Cela sert à modifier le rc.firewall pour bloquer ou non le port 1863, correspondant à MSN Messenger

Avec BOT, il suffit de créer la règle puis de la cocher ou... de la décocher. Trop simple?

Oui mais BOT c'est pour la 1.4 et moi je suis en 1.3 et je ne peux passer en 1.4 pour diverses raisons. La principale étant que la machine est à plusieurs centaines de KM

Mais bon je vais peut-être étudier BOT afin de découvrir comment il permet de changer les règles IPTABLE à la volée à travers la seule interface WEB.

[Fesch]

Sinon, il faudrait utiliser SUDO pour exécuter un script en tant que root.

[Franck78]

"Sur un Ipcop 1.3, ", Shongail est un kamikaze

Le plus simple ne serait-il pas de fouiller un peu pour voir comment IPCop gére ce problème?

La première chose a savoir c'est qu'un script c'est pas un executable. suid laisse linux de marbre.
La méthode IPCop est simple, un helper, donc un vrai programme compilé, fait le boulot demander par le GUI. Et cette fois le helper (suid root)peut faire ce qu'il veut certe, mais surtout QUE ce qu'il est prévu qu'il fasse (sauf bug bien entendu).

[ShonGail]

Sinon, il faudrait utiliser SUDO pour exécuter un script en tant que root.

hello

SUDO n'est pas implémenté dans IPCOP 1.3

[ShonGail]

"Sur un Ipcop 1.3, ", Shongail est un kamikaze

Le plus simple ne serait-il pas de fouiller un peu pour voir comment IPCop gére ce problème?

La première chose a savoir c'est qu'un script c'est pas un executable. suid laisse linux de marbre.
La méthode IPCop est simple, un helper, donc un vrai programme compilé, fait le boulot demander par le GUI. Et cette fois le helper (suid root)peut faire ce qu'il veut certe, mais surtout QUE ce qu'il est prévu qu'il fasse (sauf bug bien entendu).

Oui Franck78 ("78" comme le département ? Si oui on est pas loin ) j'ai vu cela !
Les scripts CGI de la GUI WEB lancent des exe qui agissent eux sur les fichiers de l'IPCOP

J'aimerai pouvoir suivre ce principe. Malheureusement je ne programme pas en C qui est, si je ne m'abuse, le langage utilisé pour ces executable. :/

[Franck78]

J'aimerai pouvoir suivre ce principe. Malheureusement je ne programme pas en C qui est, si je ne m'abuse, le langage utilisé pour ces executable. :/

C'est grand le 78,Je suis tout en haut; sartrouville, houilles, la défense, bezons.

Je ne programme pas en 'C': bon ca je trouve que c'est une excuse bidon car il n'y a pas besoin d'être un expert pour parvenir à lancer depuis le 'C' un script bash. D'autant plus que le modèle est sous la main...

Tu risques tout au plus de passer un peu de temps à installer gcc sous n'importe quel linux Vraiment, c'est facile comme tout.

[ShonGail]

J'aimerai pouvoir suivre ce principe. Malheureusement je ne programme pas en C qui est, si je ne m'abuse, le langage utilisé pour ces executable. :/

C'est grand le 78,Je suis tout en haut; sartrouville, houilles, la défense, bezons.

Je ne programme pas en 'C': bon ca je trouve que c'est une excuse bidon car il n'y a pas besoin d'être un expert pour parvenir à lancer depuis le 'C' un script bash. D'autant plus que le modèle est sous la main...

Tu risques tout au plus de passer un peu de temps à installer gcc sous n'importe quel linux Vraiment, c'est facile comme tout.

héhé je suis à Bezons

Sinon, bon je veux bien me lancer dans le C mais quand tu dis que les exemples sont sous la main, tu veux dire que les scripts C non compilés sont dans les sources d'Ipcop ? Je ne suis jamais allé voir encore les sources d'IPCOP