Running a BASH script via PHP

Anon

I am working on a simple web interface to change IPTABLES ports. I have a BASH IPTABLES script, that when I run it manually, works fine. With PHP, I run it, and it seems to run, but nothing happens. If I use passthru(), it gives me normal output as it does by running it manually, and that is it.

The file is chmoded 777 with owner nobody.nobody. nobody can not run it however as they do not have access to IPTABLES. When running commands such as passthru(), does it run the command as root or as what PHP is running as? Perhaps that is the problem, in some odd say.

I use PHP to search for the port list in MonMarta's IPTABLES file, and add/remove ports by parsing that string. It writes the output to a different file, then makes a backup of the original, and copies the new one over, then chmod's it to 777 and sets the owner to nobody.nobody. I know 777 is not that secure, but right now I just want it to work... 🙂

Any help would be appreciated for this problem. I need to have this buttoned up by the end of the week for work, and this is the ONLY thing I have left.

Thanks
Paul

Anon

i know it's even less secure but maybe try setuid.

Anon

How would I use this in the script? I was looking at the bash options, I am not seeing one for setuid...

Is there a uid option specifically for PHP?

Anon

no, it's part of the shell permissions structure. short rundown here:

http://www.evolt.org/article/UNIX_File_Permissions_and_Setuid_Part_2/18/263/

explains it better than i could

Anon

I just tried it, no go...

I am even trying to use "/sbin/init 3" to rerun the script (as well as everything else), and that does nothing. I chmoded with 7755, both init and the script that I am trying to use, no luck...

Anon

I took this to another step even. I created a C binary that all it does is run the script. I can manually run the C binary, and it runs the script and it takes effect. If I try running the C binary in PHP, nothing happens....

Anon

k. for the c binary you may have to manually power up to root. so something like

#include <unistd.h> // i think...

seteuid(0); // set effective uid to root
system("/usr/bin/foo");

that's totally off the top of my head so it may not work "as advertised" but i think the general concept should do the job.

if that doesn't work, some kludges could be:

a) put the whole script into one string and run that via system()
b) edit your crontab to run the scrip one second from time()

frymaster

Anon

Great ideas, I think I will end up going with them.... I tried the seteuid() being added to my C binary, same thing happens. ARGH!

Some questions though. How do I set crontab to run in one second, the smallest increment I see is in a minute. The other thing, how long of a string can I actually have? This script is several pages printed out.

Thanks
Paul

Anon

Well, I am getting closer! I have at scheduling things now, but one little problem... seteuid() is not working... If I run it as root, works fine. If I run it as another user, such as nobody, no go. Getting closer, just not quite there.

Anon

Paul,

I am facing the same problem. Even worse, I have to do it in a real time fashion. Have you figured out the soultion yet? Any help will be very much appreciated.

Ken