I'm trying to start a bash script later in PHP so I allowed it in visudo.

www-data ALL = (root) NOPASSWD: /sbin/iptables
www-data ALL = (root) NOPASSWD: /usr/bin/at

The script removeuserIP is just doing sudo iptables ... and is working:

#!/bin/bash
# Remove the NAT and FORWARD accept rules for the address given as $1
# ($1 quoted so an address can never be split into extra iptables arguments)
sudo iptables -t nat -D PREROUTING -s "$1" -j ACCEPT
sudo iptables -D FORWARD -s "$1" -j ACCEPT

and in the PHP code, I put this line:

$msg=exec("echo /var/www/scripts/removeuserIP $ipaddress | at now + 1 minutes");

but the issue is it's starting the script right now. I checked in /var/log/auth.log and indeed, it's starting the command right now.

I tried it in a terminal directly and there was no issue, it is starting later (with an argument of course):

echo /var/www/scripts/removeuserIP $ipaddress | at now + 1 minutes

I also tried to do it like this in a terminal but this one is not working either, because it doesn't understand there is an argument for the file:

sudo at now +1 minutes -f /var/www/scripts/removeuserIP 172.24.1.115

I really don't understand why it is starting right now when it should start 1 minute later and not now.

Kyll
Masa
  • Please try `exec('echo "/var/www/scripts/removeuserIP $ipaddress" | at now + 1 minutes');` (note the quotation marks). This might help, though I'm not sure. If it does, I'll post it as answer. – Alex Karshin Nov 03 '16 at 14:11
  • Putting www-data in sudoers is one of the worst ideas. – Ipor Sircer Nov 03 '16 at 14:23
  • I tried like you said and it is still not working. I just checked the log and it seems it doesn't have permission to use at; I saw it in /var/log/apache2. I even tried in visudo: www-data ALL = (all) NOPASSWD: ALL and it's still saying no permission to use at. Why is it one of the worst ideas? Any other suggestion to do something more secure? To be honest I'm a beginner with apache2/php so I'm not surprised by your answer. – Masa Nov 03 '16 at 18:54
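The comments above point at the real risk in this setup: a web process that can call sudo iptables with whatever ends up in $ipaddress. As an added example (not the asker's script nor anything from the answers), here is a removeuserIP that refuses to run unless its argument is a plain IPv4 address, plus a helper that builds the at(1) command line the PHP side would hand to exec(). The path /var/www/scripts/removeuserIP and the function names are assumptions; the script is POSIX sh so it runs under bash or dash.

```shell
#!/bin/sh
# Added example (not the asker's script): validate the address before anything
# reaches sudo iptables, and build the at(1) job line from validated input only.
# Assumed: script path /var/www/scripts/removeuserIP, sudo rule for /sbin/iptables.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
# Shell metacharacters, hostnames, or an empty string are all rejected.
is_ipv4() {
    local ip oldifs octet
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the command line to hand to exec() in PHP. The address is checked
# first, so the job body can only ever contain the script path and an IP.
build_at_job() {
    local ip delay
    ip=$1; delay=${2:-"now + 1 minutes"}
    is_ipv4 "$ip" || { echo "refusing to schedule, not an IPv4 address: $ip" >&2; return 1; }
    printf "echo '/var/www/scripts/removeuserIP %s' | at %s\n" "$ip" "$delay"
}

# Remove the two rules; refuses to run with anything but a validated address.
remove_user_ip() {
    local ip
    ip=$1
    is_ipv4 "$ip" || { echo "refusing: '$ip' is not an IPv4 address" >&2; return 2; }
    sudo /sbin/iptables -t nat -D PREROUTING -s "$ip" -j ACCEPT &&
    sudo /sbin/iptables -D FORWARD -s "$ip" -j ACCEPT
}

# Stand-alone use: removeuserIP <ipv4>
if [ $# -eq 1 ]; then
    remove_user_ip "$1"
fi
```

Run the validation in the script itself rather than only in PHP, since the sudo rule is what the script can reach, and a rejected argument shows up in the apache error log instead of silently changing the firewall.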

2 Answers


Would it be acceptable to put a time delay in removeuserIP script?

#!/bin/bash
# Wait one minute, then remove the rules for the address in $1 (quoted)
sleep 1m
sudo iptables -t nat -D PREROUTING -s "$1" -j ACCEPT
sudo iptables -D FORWARD -s "$1" -j ACCEPT

infinigrove
  • I don't think so. OP might have put the +1 minute here as an example and maybe needs another specific value (or calculated in php on the fly). – Aserre Nov 03 '16 at 15:11
  • Even if I need another time than 1m, I could always send it to the script file by using an argument if it was dynamic. I've tried a lot of different solutions so I can't be sure of what I'm saying right now, but last time I tried this solution to add a sleep, the page was waiting for 1 minute, so it was not good. – Masa Nov 03 '16 at 19:25
  • Oh yeah, I forgot about the PHP script waiting for the process to finish. It seems like you would have that same issue trying to do it the way you are though. You might want to check out http://stackoverflow.com/questions/1019867/is-there-a-way-to-use-shell-exec-without-waiting-for-the-command-to-complete – infinigrove Nov 03 '16 at 20:22

Solution: Finally, after checking /var/log/apache2/error.log, I saw that it doesn't have the permission to use at.

In fact you have to go to /etc/at.deny and remove the www-data line. There is probably a security reason why it's forbidden by default and a better way to do this, but at least it's working.

Masa