从PHP运行iptables时发生意外行为
[英]Unexpected behaviour when running iptables from php
问题描述
I'm running the following code from within php 
我正在从php中运行以下代码
$ipAddress=$_SERVER['REMOTE_ADDR'];
$mac = `arp -an |grep $ipAddress | awk '{print $4}'`;
$c = "sudo iptables -t mangle -I internet 1 -m mac --mac-source $mac -j RETURN";
shell_exec($c);
after it, output of 之后,输出
#iptables -L -v -t mangle
pkts bytes target prot opt in out source destination
215 18676 all -- * * 0.0.0.0/0 0.0.0.0/0 MAC D0:17:C2:48:1E:4F
26 1717 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
340 26189 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x63
note that there is no RETURN in the target 请注意,目标中没有RETURN
If I run the same command from bash shell as sudo, the output is 如果我从bash shell运行与sudo相同的命令,则输出为
$ sudo iptables -t mangle -I internet -m mac --mac-source D0:17:C2:48:1E:4F -j RETURN
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 MAC D0:17:C2:48:1E:4F
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x63
Observe that there is a RETURN in the target 观察目标中有RETURN
I have modified sudoers with visudo to enable php to run the said command as root 我用visudo修改了sudoers以使php以root身份运行上述命令
I also tried system(), exec and using backtick operator in php. 我还尝试了system(),exec和在PHP中使用backtick运算符。 But, all is the same. 但是,都是一样的。
I could not understand why this happens and a remedy to it. 我不明白为什么会发生这种情况并采取补救措施。
2 个解决方案
解决方案1
1 已采纳 2017-11-05 14:45:32
The string assigned to $mac ends with a newline characters, thus breaking the iptables command. 分配给$mac的字符串以换行符结尾,从而破坏了iptables命令。 Removing the newline, for example by using explode instead of awk , should fix this: 删除换行符,例如使用explode而不是awk ,应解决此问题:
$ipArp = `arp -an | grep $ipAddress`;
$mac = explode(' ', $ipArp)[3];
I'd like to add that this kind of script scares me a little. 我想补充一点,这种脚本使我有些害怕。 Blindly passing values to a shell command can have very bad consequences. 盲目地将值传递给shell命令可能会带来非常糟糕的后果。 I don't think this particular script is exploitable, but giving sudo permissions to PHP is not a good idea from a security point of view. 我不认为该特定脚本是可利用的,但是从安全角度来看,向PHP授予sudo权限不是一个好主意。
解决方案2
1 2017-11-05 16:20:40
The solution :- 解决方案 :-
I made a script /usr/bin/addtheuser and gave sudo access to www-data for this script only. 我制作了一个脚本/ usr / bin / addtheuser,并且仅对该脚本提供了sudo访问www-data的权限。
/usr/bin/addtheuser:- 在/ usr / bin中/ addtheuser: -
iptables -t mangle -i wlan0 -I internet 1 -m mac --mac-source $1 -j RETURN
When I tried running from php 当我尝试从php运行时
$c = "sudo /usr/bin/addtheuser ".$mac;
shell_exec($c);
Now it worked as expected. 现在它按预期工作了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.