[英]Run python-iptables (iptc) as non-root user
I am trying to run the python-iptables as a non-root user.我正在尝试以非 root 用户身份运行 python-iptables。
My script is test.py:我的脚本是test.py:
import iptc
import os
uid = os.getuid()
print("Real user ID of the current process:", uid)
table = iptc.Table(iptc.Table.FILTER)
print("Table is:".format(table))
I tried:我试过了:
/usr/bin/python2.7
(outcome is: $ getcap /usr/bin/python2.7 /usr/bin/python2.7 = cap.net_admin+eip
) and executing /usr/bin/python2.7./test.py
as described in: Python Scapy sniff without root/usr/bin/python2.7
(结果是: $ getcap /usr/bin/python2.7 /usr/bin/python2.7 = cap.net_admin+eip
)并执行/usr/bin/python2.7./test.py
描述如下: Python Scapy sniff without root./ambient -c '12' /usr/bin/python2.7./test.py
./ambient -c '12' /usr/bin/python2.7./test.py
The logs are:日志是:
('Real user ID of the current process:', 1000)
Traceback (most recent call last):
File "test.py", line 7, in <module>
table = iptc.Table(iptc.Table.FILTER)
File "/usr/lib64/python2.7/site-packages/iptc/ip4tc.py", line 1566, in __new__
obj._init(name, autocommit)
File "/usr/lib64/python2.7/site-packages/iptc/ip4tc.py", line 1582, in _init
self.refresh()
File "/usr/lib64/python2.7/site-packages/iptc/ip4tc.py", line 1619, in refresh
self.strerror()))
iptc.ip4tc.IPTCError: can't initialize filter: Permission denied (you must be root)
My kernel is:我的 kernel 是:
$ uname -r
4.4.224-1.el7.elrepo.x86_64
My python version is:我的 python 版本是:
Python 2.7.5
My python-iptables version is:我的 python-iptables 版本是:
python-iptables 0.12.0
I can successfully run "iptables -L" as a non-root user but I cannot successfully run iptc python commands as a non-root user.我可以以非 root 用户身份成功运行“iptables -L”,但无法以非 root 用户身份成功运行 iptc python 命令。
Is there any other way to give my python script capabilities or is it related to the iptc code?有没有其他方法可以提供我的 python 脚本功能,或者它与 iptc 代码有关?
Could it be failing because it requires additional capabilities?它会因为需要额外的功能而失败吗?
run python with sudo or run this python under superuser credentials.使用 sudo 运行 python 或在超级用户凭据下运行此 python。 Because iptables requires (sudo) superuser credentials.
因为 iptables 需要 (sudo) 超级用户凭据。
for example: sudo python test.py
例如:
sudo python test.py
iptc is not shell'ing out to run iptables - it's loading the c-bindings directly. iptc 不是为了运行 iptables 而进行的——它是直接加载 c 绑定。 As the script is calling python underneath, you have to give python these capabilities directly.
由于脚本在下面调用 python,因此您必须直接为 python 提供这些功能。
Giving capabilities to python system-wide is not a good idea(tm).在系统范围内为 python 提供功能不是一个好主意 (tm)。 Making a local-copy of python runnable only by the user, with the additional capabilities of cap_raw.net will do the trick.
使 python 的本地副本只能由用户运行,使用 cap_raw.net 的附加功能就可以了。
njl@mymachine:~/myproject $ which python3
/home/njl/bin/python3
njl@mymachine:~/myproject $ getcap ~/bin/python3
/home/njl/bin/python3 cap_net_admin,cap_net_raw=ep
njl@mymachine:~/myproject $ ls -l ~/bin/python3
-rwx------ 1 njl njl 4703672 Jan 7 21:18 /home/njl/bin/python3
njl@mymachine:~/myproject $ ./demo.py
{'INPUT': [], 'FORWARD': [], 'OUTPUT': []}
Sample Code:示例代码:
#!/usr/bin/env python3
import iptc
def dump_iptables():
return iptc.easy.dump_table('filter',ipv6=False)
print(dump_iptables())
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.