Hi,

I did a little more research on this issue. I can now tell that DOSSystemCommand in general works, like:

    DOSSystemCommand "/bin/echo hi >> /tmp/out.txt"

But I'm still not able to generate iptables rules with mod-evasive. Here is the relevant configuration:

/etc/sudoers:

    Defaults env_reset
    root     ALL=(ALL) ALL
    www-data ALL=(ALL) NOPASSWD: /sbin/iptables -A INPUT -p tcp --dport 80 -s [0-9.]* -j DROP
    %sudo    ALL=(ALL) ALL

/etc/apache2/mods-enabled/mod-evasive.conf:

    <IfModule mod_evasive20.c>
        DOSHashTableSize    3097
        DOSPageCount        2
        DOSSiteCount        50
        DOSPageInterval     1
        DOSSiteInterval     1
        DOSBlockingPeriod   10
        DOSLogDir           "/var/lock/mod_evasive"
        DOSSystemCommand    "/usr/bin/sudo /sbin/iptables -A INPUT -p tcp --dport 80 -s %s -j DROP"
    </IfModule>

I've strace'd the apache processes; here are the relevant parts:

    ...
    2241 execve("/usr/bin/sudo", ["/usr/bin/sudo", "/sbin/iptables", "-A", "INPUT", "-p", "tcp", "--dport", "80", "-s", "10.211.55.2", "-j", "DROP"],
    2241 geteuid32()                          = 33
    2241 write(2, "sudo", 4)                  = 4
    2241 write(2, ": ", 2)                    = 2
    2241 write(2, "must be setuid root", 19)  = 19
    2241 write(2, "\n", 1)                    = 1
    ...

The permissions of /usr/bin/sudo seem ok:

    -rwsr-xr-x 2 root root 144740  8. Sep 22:32 /usr/bin/sudo

I am able, as user www-data, to create the mentioned iptables rule by hand via sudo, but it's not possible from apache/mod-evasive :-(

Let me know.

Thanks,
Werner
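As an added diagnostic (my example, not part of Werner's report): sudo prints "must be setuid root" when geteuid() is still non-zero after exec, i.e. when the kernel did not honour the setuid bit. This POSIX sh script reports the usual reasons for that (missing bit or non-root owner, nosuid mount, no_new_privs, an unprivileged tracer such as strace run as non-root). It assumes Linux with /proc mounted and a `stat` that accepts `-c`; the default path /usr/bin/sudo is taken from the report.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report: why can a setuid-root helper
# such as /usr/bin/sudo still start with geteuid() != 0 when launched from
# a service process? Linux only; needs /proc and GNU/busybox stat.

# "yes" if the file carries the setuid bit, else "no".
has_setuid_bit() {
    if [ -u "$1" ]; then echo yes; else echo no; fi
}

# Numeric uid of the file's owner (setuid only yields root if this is 0).
owner_uid() {
    stat -c '%u' "$1"
}

# Mount point of the filesystem holding the file.
fs_mount_point() {
    df -P "$1" | awk 'NR == 2 { print $6 }'
}

# "yes" if that filesystem is mounted nosuid (kernel ignores setuid bits).
mount_has_nosuid() {
    mp=$(fs_mount_point "$1")
    awk -v mp="$mp" '$2 == mp && $4 ~ /(^|,)nosuid(,|$)/ { found = 1 }
                     END { print (found ? "yes" : "no") }' /proc/mounts
}

# Value of one field in /proc/self/status, e.g. NoNewPrivs or TracerPid.
self_status_field() {
    awk -v key="$1:" '$1 == key { print $2 }' /proc/self/status
}

# Human-readable report for one helper binary.
report_setuid_helper() {
    f=$1
    [ -e "$f" ] || { echo "no such file: $f"; return 1; }
    echo "file:            $f"
    echo "setuid bit:      $(has_setuid_bit "$f")"
    echo "owner uid:       $(owner_uid "$f") (must be 0 for root)"
    echo "mount point:     $(fs_mount_point "$f")"
    echo "mounted nosuid:  $(mount_has_nosuid "$f")"
    # A process with no_new_privs set can never gain privilege via setuid.
    echo "NoNewPrivs:      $(self_status_field NoNewPrivs) (1 = setuid ignored)"
    # exec() under a tracer lacking CAP_SYS_PTRACE (e.g. strace as a normal
    # user) also runs the new image without the setuid privilege.
    echo "TracerPid:       $(self_status_field TracerPid) (non-zero = traced)"
}

report_setuid_helper "${1:-/usr/bin/sudo}" || true
```

Run it as the same user and from the same context as the failing caller (here www-data inside apache), since NoNewPrivs and TracerPid describe the calling process, not the binary.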