PHP to execute sudo command

[Govo]

Hi Folks

Working on a little project for dansguardian and squid3, mostly dansguardian,  but have ran into a problem,  is there away for PHP to execute sudo command.

I need to execute  /etc/init.d/dansguardian restart using PHP, I have seen the command in some php files in lmce-admin, but I just  can't get it to work. do I need to include some files belonging to LMCE?

Once I get pass this part my project will rolling, here is a quick video of what I have achieved so far

https://www.dropbox.com/sh/b4kwchpa153e6sr/AADbS964eH9DpuBLFCEKSON6a?dl=0

I have made some changes since this video..etc added in a delete button to remove blocked sites.

Any help would be great,
Govo

[Marie.O]

sudo isn't allowed from php for everything.

Look at /etc/sudoers to understand what is possible, and what is not. In general, it makes sense to put a bash script into a well known place and use that for whatever is needed.

[Govo]

Ah spot on, done some research last night and got it to work, just need to figure out why the page returns an error of no response back from server.

other than that, the project goes. on.

I can now update  blocked sites, added exceptional Ip address and allow  exceptional file types such as .mp3 .zip.

Thanks for the advice Posde much appreciated

Gov.

[Marie.O]

yvw - thanks for working on LinuxMCE

[phenigma]

fyi all, we're in the AgoControl section here.  But just wanted to add that in LinuxMCE apache will permit script execution from the /usr/pluto/bin directory.  Put your scripts there and they will be executable from php under apache.

J.

[Govo]

Hi Posde & Phenigma

Thanks for the replies.

The problem wasn't the PHP script, you had to allow access in the visudo  ( Posde thanks for pointing me in right the direction ), according to a topic on the the internet the permission is


# Cmnd alias specification
Cmnd_Alias DANSGUARDIAN = /etc/init.d/dansguardian, /usr/sbin/dansguardian

# User privilege specification
root ALL=(ALL) ALL
www-data ALL=NOPASSWD: DANSGUARDIAN
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%www-data ALL=NOPASSWD: DANSGUARDIAN

This allowed PHP to executed the command to restart DansGuardian.

You can see it working in this quick video, to get around the error of no response received from the server after submitting the command,  I put in a 10 second delay, and  then a finish button to bring you back home.

https://www.dropbox.com/s/mv2m300lhf0rjf8/videoclip2%20DansGuardian%20restart.mp4?dl=0


In order for the PHP scripts to work,  visudo has to be edited with the above code, writes access given to the dansguardian LISTS folder.

I have written a  PHP script to check if the database exists, if not, create the database and import the tables.

Here's a short video of it creating the database and then importing the sql file

https://www.dropbox.com/s/vh83kyopg86sxkl/databaseimportandcreate.mp4?dl=0

I am working on this as a plugin, it has its own folder inside  the /var/www/lmce-admin, this allows me to move it to any version of LMCE, the only cache is, DansGuardian and squid3 have to be installed first and some editing done to the IP-tables.


On that note, thanks for the replies I will keep you posted!


Gov.

[phenigma]

Govo this *REALLY* awesome stuff!  The current proxy/filter menu items are hidden if the lmce packages are not installed.  Alblasco has been working on the firewall stuff and has some things prepared but I'm not sure how much.  It'd be really great if you could get together with him in IRC and work out any remaining issues

I know next to nothing about iptables but let me know if I can help in the install/packaging department to bring this to everyone! 

Thanks for working on LinuxMCE btw!!

J.

[Govo]

Hi phenigma

No problem at all, I will try and hook up in IRC, it would great if the LMCE users went this, I am offer this for free when I am finish.

What I got done to day is added in the categories to database  and then allow them to be enabled through buttons,  tomorrow I will finish this section off so that it updates the DSG. this was  huge file to get in!

Check this short video clip.

https://www.dropbox.com/s/fdu4cakckxp5hrx/categories.mp4?dl=0

I have also found away to disable filtering and enable it again, but it brings me back visudo to get the command to executed, I go at that tomorrow.

Time to call it night for now  !


Cheers Gov

[Govo]

Hi Folks

First, I would like to say to Alblasco well done on working on the web-filter and proxy, I had a look at your php scripts and to be honest, they are way to complicated for my PHP skills, but great work tough,  I really need to understand global php verbs.!

I have done great progress in my own project, have fully understood how to execute  sudo commands in PHP, Phenigma, /usr/pluto/bin  is the correct place for .sh files, thanks for the advice.

On that Note..let me get to were  it is.

I can now disable & enable categories .ie blacklist folder,  I can disable and enable the filtering on & off for the system at the click of button, great for when you are web designing and stuff.

So the project is going so good,  with a click of a button I can

Blocked & delete websites 
Add & delete exception IP address
Add & delete exceptional file types
Add & delete  allowed websites
Enabled & disable Categories  .ie blacklist

Check out the this short video clip to  see it in action. https://www.dropbox.com/s/scxmtf8datd2t1m/enable%20and%20disable%20filters%20%20plus%20categories.mp4?dl=0


In the video I didn't update DansGurdian on the categories section as some of the blacklist files are missing, and in return DansGurdian won't restart as it cannot include the files.

I have updated the blacklist folder from the below url  this even and after extracting more files and folders  are missing.
http://urlblacklist.com/cgi-bin/commercialdownload.pl?type=download&file=bigblacklist

When testing this morning I was only missing the below list , but after updating some of them are back and some of them are gone.

Adult
childcare
forums
Publicite
redirector
ringtones
Violence
virus Infected

So if anyone has a full list/backup please zip it and give me a link to download them so I can fully test it, I would be great full.


To do
Allow time access
Import MD IP address to the exception IP address from the pluto_main database.
Create an Android app for access to the site, for now the browser works well
Add login and password box.

Overall its going good and thanks for reading ...!

Gov

[Govo]

Hi Folks

Just given a quick update.

In the video I didn't update DansGurdian on the categories section as some of the blacklist files are missing, and in return DansGurdian won't restart as it cannot include the files.

I have updated the blacklist folder from the below url  this even and after extracting more files and folders  are missing.
http://urlblacklist.com/cgi-bin/commercialdownload.pl?type=download&file=bigblacklist

Update,  I have put in check  to see if the folder exist, if the folder doesn't highlight in RED warning else give a green tick that every is OK to enable

see screen shot here https://www.dropbox.com/s/3dolzlwtweh6520/category%20warning%20.png?dl=0

Update 2
I have now added in a new section to add categories to the database, so if you are updating from http://urlblacklist.com ensure to check their live list taken from the category description file in the last build of the blacklist, if you missing some just add the name  of  the one missing, it will create it and save it as disabled by default.

screen shot here  https://www.dropbox.com/s/5er1oao9k8sv4rc/addcategory.png?dl=0


Update 3

Import MD IP address to the exception IP address from the pluto_main database.

I have now got this to import MD IP address on first setup.



Cheers
Gov!

[Govo]

Sneak preview of DansGuardian config file,  https://www.dropbox.com/s/ve728b7qvlfyefs/dnsg%20config%20file.mp4?dl=0

You will be able to update the configuration file in a nice rich PHP format, instead of having use  VI OR Nano  the terminal.

Cheers
Gov!

[Govo]

Hi Folks

I need a big  help Please
 
I have hit a brick wall with this project. I have spent 10 hours googling and try difference access types but have failed to understand why the exception IP List does not  execute.

Basically, the Exception IP file updates with the correct IP address and DNG restarts no errors, but if you visit the blocked website  you have no access even if you are in the exception list.

These are the options I have tried

sudo apt-get remove dansguardian --purge

reinstalled
sudo apt-get install dansguardian

Edited nano /etc/dansguardian/dansguardian.conf

Restarted, added a domain to block via nano under sudo, restarted, domain blocked, edit the exception ip list via nano under sudo, restarted  website allow.

On clean install it works, but if I run my php scripts it creates the file perfectly, but DNG does execute it.

So I decided to  add www-data to sudo group  as the files are owned by root and then made a change using chown www-data:root /etc/dansguardian/lists/exceptioniplist

restart, website still blocked. everything else works fine so far.

So I purge again for 100 hundred time,  this time  I told the dansguardian.conf to pull from /var/www/lmce-admin/dansguardian/exceptioniplist. restarted still blocked.

So I  cp  -r /etc/dansguardian/lists/exceptioniplist /var/www/lmce-admin/dansguardian restarted and it worked.

It seems to be a permission error, if you cp the from /etc/ the permissions are copied across to the /var  allowing the file to be execute.

I  have even tried  adding  it to the sudoers

%sudo ALL=NOPASSWD: /etc/dansguardian/lists/*
%www-data ALL=(root) NOPASSWD: /etc/dansguardian/lists/*

Still no Joy.

Maybe I am doing something,,,, Any help would be great as the wife is doing her nut in with no access to certain sites.

Once this  has the correct file permissions then I can move on.

So Please  Please help!   


Cheers
Gov!

[Marie.O]

Did you compares the rights and ownership information of the files that worked and that do not work?

[Govo]

Hi Posde

Current file permissions shows  http://pastebin.com/HEz97MuQ  and when changed to  www-data for /etc/dansguardian/lists shown here http://pastebin.com/cFvWFDT0

the files get the same write permissions as root, if change www-data for /etc/dansguardian/lists/* all files have the same write permissions.

Even if you  change  it back to chown root:root /etc/dansguardian/lists/* and edit the file via nano and restart, the list does not execute.

Because you have made changes you can't undo  unless you --purge it from the system.


It's head wrecking, checking the file permissions  on the  files that worked, under Bitvise SSH, I see  they have a group ID 0 & owner ID 0 and are set to 644.

I cannot understand why DNG won't allow this file to be executed when written by www-data, www-data is in the same group as root, them only difference I see is the owner ID is 33  not  0

But as stated above, if you change it back it still doesn't work, crazy tough that the bannedsitelist executes without any issues.

Please advise if I am checking the commands right

compgen -u (shows list of users)
compgen -g (shows list of groups)
ls -la  (shows current owner of directory and file permissions)
getent group www-data (returns the below in bold)
www-data:x:33:gov,root

Is there something I am missing


Cheers
Gov!

[Marie.O]

Did you check the syslog files or other files, if DansGuardian actually tells you what's wrong?