[Openstack-operators] Horizon execute iptables shell fails by python

shashi dahal shashi.eu at gmail.com
Thu Jun 12 12:25:34 UTC 2014


Actually, my earlier suggestion of the suid will be a bit overkill for
this.

What you can do in the cmd part is insert the port and some other
information (timestamp) into some database (mysql/sqlite etc.), so that you
also have a record of it, and then run a python/shell cron or process
that watches the database and runs the iptables command for you.

Cheers,
Shashi


On Thu, Jun 12, 2014 at 12:59 PM, 苌智 <changzhi1990 at gmail.com> wrote:

> I want Horizon to execute an iptables shell command, but only the root user
> can execute the iptables command. What should I do if I want to execute the
> code as user apache rather than root? This is the code to execute the
> iptables command. Could someone give me some advice? Thanks a lot!
>
> import subprocess
> def check_output(*popenargs, **kwargs):
>     if 'stdout' in kwargs:
>         raise ValueError('stdout argument not allowed, it will be overridden.')
>     process = subprocess.Popen(stdout=subprocess.PIPE, *popenargs, **kwargs)
>     output, unused_err = process.communicate()
>     retcode = process.poll()
>     if retcode:
>         cmd = kwargs.get("args")
>         if cmd is None:
>             cmd = popenargs[0]
>         raise subprocess.CalledProcessError(retcode, cmd)
>     return output
>
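> def accept_port(port):
>     """Append ACCEPT rules for TCP `port`; return True on success."""
>     try:
>         # int() rejects anything but a number before it reaches the shell string.
>         port = int(port)
>         cmd = r"iptables -A INPUT -p tcp --dport {0} -j ACCEPT && iptables -A OUTPUT -p tcp --sport {0} -j ACCEPT".format(port)
>         check_output(cmd, shell=True)
>         return True
>     except Exception:
>         return False
>
> if __name__ == "__main__":
>     accept_port(1234)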
>


-- 


Cheers,
Sashi Dahal

http://shashi.org/
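
The database-queue approach suggested in this reply, as an added sketch that is not code from the thread: the web application only records requests, and a separate root-owned cron job or daemon validates each one and runs iptables without a shell. The table name `port_requests`, the function names, and the injectable `run` parameter are assumptions made for illustration.

```python
import sqlite3
import subprocess
import time

SCHEMA = ("CREATE TABLE IF NOT EXISTS port_requests (id INTEGER PRIMARY KEY, "
          "port INTEGER NOT NULL, requested_at REAL NOT NULL, "
          "status INTEGER NOT NULL DEFAULT 0)")  # 0 pending, 1 applied, -1 rejected

def open_queue(path):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn

def valid_port(value):
    port = int(value)  # raises ValueError for text such as "80; reboot"
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % (value,))
    return port

def request_port(conn, port):
    """Web-app side (user apache): record the request, never call iptables."""
    with conn:
        conn.execute("INSERT INTO port_requests (port, requested_at) VALUES (?, ?)",
                     (valid_port(port), time.time()))

def build_rules(port):
    """Argument lists for the two rules from the question; no shell involved."""
    p = str(valid_port(port))
    return [["iptables", "-A", "INPUT", "-p", "tcp", "--dport", p, "-j", "ACCEPT"],
            ["iptables", "-A", "OUTPUT", "-p", "tcp", "--sport", p, "-j", "ACCEPT"]]

def process_pending(conn, run=subprocess.check_call):
    """Root side (cron job or daemon): apply each pending request exactly once."""
    applied = []
    pending = conn.execute("SELECT id, port FROM port_requests "
                           "WHERE status = 0 ORDER BY id").fetchall()
    for row_id, port in pending:
        try:
            # Re-validate: the table is writable by the less trusted web app.
            for argv in build_rules(port):
                run(argv)
            status = 1
            applied.append(port)
        except (ValueError, TypeError, OSError, subprocess.CalledProcessError):
            status = -1
        with conn:
            conn.execute("UPDATE port_requests SET status = ? WHERE id = ?",
                         (status, row_id))
    return applied
```

The privileged side repeats the port validation because the queue is the trust boundary: anything that can write to the database can queue a row, so the root process must not rely on checks done by the web application.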