Running tcpdump from web page

Hi everyone, I am trying to do a simple pcap from a web page and am not having success.

Using visudo, I have added the following 2 lines at the end

www-data ALL=(testuser)  NOPASSWD: /usr/sbin/*tcpdump*
testuser ALL= NOPASSWD: /usr/sbin/tcpdump*

My PHP page contains

echo "Current user is: " . get_current_user()."<br>";
echo exec('sudo -u testuser timeout 5 tcpdump -w /var/www/html/temp/testing.pcap');

When I run this from the web page, the Current user comes back as www-data but it does not capture. It complains about not having permissions.

When I run the same php page from command line, the capture is good and I do not have to enter any root password.

This is on an Ubuntu Server 18 system using PHP 7.x.

But when you run it from command line, are you running it from the www-data user? My guess is that you are using some kind of user or root account. Does www-data have access to /var/www/html/temp/testing.pcap and is it capturing to a directory that also has write permission for www-data?

Try logging in as www-data and see if you can write to the places your capture needs to write to. It sounds like a simple permissions issue to me.


or sudoing as, anyway.

I’m not 100% sure that sudoers file looks right… the spacing concerns me, as does testuser’s lack of a runas.

But when you run it from command line, are you running it from the www-data user?

No, I am logged in as testuser.

Does www-data have access to /var/www/html/temp/testing.pcap and is it capturing to a directory that also has write permission for www-data?

Yes, www-data has write permissions to that folder. I can create and edit files within that folder from web pages.

Try logging in as www-data

I don't know what the default password would be. Apache is the one that assigns username www-data but I can't find what the default password is.

I’m not 100% sure that sudoers file looks right

Thanks. I fixed the spacing but still have the same problem.

The reason why I use the line
www-data ALL=(testuser) NOPASSWD: /usr/sbin/*tcpdump*
is to have user www-data run as testuser, but this is not working from the webpage.

Or maybe there is another method to run tcpdump from a web page?

Not generally, because running programs from a web interface is an open invitation to DDoS your server (“You mean I can make your computer do a command at whim by opening a webpage? What if I open 100,000 webpages all at once?”). But I digress.

Random Google searches did turn up a comment to make sure you don’t have a requiretty directive in the sudoers file…

Is your server error log saying anything?

Just complaining about lack of permissions for user www-data.

I will check to see if running this as a cronjob with specifying a user in crontab would work.

Here’s what I did to make it work under Ubuntu 18:

Edit visudo and change
%sudo ALL=(ALL:ALL)

to
%sudo ALL=(ALL:ALL) NOPASSWD: ALL

PHP script should be
exec('sudo timeout 5 tcpdump -w /var/www/html/temp/test.pcap');
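
The thread goes from a wildcard rule for www-data to `NOPASSWD: ALL` for the whole sudo group. As an added example (not part of any post above and not a tool shipped with sudo), this shell function lints passwordless sudoers rules and reports how much each one grants; the function names, the verdict labels and the last two sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint passwordless sudoers rules.
# Simplifications: one rule per line, no aliases, no backslash-escaped commas.

lint_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ { next }  # comments, blanks, Defaults
    {
        eq = index($0, "=")
        if (eq == 0 || $0 !~ /NOPASSWD:/) next       # only rules usable without a password
        who = $1
        spec = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)/, "", spec)            # drop the (runas) list
        sub(/^[ \t]*NOPASSWD:[ \t]*/, "", spec)      # drop the tag
        n = split(spec, cmds, /[ \t]*,[ \t]*/)       # a rule may list several commands
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            sub(/^[ \t]+/, "", c); sub(/[ \t]+$/, "", c)
            sp = match(c, /[ \t]/)                   # 0 when the command has no arguments
            path = sp ? substr(c, 1, sp - 1) : c
            if (path == "ALL")        verdict = "HIGH any-command"
            else if (path ~ /[*?]/)   verdict = "MEDIUM wildcard-in-path"
            else if (!sp)             verdict = "MEDIUM args-not-pinned"
            else if (c ~ /[*?]/)      verdict = "MEDIUM wildcard-in-args"
            else                      verdict = "OK pinned"
            print verdict ": " who " -> " c
        }
    }'
}

# The three rules quoted in the thread, then two constructed rules for contrast.
sample_rules() {
    cat <<'EOF'
www-data ALL=(testuser)  NOPASSWD: /usr/sbin/*tcpdump*
testuser ALL= NOPASSWD: /usr/sbin/tcpdump*
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
www-data ALL=(root) NOPASSWD: /usr/sbin/tcpdump
www-data ALL=(root) NOPASSWD: /usr/sbin/tcpdump -w /var/www/html/temp/testing.pcap
EOF
}

sample_rules | lint_sudoers
```

In sudoers, a command listed without arguments may be run with any arguments, which is why the fourth sample rule is flagged even though its path is exact.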