Reputation: 60
I'm trying to start a bash script later in PHP so I allowed it in visudo.
www-data ALL = (root) NOPASSWD: /sbin/iptables
www-data ALL = (root) NOPASSWD: /usr/bin/at
The script removeuserIP is just doing sudo iptables ... and is working:
#!/bin/bash
# $1 is the client address to unblock; quoted so it is passed as one argument
sudo iptables -t nat -D PREROUTING -s "$1" -j ACCEPT
sudo iptables -D FORWARD -s "$1" -j ACCEPT
and in the PHP code, I put this line:
// $ipaddress is single-quoted by escapeshellarg() so it cannot inject into the sh -c command line
$msg = exec("echo /var/www/scripts/removeuserIP " . escapeshellarg($ipaddress) . " | at now + 1 minutes");
but the issue is that it starts the script right now. I checked /var/log/auth.log
and indeed, the command is run right now.
I tried it directly in a terminal and there was no issue; it starts later (with an argument, of course):
echo /var/www/scripts/removeuserIP $ipaddress | at now + 1 minutes
I also tried it like this in a terminal, but this one doesn't work either because it doesn't understand that there is an argument for the file:
sudo at now +1 minutes -f /var/www/scripts/removeuserIP 172.24.1.115
I really don't understand why it starts right now when it should start 1 minute later.
Upvotes: 1
Views: 141
Reputation: 60
Solution: Finally, after checking /var/log/apache2/error.log, I saw that it doesn't have permission to use at.
In fact you have to go to /etc/at.deny and remove the www-data line so it can use at. There is probably a security reason why it's forbidden by default, and a better way to do this, but at least it's working.
Upvotes: 0
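An added example (not code from the question or either answer) that pulls together the three things this thread touches. First, at(1) reads the job text from standard input or from the -f file, so an argument cannot be appended after -f; it has to be part of the job text, as in the first attempt. Second, whether a user may queue jobs at all is decided by /etc/at.allow and /etc/at.deny, which is what the accepted solution changed. Third, PHP's exec() hands its string to /bin/sh, so an unescaped $ipaddress in that string is a shell injection that ends in a script allowed to run iptables as root; the only safe input is a validated IP address. The script path /var/www/scripts/removeuserIP and the user name www-data are taken from the question; the two file paths accepted by at_permitted are parameters so the check can be exercised against constructed copies of the files. One caveat on the sudoers lines in the question: the posted PHP runs at as www-data, not through sudo, so the "www-data ALL = (root) NOPASSWD: /usr/bin/at" entry is unused by this code, and since at runs whatever job text it is given, that entry lets the web user run any command as root; it is better removed.

```sh
#!/bin/sh
# Added example, not code from the question or answers. Assumes the script
# path /var/www/scripts/removeuserIP and the at.allow/at.deny semantics
# documented in at(1).

# Accept only a dotted-quad IPv4 address. This is the single value the web
# layer is allowed to hand to a script that ends up running iptables as
# root, so anything else is rejected. Returns 0 if valid, 1 otherwise.
valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip            # split on dots into the positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Decide whether a user may submit at jobs, following the rule in at(1):
# root always may; if at.allow exists, only the users listed in it may;
# otherwise every user not listed in at.deny may; if neither file exists,
# only root may. The paths default to the system files but can be
# overridden so the check can be run against test copies.
at_permitted() {
    user=$1
    allow=${2:-/etc/at.allow}
    deny=${3:-/etc/at.deny}
    [ "$user" = root ] && return 0
    if [ -f "$allow" ]; then
        grep -qx "$user" "$allow"
    elif [ -f "$deny" ]; then
        ! grep -qx "$user" "$deny"
    else
        return 1
    fi
}

# Produce the job text for at: the script plus its one validated argument,
# single-quoted so that even if validation were relaxed later the value
# could not break out of the command. Prints the line; fails on a bad address.
build_job() {
    valid_ipv4 "$1" || return 1
    printf "/var/www/scripts/removeuserIP '%s'\n" "$1"
}

# Queue the job one minute out. at reads the job from stdin, which is why
# "at -f script arg" cannot pass an argument: -f names the job body, not a
# program to run with arguments.
schedule_removal() {
    job=$(build_job "$1") || return 1
    printf '%s\n' "$job" | at now + 1 minutes
}

# Stand-alone use: report whether the web user may queue jobs, then queue
# the removal for the address given on the command line.
if [ -n "$1" ]; then
    if at_permitted www-data; then
        schedule_removal "$1"
    else
        echo "www-data is not allowed to use at; check /etc/at.allow and /etc/at.deny" >&2
        exit 1
    fi
fi
```

Run as "sh schedule.sh 172.24.1.115" (file name assumed) on the host to queue the job the way the question's PHP does; from PHP, pass the address through escapeshellarg() and let the script do the validation again, since the script is the last thing standing between web input and a root-privileged sudo rule.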
Reputation: 489
Would it be acceptable to put a time delay in the removeuserIP script?
#!/bin/bash
sleep 1m
# $1 is the client address to unblock; quoted so it is passed as one argument
sudo iptables -t nat -D PREROUTING -s "$1" -j ACCEPT
sudo iptables -D FORWARD -s "$1" -j ACCEPT
Upvotes: 0
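An added note and example on the sleep approach (not the answer's own code): PHP's exec() waits for the command it starts to exit and for that command's standard output to close, so a script that begins with sleep 1m holds the HTTP request open for the full minute. The delay has to be detached from the web process. The helper below does that with a backgrounded subshell whose standard streams are redirected; the script path is the one from the question, the wrapper file name delayed-removal.sh is assumed, and the delay is a parameter so the behaviour can be checked in seconds rather than minutes.

```sh
#!/bin/sh
# Added example, not from the answer. Assumes /var/www/scripts/removeuserIP
# from the question as the command being delayed.

# Run "$@" after $1 seconds without making the caller wait. The subshell is
# backgrounded and detached from the caller's stdin/stdout/stderr: a child
# that inherits the web server's pipes keeps PHP's exec() blocked until they
# close, which is what makes the plain "sleep 1m" version hang the request.
delayed_run() {
    delay=$1
    shift
    (
        sleep "$delay"
        "$@"
    ) </dev/null >/dev/null 2>&1 &
}

# Wrapper the PHP side would call instead of removeuserIP itself, e.g.
#   exec("/var/www/scripts/delayed-removal.sh " . escapeshellarg($ipaddress));
# (delayed-removal.sh is an assumed name). sudo for iptables stays inside
# removeuserIP, so the wrapper itself needs no privileges and no sudoers entry.
delayed_removal() {
    delayed_run 60 /var/www/scripts/removeuserIP "$1"
}

if [ -n "$1" ]; then
    delayed_removal "$1"
fi
```

The same validation of the address as in the at-based example still belongs in removeuserIP itself, since the web request remains the source of the value.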