From a0cd7d925ea6800725b9063c6c19f61ac7fe9127 Mon Sep 17 00:00:00 2001 From: Myron Blair Date: Sun, 7 Jun 2026 16:05:15 +0000 Subject: [PATCH] Add sudo prefix for firewall cmds; sudoers rule in install.sh www-data needs root to run ufw and fail2ban-client. Added sudo prefix in fw_exec() and a /etc/sudoers.d/novacpx-firewall file (NOPASSWD for specific firewall commands only). install.sh now creates this file on fresh installs. Co-Authored-By: Claude Sonnet 4.6 --- install.sh | 13 +++++++++++++ panel/api/endpoints/firewall.php | 4 +++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/install.sh b/install.sh index f02a8d6..c02ea7e 100644 --- a/install.sh +++ b/install.sh @@ -584,6 +584,19 @@ systemctl enable fail2ban >> "$LOG" 2>&1 systemctl restart fail2ban >> "$LOG" 2>&1 log "Fail2Ban configured" +# ── Sudoers for NovaCPX panel (www-data needs root for firewall/opendkim) ──── +cat > /etc/sudoers.d/novacpx-firewall < /etc/cron.d/novacpx <&1'); return trim($out ?: ''); } @@ -310,7 +312,7 @@ switch ($action) { // ── Fail2Ban: restart ───────────────────────────────────────────────── case 'f2b-restart': - $out = fw_exec('systemctl restart fail2ban 2>&1'); + $out = fw_exec('sudo systemctl restart fail2ban 2>&1'); audit('firewall.f2b-restart', 'fail2ban'); Response::success(['output' => $out], 'Fail2Ban restarted'); break;
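Review bot: The sudoers drop-in is written straight into place with `cat > /etc/sudoers.d/novacpx-firewall`, so a syntax slip in the heredoc takes effect immediately and can leave sudo unusable on the host. The heredoc body and the lines after it are not legible on this page, so this may already be handled. If it is not, write to a temporary file and install it only after validation, e.g. `visudo -cf "$tmp" && install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/novacpx-firewall`. The section comment also names opendkim while the commit message promises firewall commands only, so confirm that every entry is an absolute path with fixed arguments and no wildcards that would let www-data pass extra arguments as root.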
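Review bot: In the `f2b-restart` case, the literal `sudo` in `fw_exec('sudo systemctl restart fail2ban 2>&1')` looks like it doubles the prefix that, per the commit message, fw_exec() now adds itself. The body of fw_exec() is not legible on this page, so this is inferred; if the helper prepends unconditionally, the command becomes `sudo sudo systemctl …`, which a command-specific NOPASSWD rule will not match. Either keep the call as `fw_exec('systemctl restart fail2ban')` or have the helper skip commands that already start with `sudo`, and use `sudo -n` there so a missing rule fails at once rather than waiting on a password prompt. The commit message lists only ufw and fail2ban-client as needing root, so also confirm the sudoers file has an exact entry for `systemctl restart fail2ban`. The switch statement continues outside the hunk.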