On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
> Hi.
>
> How to allow httpd to run this command 'ipfw table 7 add ... '?
>
imho the most secure way is to add an entry to sudoers(5) (you can use
visudo(8) to edit sudoers(5)) allowing the apache privilege-separation user
(www? we use apache here -- check your httpd.conf for "User") to execute that
specific command without a password. The entry might look something like this:
apache ALL=(ALL) NOPASSWD: /sbin/ipfw
That will allow the apache user to do things like:
sudo ipfw table 7 add …
because sudo will allow password-less privilege escalation to root (but only
for ipfw, nothing else, for security reasons naturally).
--
Devin
_____________
The information contained in this message is proprietary and/or confidential.
If you are not the intended recipient, please: (i) delete the message and all
copies; (ii) do not disclose, distribute or use the message in any manner; and
(iii) notify the sender immediately. In addition, please be aware that any
message addressed to our domain is subject to archiving and review by persons
other than the intended recipient. Thank you.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
