dbm wrote:

> Hi,
> 
> I need to modify the ipchains ruleset via web browser.  Is there a way to 
> do this?
> 
> I have tried creating a wrapper that is being executed by a cgi-script but 
> I got a security error from httpd log files (error_log) saying "ipchains: 
> Permission denied (you must be root)" .
> 
> I am using Redhat 7.0. - ipchains 1.3.9.
> 
> Any hint or link will be greatly appreciated.
> 
> Many thanks,
> Dennis

hint: don't. you must be root to run ipchains for a reason.

if you must do this via a webpage, have it generate the
appropriate script that you can then run later when you have
personally checked it. don't run the script via the web
server. if your web server can access root privileges on
your firewall, you might as well not bother with the
firewall. don't have the web server run as root to get
around this.

if you really, really want to do this against sane advice,
set up a secure web server on a separate host, have your cgi
script generate the script, perhaps test the script with a
dummy version of ipchains that just checks the validity of
its arguments and options and, when it's satisfied that the
script will run with the real ipchains (although you really
should audit the script properly), it places the script in a
special location. the firewall host can then scp the file
over at regular intervals to update itself. before actually
running the script, though, it should mail you for
confirmation, await your signed approval, verify the
signature and then run the script. decoupling the process
in this way will prevent bad people from changing your
firewall for you :)

raf
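One way to build the "dummy version of ipchains that just checks the validity of its arguments" raf describes, as an added example that is not part of the original thread. The accepted options and targets are an assumed, deliberately narrow subset (chains input/output/forward; -A/-I/-D; -s/-d/-p/-i/-j/-l/-y; targets ACCEPT/DENY/REJECT/MASQ), and the sample rule files are constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread: a stand-in for the "dummy ipchains"
# raf suggests. It never runs the real tool; it only checks that each line of a
# web-generated ruleset is a bare ipchains command using a deliberately narrow,
# assumed allowlist of ipchains 1.3.9 options (widen it to match your own policy).
is_addr() { printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'; }
is_port() { printf '%s' "$1" | grep -Eq '^[0-9]{1,5}(:[0-9]{1,5})?$'; }
# Check the words after "ipchains": rule edits on built-in chains only.
check_ipchains_args() {
    [ "$#" -ge 2 ] || return 1
    case "$1" in -A|-I|-D) ;; *) return 1 ;; esac          # no -F, -P, -X, -Z
    case "$2" in input|output|forward) ;; *) return 1 ;; esac
    shift 2
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -s|-d) shift; is_addr "${1:-}" || return 1        # addr[/mask] [port[:port]]
                   case "${2:-}" in [0-9]*) is_port "$2" || return 1; shift ;; esac ;;
            -p)    shift; case "${1:-}" in tcp|udp|icmp|all) ;; *) return 1 ;; esac ;;
            -i)    shift; printf '%s' "${1:-}" | grep -Eq '^[a-z0-9]+$' || return 1 ;;
            -j)    shift; case "${1:-}" in ACCEPT|DENY|REJECT|MASQ) ;; *) return 1 ;; esac ;;
            -l|-y) ;;                                        # flags that take no value
            *)     return 1 ;;
        esac
        shift
    done
}
# Validate a generated script: each non-blank, non-comment line must be an ipchains
# command made only of safe characters and must pass check_ipchains_args.
validate_ruleset() {
    file=$1; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        if printf '%s' "$line" | grep -q '[^A-Za-z0-9 ./:-]'; then
            echo "$file:$n: disallowed character" >&2; return 1
        fi
        case "$line" in 'ipchains '*) ;; *) echo "$file:$n: not ipchains" >&2; return 1 ;; esac
        set -- $line; shift                                  # safe: charset restricted above
        check_ipchains_args "$@" || { echo "$file:$n: rejected: $line" >&2; return 1; }
    done < "$file"
}
# Constructed samples: a rule a web form might emit, and one with a second command injected.
t=$(mktemp -d)
printf '# from web form\nipchains -A input -s 10.0.0.0/8 -p tcp -j DENY\n' > "$t/good.rules"
printf 'ipchains -A input -j ACCEPT; halt\n' > "$t/bad.rules"
validate_ruleset "$t/good.rules" && echo "good.rules: ok"
validate_ruleset "$t/bad.rules" || echo "bad.rules: REJECTED"
rm -r "$t"
```

Only a script that passes this check should be placed where the firewall host picks it up; the check replaces nothing in the signed-approval step raf describes.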

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]