On March 25, 2016 9:00:51 PM GMT+01:00, Byron Klippert <[email protected]> wrote:
>That's it, thanks Tim.
>
>For the record I've got `permit nopass www as root cmd /sbin/pfctl' in
Unless you want the web server to have full control over pf, you really should
add the args directive to the doas rule too.
>doas.conf and the script calls `printf "`doas /sbin/pfctl -sr`"'.
Using printf like that without a format string is very bad practice. Rather,
    printf '%s' "$(doas pfctl -sr)"
With ksh however, I'd use builtins:
    print -r -- "$(doas pfctl -sr)"
both of which, by the way, are a totally pointless way of just doing
    doas pfctl -sr
>
>Seems to work.
That's a good start, but maybe shouldn't be the sole basis for considering the
task done.
/Alexander
>
>
>On Fri, Mar 25, 2016, at 12:31, Tim van der Molen wrote:
>> Byron Klippert (2016-03-25 18:37 +0100):
>> > CGI script:
>> > #!/bin/ksh
>> > printf "Content-type: text/html\n\n"
>> > printf "Hello!\n"
>> > printf "\n"
>> > printf "`doas pfctl -sr`"
>> > ^^^^
>> >
>> > doas.conf:
>> > permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
>> > permit nopass www as root cmd /sbin/pfctl
>> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> >
>> > httpd debug output:
>> > doas:
>> > Operation not permitted
>>
>> You have "/sbin/pfctl" in doas.conf, so you should do "doas /sbin/pfctl"
>> rather than "doas pfctl".
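
Added example, not part of the thread: the two points raised in the reply above (an args-restricted doas rule and a fixed printf format string) put together in one CGI script. The sample rules, the RULES_CMD variable and the function names are constructed for illustration so the script runs without pf or doas.

```sh
#!/bin/sh
# doas.conf rule limited to the single invocation the script needs:
#   permit nopass www as root cmd /sbin/pfctl args -sr
# With "args -sr", any other pfctl invocation by www is refused.

# Constructed stand-in for the output of `doas /sbin/pfctl -sr`.
# The label text is made up to contain printf metacharacters.
sample_rules() {
    cat <<'EOF'
block return in on em0 proto tcp to port 23 label "telnet %s"
pass in on em0 proto tcp to port 22 label "ssh 100%%"
EOF
}

# As in the original script: command output used as the format string,
# so "%s" and "%%" inside the rules are interpreted by printf.
render_unsafe() {
    printf "$1"
}

# Output passed as data to a fixed format string; nothing is interpreted.
render_safe() {
    printf '%s\n' "$1"
}

# CGI response. RULES_CMD (hypothetical variable) defaults to the sample;
# on the real host set it to: doas /sbin/pfctl -sr
cgi_page() {
    rules=$(${RULES_CMD:-sample_rules})
    # text/plain so that <table> names in rules are not parsed as HTML
    printf 'Content-type: text/plain\n\n'
    render_safe "$rules"
}

cgi_page
```

Calling render_unsafe on the same sample drops the "%s" and collapses "%%" to "%", so the page would show rules that differ from what pf actually loaded.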