Re: Re[2]: How to allow httpd to run 'ipfw table 7 add ... '
On Thu, 29 Nov 2012 23:03:08 +0200 Eugen Konkov <kes-...@yandex.ru> wrote:

> Hello, Steve.
>
> SOHS> The only problem with this is it will allow apache to do anything
> SOHS> with ipfw including flush all of the rules. I would suggest having
> SOHS> apache dumping the parameters of the command to be run into a queue
> SOHS> of some kind (named pipe perhaps or a file based queue if it's
> SOHS> important to survive shutdowns) and have a process reading the
> SOHS> queue, sanity checking the parameters and then executing the
> SOHS> appropriate command.
>
> Maybe:
>
>   apache host=(root) NOPASSWD: /my/script/add_table.pl
>   apache host=(root) NOPASSWD: /my/script/del_table.pl
>
> This will restrict apache to running only the add/del tasks on the table.
> What do you think?

That also works. I have a slight preference for queue based approaches, but that's just me really.

-- 
Steve O'Hara-Smith st...@sohara.org
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
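The "sanity checking the parameters" step that Steve asks for and the add_table wrapper that Eugen proposes, written out as one POSIX sh script. This is an added example for this thread, not code posted by either of them, and it is sh rather than the Perl suggested above. Assumptions that the thread does not state: the table number is fixed at 7, ipfw is /sbin/ipfw, the only thing the web server may supply is one IPv4 address or CIDR prefix, and the matching sudoers path /usr/local/sbin/add_table.sh is hypothetical. The validation functions are kept separate from the exec so they can be run on a machine without ipfw.

```shell
#!/bin/sh
# add_table.sh: restricted wrapper so the web server user can add ONE
# IPv4 host or prefix to ONE ipfw table, and nothing else.
# Added example for this thread; not anyone's posted code.
# Assumptions (mine, not stated in the thread): table number 7, ipfw at
# /sbin/ipfw, entries are IPv4 addresses or CIDR prefixes.
# Matching sudoers line (hypothetical path):
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/add_table.sh
# Install root-owned, mode 0755: if www can edit this file, www is root.

PATH=/sbin:/bin:/usr/sbin:/usr/bin    # never trust the caller's PATH
IPFW=/sbin/ipfw                       # hard-coded, not read from the environment
TABLE=7                               # hard-coded: the caller cannot pick the table

# valid_ipv4 ADDR: succeed only for a dotted quad, each octet 0-255, no
# leading zeros, no other characters (so no spaces, ';', '-q', ...).
# The body is a subshell so changing IFS and the positional parameters
# cannot leak out; inside it, 'exit' only leaves the subshell.
valid_ipv4() (
    case "$1" in
        ''|*[!0-9.]*) exit 1 ;;
    esac
    IFS=.
    set -- $1                          # split on '.' into $1..$n
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case "$octet" in
            ''|0[0-9]*) exit 1 ;;      # empty field ("1..2.3") or leading zero
        esac
        [ ${#octet} -le 3 ] || exit 1
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# valid_entry ENTRY: ADDR or ADDR/PREFIX with PREFIX 0-32.
valid_entry() {
    entry_addr=${1%/*}
    if [ "$entry_addr" = "$1" ]; then
        valid_ipv4 "$1"
        return
    fi
    entry_plen=${1#*/}
    case "$entry_plen" in
        ''|*[!0-9]*|0[0-9]*) return 1 ;;
    esac
    [ ${#entry_plen} -le 2 ] || return 1
    [ "$entry_plen" -le 32 ] || return 1
    valid_ipv4 "$entry_addr"
}

# add_table_cmd ENTRY: print the exact command line that would run, or
# print nothing and fail. Lets the policy be checked without ipfw present.
add_table_cmd() {
    valid_entry "$1" || return 1
    printf '%s table %s add %s\n' "$IPFW" "$TABLE" "$1"
}

# Entry point: sudo hands us argv untouched. Exactly one argument, validated,
# then exec ipfw with fixed words; nothing from the caller ever reaches a shell.
# With no arguments the script only defines the functions above.
if [ $# -gt 0 ]; then
    if [ $# -ne 1 ] || ! valid_entry "$1"; then
        echo "add_table: rejected argument" >&2
        exit 2
    fi
    exec "$IPFW" table "$TABLE" add "$1"
fi
```

A del_table.sh is the same script with `add` replaced by `delete`. The point of hard-coding `table`, `$TABLE` and `add` in the exec line is that even a valid-looking argument can only ever become one address in one table; the flush Steve worries about is not reachable.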
How to allow httpd to run 'ipfw table 7 add ... '
Hi. How do I allow httpd to run this command: 'ipfw table 7 add ... '?

-- 
Eugen mailto:kes-...@yandex.ru
Re: How to allow httpd to run 'ipfw table 7 add ... '
On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:

> Hi. How do I allow httpd to run this command: 'ipfw table 7 add ... '?

IMHO the most secure way is to add an entry to sudoers(5) (you can use visudo(8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here; check your httpd.conf for User) to execute that specific command without a password. The entry might look something like this:

  apache ALL=(ALL) NOPASSWD: /sbin/ipfw

That will allow the apache user to do things like:

  sudo ipfw table 7 add …

because sudo will allow password-less privilege escalation to root (but only for ipfw, nothing else, for security reasons naturally).

-- 
Devin
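As an added example, not part of any message in this thread: the entry above placed beside the narrower forms that the later replies converge on, so the difference in what apache can do is visible in the sudoers syntax itself. The wrapper paths are hypothetical; the host field is ALL (any host), and the wrappers are assumed to be root-owned and to validate their single argument before running ipfw.

```sudoers
# Permissive entry (the one in the reply above): any ipfw argument is
# accepted, including "flush", and the (ALL) runas list lets apache run
# ipfw as any user, not only root.
apache ALL=(ALL) NOPASSWD: /sbin/ipfw

# Tempting narrower form. sudoers matches command arguments as a single
# space-separated string, so '*' can match across several words and extra
# words are still handed to ipfw. Left commented out on purpose.
# apache ALL=(root) NOPASSWD: /sbin/ipfw table 7 add *

# Preferred: root is the only target user and the only commands are two
# root-owned wrappers (hypothetical paths) that check their one argument
# and then exec ipfw with fixed words. The flush case is unreachable.
apache ALL=(root) NOPASSWD: /usr/local/sbin/add_table.sh, /usr/local/sbin/del_table.sh
```

Edit this with visudo(8) as the reply says; it refuses to save a file with a syntax error, which matters for an entry that grants root.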