How to allow httpd to run 'ipfw table 7 add ... '
Devin Teske
devin.teske at fisglobal.com
Thu Nov 29 04:09:06 UTC 2012
On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
> Hi.
>
> How to allow httpd to run this command 'ipfw table 7 add ... '?
>
imho the most secure way is to add an entry to sudoers(5) (you can use visudo(8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
apache ALL=(ALL) NOPASSWD: /sbin/ipfw
That will allow the apache user to do things like:
sudo ipfw table 7 add …
because sudo will allow password-less privilege escalation to root (but only for ipfw, nothing else, for security reasons naturally).
--
Devin
_____________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
More information about the freebsd-questions
mailing list