How to allow httpd to run 'ipfw table 7 add ... '

Steve O'Hara-Smith steve at sohara.org
Thu Nov 29 20:34:35 UTC 2012


On Wed, 28 Nov 2012 20:09:03 -0800
Devin Teske <devin.teske at fisglobal.com> wrote:

> 
> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
> 
> > Hi.
> > 
> > How to allow httpd to run this command 'ipfw table 7 add ... '?
> > 
> 
> imho the most secure way is to add an entry to sudoers(5) (you can use visudo

	This is not very secure for this purpose - see below.

> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
> 
> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
> 
> That will allow the apache user to do things like:
> 
> 	sudo ipfw table 7 add …

	The only problem with this is it will allow apache to do anything with ipfw, including flushing all of the rules. I would suggest having apache dump the parameters of the command to be run into a queue of some kind (a named pipe perhaps, or a file-based queue if it's important to survive shutdowns) and having a process read the queue, sanity-check the parameters and then execute the appropriate command.

-- 
Steve O'Hara-Smith <steve at sohara.org>
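The queue-reader approach suggested in the reply above, as an added example that is not code from anyone in the thread: httpd writes one address per line into a named pipe, and a separate privileged process validates each line and runs only the one ipfw command it is permitted to. The FIFO path and the use of Python are assumptions; table 7 comes from the original question.

```python
"""Privileged consumer for the queue described above: httpd writes one request
per line, this process (run as root, not as the www user) validates each line
and runs only the exact ipfw command it is allowed to. Added example, not from
the thread; the FIFO path is an assumption."""
import ipaddress
import subprocess

IPFW = "/sbin/ipfw"
TABLE = "7"                      # the table from the original question
QUEUE = "/var/run/ipfw-queue"    # assumed named pipe, created with mkfifo(1)


def validate_request(line: str):
    """Return the exact argv to execute, or None if the request is rejected.

    Only a single IPv4/IPv6 address or CIDR network is accepted, so nothing
    the web process writes can turn into 'ipfw flush' or any other command.
    """
    text = line.strip()
    if not text or len(text) > 64:            # refuse empty/oversized lines
        return None
    if any(c.isspace() for c in text):        # exactly one token, no extras
        return None
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None
    # Re-emit the canonical form, never the raw string httpd supplied.
    return [IPFW, "table", TABLE, "add", str(net)]


def consume(queue_path: str = QUEUE) -> None:
    """Read requests forever; each validated request runs as its own argv list
    (no shell involved), and rejected lines are logged rather than executed."""
    while True:
        with open(queue_path) as fifo:        # blocks until a writer opens it
            for line in fifo:
                argv = validate_request(line)
                if argv is None:
                    print(f"rejected request: {line.rstrip()!r}")
                    continue
                subprocess.run(argv, check=False)


if __name__ == "__main__":
    consume()
```

The www user only needs write access to the FIFO, so it never gains the ability to run ipfw itself.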