How to allow httpd to run 'ipfw table 7 add ... '
Eugen Konkov
kes-kes at yandex.ru
Thu Nov 29 21:03:16 UTC 2012
Здравствуйте, Steve.
Вы писали 29 ноября 2012 г., 21:38:35:
SOHS> On Wed, 28 Nov 2012 20:09:03 -0800
SOHS> Devin Teske <devin.teske at fisglobal.com> wrote:
>>
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>
>> > Hi.
>> >
>> > How to allow httpd to run this command 'ipfw table 7 add ... '?
>> >
>>
>> imho the most secure way is to add an entry to sudoers(5) (you can use visudo
SOHS> This is not very secure for this purpose - see below.
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
>>
>> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
>>
>> That will allow the apache user to do things like:
>>
>> sudo ipfw table 7 add …
SOHS> The only problem with this is it will allow apache to
SOHS> do anything with ipfw including flush all of the rules. I would
SOHS> suggest having apache dumping the parameters of the command to
SOHS> be run into a queue of some kind (named pipe perhaps or a file
SOHS> based queue if it's important to survive shutdowns) and have a
SOHS> process reading the queue, sanity checking the parameters and
SOHS> then executing the appropriate command.
maybe:
apache host=(root) NOPASSWD: /my/script/add_table.pl
apache host=(root) NOPASSWD: /my/script/del_table.pl
this will restrict apache to run only add/del tasks with table.
what do you think?
--
С уважением,
Eugen mailto:kes-kes at yandex.ru
More information about the freebsd-questions
mailing list