How to allow httpd to run 'ipfw table 7 add ... '
Devin Teske
devin.teske at fisglobal.com
Thu Nov 29 21:12:22 UTC 2012
On Nov 29, 2012, at 11:38 AM, Steve O'Hara-Smith wrote:
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske at fisglobal.com> wrote:
>
>>
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>
>>> Hi.
>>>
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>
>>
>> imho the most secure way is to add an entry to sudoers(5) (you can use visudo
>
> This is not very secure for this purpose - see below.
>
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
>>
>> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
>>
>> That will allow the apache user to do things like:
>>
>> sudo ipfw table 7 add …
>
> The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.
>
So create a wrapper and only allow access to the wrapper.
Alternatively, you could research FoxT (previously known as BoKS), which allows you to not only lock down which commands can be executed by which arguments are passable.
That being said, I think a wrapper is the simpler approach. It might look something like this:
=== FILE: apache_ipfw.sh ===
#!/bin/sh
# args sent direct to ipfw, so we must check args
case "$1" in
table) : fall thru ;;
*) exit 1
esac
sudo ipfw "$@"
=== END FILE ===
--
Devin
> From: Steve O'Hara-Smith <steve at sohara.org>
> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
> Date: November 28, 2012 11:37:49 PM PST
> To: Devin Teske <dteske at freebsd.org>
> Cc: Devin Teske <devin.teske at fisglobal.com>, Eugen Konkov <kes-kes at yandex.ru>, FreeBSD Questions <freebsd-questions at freebsd.org>
>
>
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske at fisglobal.com> wrote:
>
>>
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>
>>> Hi.
>>>
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>
>>
>> imho the most secure way is to add an entry to sudoers(5) (you can use visudo
>
> This is not very secure for this purpose - see below.
>
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
>>
>> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
>>
>> That will allow the apache user to do things like:
>>
>> sudo ipfw table 7 add …
>
> The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.
>
> --
> Steve O'Hara-Smith <steve at sohara.org>
>
>
>
> From: Steve O'Hara-Smith <steve at sohara.org>
> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
> Date: November 29, 2012 11:33:28 AM PST
> To: Devin Teske <dteske at freebsd.org>
> Cc: Devin Teske <devin.teske at fisglobal.com>, Eugen Konkov <kes-kes at yandex.ru>, FreeBSD Questions <freebsd-questions at freebsd.org>
>
>
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske at fisglobal.com> wrote:
>
>>
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>
>>> Hi.
>>>
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>
>>
>> imho the most secure way is to add an entry to sudoers(5) (you can use visudo
>
> This is not very secure for this purpose - see below.
>
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
>>
>> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
>>
>> That will allow the apache user to do things like:
>>
>> sudo ipfw table 7 add …
>
> The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.
>
> --
> Steve O'Hara-Smith <steve at sohara.org>
>
> From: Steve O'Hara-Smith <steve at sohara.org>
> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
> Date: November 28, 2012 11:37:49 PM PST
> To: Devin Teske <dteske at freebsd.org>
> Cc: Devin Teske <devin.teske at fisglobal.com>, Eugen Konkov <kes-kes at yandex.ru>, FreeBSD Questions <freebsd-questions at freebsd.org>
>
>
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske at fisglobal.com> wrote:
>
>>
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>
>>> Hi.
>>>
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>
>>
>> imho the most secure way is to add an entry to sudoers(5) (you can use visudo
>
> This is not very secure for this purpose - see below.
>
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
>>
>> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
>>
>> That will allow the apache user to do things like:
>>
>> sudo ipfw table 7 add …
>
> The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.
>
> --
> Steve O'Hara-Smith <steve at sohara.org>
>
>
>
>
>
> From: Steve O'Hara-Smith <steve at sohara.org>
> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
> Date: November 29, 2012 11:36:09 AM PST
> To: Devin Teske <dteske at freebsd.org>
> Cc: Devin Teske <devin.teske at fisglobal.com>, Eugen Konkov <kes-kes at yandex.ru>, FreeBSD Questions <freebsd-questions at freebsd.org>
>
>
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske at fisglobal.com> wrote:
>
>>
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>
>>> Hi.
>>>
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>
>>
>> imho the most secure way is to add an entry to sudoers(5) (you can use visudo
>
> This is not very secure for this purpose - see below.
>
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
>>
>> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
>>
>> That will allow the apache user to do things like:
>>
>> sudo ipfw table 7 add …
>
> The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.
>
> --
> Steve O'Hara-Smith <steve at sohara.org>
>
> From: Steve O'Hara-Smith <steve at sohara.org>
> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
> Date: November 28, 2012 11:37:49 PM PST
> To: Devin Teske <dteske at freebsd.org>
> Cc: Devin Teske <devin.teske at fisglobal.com>, Eugen Konkov <kes-kes at yandex.ru>, FreeBSD Questions <freebsd-questions at freebsd.org>
>
>
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske at fisglobal.com> wrote:
>
>>
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>
>>> Hi.
>>>
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>
>>
>> imho the most secure way is to add an entry to sudoers(5) (you can use visudo
>
> This is not very secure for this purpose - see below.
>
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
>>
>> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
>>
>> That will allow the apache user to do things like:
>>
>> sudo ipfw table 7 add …
>
> The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.
>
> --
> Steve O'Hara-Smith <steve at sohara.org>
>
>
>
> From: Steve O'Hara-Smith <steve at sohara.org>
> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
> Date: November 29, 2012 11:33:28 AM PST
> To: Devin Teske <dteske at freebsd.org>
> Cc: Devin Teske <devin.teske at fisglobal.com>, Eugen Konkov <kes-kes at yandex.ru>, FreeBSD Questions <freebsd-questions at freebsd.org>
>
>
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske at fisglobal.com> wrote:
>
>>
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>
>>> Hi.
>>>
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>
>>
>> imho the most secure way is to add an entry to sudoers(5) (you can use visudo
>
> This is not very secure for this purpose - see below.
>
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
>>
>> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
>>
>> That will allow the apache user to do things like:
>>
>> sudo ipfw table 7 add …
>
> The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.
>
> --
> Steve O'Hara-Smith <steve at sohara.org>
>
> From: Steve O'Hara-Smith <steve at sohara.org>
> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
> Date: November 28, 2012 11:37:49 PM PST
> To: Devin Teske <dteske at freebsd.org>
> Cc: Devin Teske <devin.teske at fisglobal.com>, Eugen Konkov <kes-kes at yandex.ru>, FreeBSD Questions <freebsd-questions at freebsd.org>
>
>
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske at fisglobal.com> wrote:
>
>>
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>
>>> Hi.
>>>
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>
>>
>> imho the most secure way is to add an entry to sudoers(5) (you can use visudo
>
> This is not very secure for this purpose - see below.
>
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
>>
>> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
>>
>> That will allow the apache user to do things like:
>>
>> sudo ipfw table 7 add …
>
> The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.
>
> --
> Steve O'Hara-Smith <steve at sohara.org>
>
>
>
>
>
>
_____________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
More information about the freebsd-questions
mailing list