How to allow httpd to run 'ipfw table 7 add ... '

Steve O'Hara-Smith steve at sohara.org
Fri Nov 30 10:32:57 UTC 2012


On Thu, 29 Nov 2012 23:03:08 +0200
Eugen Konkov <kes-kes at yandex.ru> wrote:

> Hello, Steve.

> SOHS>         The only problem with this is it will allow apache to
> SOHS> do anything with ipfw including flush all of the rules. I would
> SOHS> suggest having apache dump the parameters of the command to
> SOHS> be run into a queue of some kind (named pipe perhaps or a file
> SOHS> based queue if it's important to survive shutdowns) and have a
> SOHS> process reading the queue, sanity checking the parameters and
> SOHS> then executing the appropriate command.
> 
> maybe:
> apache host=(root) NOPASSWD: /my/script/add_table.pl
> apache host=(root) NOPASSWD: /my/script/del_table.pl
> 
> this will restrict apache to run only add/del tasks with table.
> what do you think?

	That also works. I have a slight preference for queue based approaches but that's just me really.

-- 
Steve O'Hara-Smith <steve at sohara.org>
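
Added example, not part of the original messages: a sketch of the queue-reader approach described above, in which a root-owned process sanity-checks each request before it reaches ipfw. The request format ("add ADDR" / "del ADDR"), the QUEUE_FIFO and IPFW_CMD variables and the function names are assumptions for illustration; table 7 comes from the thread subject.

```sh
#!/bin/sh
# Root-side queue worker: accepts only "add ADDR[/LEN]" or "del ADDR[/LEN]".
# Assumptions (not from the thread): request format, QUEUE_FIFO, IPFW_CMD override.
TABLE=7                               # table number from the thread subject
IPFW_CMD=${IPFW_CMD:-/sbin/ipfw}

# valid_ipv4 ADDR[/LEN]: succeed only for a strict dotted quad, optional prefix 0-32.
valid_ipv4() {
    addr=${1%%/*}
    case $1 in */*) len=${1#*/} ;; *) len=32 ;; esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "${#len}" -le 2 ] && [ "$len" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac      # no leading zeros (octal ambiguity)
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# request_to_cmd LINE: print the ipfw command for a valid request, else fail.
request_to_cmd() {
    set -f; set -- $1; set +f         # split untrusted text without globbing
    [ $# -eq 2 ] || return 1
    case $1 in
        add) action=add ;;
        del) action=delete ;;
        *)   return 1 ;;              # flush, list, anything else: refused
    esac
    valid_ipv4 "$2" || return 1
    printf '%s table %s %s %s\n' "$IPFW_CMD" "$TABLE" "$action" "$2"
}

# process_queue: read requests from stdin, run accepted ones, note the rest.
process_queue() {
    while IFS= read -r line; do
        if cmd=$(request_to_cmd "$line"); then
            $cmd || echo "ipfw failed: $cmd" >&2  # $cmd holds validated words only
        else
            echo "rejected request" >&2
        fi
    done
}

# Worker mode only when a queue path is supplied in the environment.
if [ -n "${QUEUE_FIFO:-}" ]; then
    while :; do process_queue < "$QUEUE_FIFO"; done
fi
```

The same validation functions could sit inside the sudo-invoked add/del wrapper scripts from the quoted reply, since either design is only as restrictive as its argument checking.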

