Date: Thu, 29 Nov 2012 23:03:08 +0200
From: Eugen Konkov <kes-kes@yandex.ru>
To: Steve O'Hara-Smith <steve@sohara.org>
Cc: Devin Teske <dteske@freebsd.org>, Devin Teske <devin.teske@fisglobal.com>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re[2]: How to allow httpd to run 'ipfw table 7 add ... '
Message-ID: <312952428.20121129230308@yandex.ru>
In-Reply-To: <20121129193835.8896ea0d.steve@sohara.org>
References: <8310543741.20121129054846@yandex.ru> <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com> <20121129193835.8896ea0d.steve@sohara.org>
Hello, Steve. You wrote on 29 November 2012 at 21:38:35:

SOHS> On Wed, 28 Nov 2012 20:09:03 -0800
SOHS> Devin Teske <devin.teske@fisglobal.com> wrote:
>>
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>
>> > Hi.
>> >
>> > How to allow httpd to run this command 'ipfw table 7 add ... '?
>> >
>>
>> imho the most secure way is to add an entry to sudoers(5) (you can use visudo
SOHS> This is not very secure for this purpose - see below.
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
>>
>> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
>>
>> That will allow the apache user to do things like:
>>
>> sudo ipfw table 7 add ...
SOHS> The only problem with this is it will allow apache to
SOHS> do anything with ipfw including flush all of the rules. I would
SOHS> suggest having apache dumping the parameters of the command to
SOHS> be run into a queue of some kind (named pipe perhaps or a file
SOHS> based queue if it's important to survive shutdowns) and have a
SOHS> process reading the queue, sanity checking the parameters and
SOHS> then executing the appropriate command.

Maybe:

apache host=(root) NOPASSWD: /my/script/add_table.pl
apache host=(root) NOPASSWD: /my/script/del_table.pl

This will restrict apache to running only add/del tasks with the table.

What do you think?

--
Regards,
Eugen mailto:kes-kes@yandex.ru
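Both suggestions in this thread (Steve's queue reader and Eugen's sudo-only wrapper scripts) hinge on the same step: the privileged side must validate the parameters before anything reaches ipfw. The wrapper below is an added example, not code from the thread or from FreeBSD; the script name add_table.sh and the ALLOWED_TABLE constant are assumptions, and it accepts only a single IPv4 address or prefix for the one table the web application is allowed to touch.

```shell
#!/bin/sh
# add_table.sh (hypothetical): the only command sudoers lets the httpd user
# run as root. It takes "add|delete ADDR[/PREFIX]", validates both words and
# only then execs ipfw against one fixed table, so a compromised web process
# cannot reach "ipfw flush", other tables or arbitrary ipfw syntax.

ALLOWED_TABLE=7   # the table from the thread; the wrapper manages no other

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix
# (octets 0-255, prefix 0-32). Pure sh, no external tools to get wrong.
valid_ipv4_entry() {
    addr=$1 prefix=32
    case $addr in */*) prefix=${addr#*/}; addr=${addr%/*} ;; esac
    # Digits and dots only: also rejects spaces, ';', quotes, empty strings.
    case $addr   in *[!0-9.]*|"") return 1 ;; esac
    case $prefix in *[!0-9]*|"")  return 1 ;; esac
    [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr          # split on dots; no globbing possible after the check above
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the exact ipfw command for a request, or print nothing and return 1
# if the action or address fails validation. Kept separate from execution so
# it can be reviewed and tested without root or a live firewall.
build_cmd() {
    action=$1 entry=$2
    case $action in add|delete) ;; *) return 1 ;; esac
    valid_ipv4_entry "$entry" || return 1
    printf '/sbin/ipfw table %s %s %s\n' "$ALLOWED_TABLE" "$action" "$entry"
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 add|delete ADDR[/PREFIX]" >&2; exit 64; }
    cmd=$(build_cmd "$1" "$2") || { echo "rejected request: $1 $2" >&2; exit 65; }
    logger -t add_table "httpd request: $cmd"   # audit trail for every change
    exec $cmd   # unquoted on purpose: every field was validated above
}

if [ $# -gt 0 ]; then main "$@"; fi
```

With this in place the sudoers lines become `apache host=(root) NOPASSWD: /my/script/add_table.sh`, and a queue-based design can call build_cmd on each dequeued request in the same way.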
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?312952428.20121129230308>