Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 15 Oct 2002 08:10:59 +0200
From:      Roman Neuhauser <neuhauser@bellavista.cz>
To:        questions@FreeBSD.ORG
Subject:   Re: Running ipfw from a webpage/using php.
Message-ID:  <20021015061059.GS364@freepuppy.bellavista.cz>
In-Reply-To: <20021014151236.GB49638@happy-idiot-talk.infracaninophi>
References:  <010101c2738e$ffcd2560$ec9e1ec4@staff.uunet.co.za> <3DAADA8B.55767D3A@liwing.de> <20021014151236.GB49638@happy-idiot-talk.infracaninophi>
next in thread | previous in thread | raw e-mail | index | archive | help 
# m.seaman@infracaninophile.co.uk / 2002-10-14 16:12:36 +0100:
> On Mon, Oct 14, 2002 at 04:54:03PM +0200, Jens Rehsack wrote:
> > Patrick Holahan wrote:
> 
> > > I need to run a root command (ipfw) from apache through php. (Yes, this is
> > > not very secure and I'm aware of this and if anyone has any better
> > > suggestions, please feel free to make them.)
> 
> > is that the function you search:
> >   string exec ( string command [, array output [, int return_var]])
> 
> That will run as the UID of the webserver, usually www, which won't be
> very useful for doing stuff with ipfw.
> 
> I'd grab sudo(8) or one of the alternatives from ports and very
> carefully craft a /usr/local/etc/sudoers file that lets the www UID
> run a specific ipfw command line without giving a password.  Be very
> careful not to let the www UID make arbitrary changes to your firewall
> or you will discover the true meaning of pain in very short order.
> Remember to add www to the wheel group if you go this way.

    this is IMO a better solution:

    #!/bin/sh
    [ -f /some/file ] && \
    /your/command && \
    /bin/rm -f /some/file

    /etc/crontab:

    *   *   *   *   *   root    /your/script

    in the php script:

    touch('/some/file');

> Oh, and good luck maintaining the integrity of your machine if you do
> implement this.  You're going to need it...

    not necessarily. implementation dependent. :)

-- 
If you cc me or take the list(s) out completely I'll most likely
ignore your message.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021015061059.GS364>