Date:      Wed, 28 Nov 2012 20:09:03 -0800
From:      Devin Teske <>
To:        Eugen Konkov <>
Cc:        FreeBSD Questions <>
Subject:   Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-ID:  <>
In-Reply-To: <>
References:  <>


On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:

> Hi.
> How to allow httpd to run this command 'ipfw table 7 add ... '?

imho the most secure way is to add an entry to sudoers(5) (you can use
visudo(8) to edit sudoers(5)) allowing the apache privilege-separation user
(www? we use apache here -- check your httpd.conf for "User") to execute that
specific command without a password. The entry might look something like this:

apache ALL=(ALL) NOPASSWD: /sbin/ipfw

That will allow the apache user to do things like:

	sudo ipfw table 7 add …

because sudo will allow password-less privilege escalation to root (but only
for ipfw, nothing else, for security reasons naturally).

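
A narrower variant of the sudoers approach in the message above, given as an added example that is not part of the original e-mail: a sudoers rule that names only /sbin/ipfw permits every ipfw subcommand, so this wrapper validates a single address and runs only `ipfw table 7 add`. The wrapper path /usr/local/sbin/ipfw-table7-add, the function names and the restriction to plain IPv4 host addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Hypothetical wrapper, assumed
# installed root-owned and not writable by apache at:
#   /usr/local/sbin/ipfw-table7-add
# Assumed sudoers entry (via visudo), in place of the whole-ipfw rule:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/ipfw-table7-add

# Return 0 only for a dotted-quad IPv4 host address such as 192.0.2.10.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    oldifs=$IFS; IFS=.
    set -- $1                                  # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0?*|????*) return 1 ;;             # no leading zeros, max 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate the single argument, then run the one fixed ipfw command.
add_to_table7() {
    if ! valid_ipv4 "$1"; then
        echo "ipfw-table7-add: refusing invalid address" >&2
        return 64
    fi
    /sbin/ipfw table 7 add "$1"
}

# Act only when called with arguments, so the functions can be tested alone.
if [ $# -gt 0 ]; then
    [ $# -eq 1 ] || { echo "usage: ipfw-table7-add IPV4" >&2; exit 64; }
    add_to_table7 "$1"
fi
```

The web application would then call `sudo /usr/local/sbin/ipfw-table7-add 192.0.2.10`, and anything other than one well-formed address is rejected before ipfw is reached.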
