Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 28 Nov 2012 20:09:03 -0800
From:      Devin Teske <devin.teske@fisglobal.com>
To:        Eugen Konkov <kes-kes@yandex.ru>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-ID:  <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
In-Reply-To: <8310543741.20121129054846@yandex.ru>
References:  <8310543741.20121129054846@yandex.ru>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:

> Hi.
>=20
> How to allow httpd to run this command 'ipfw table 7 add ... '?
>=20

imho the most secure way is to add an entry to sudoers(5) (you can use visu=
do(8) to edit sudoers(5)) allowing the apache privilege-separation user (ww=
w? we use apache here -- check your httpd.conf for "User") to execute that =
specific command without a password. The entry might look something like th=
is:

apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw

That will allow the apache user to do things like:

	sudo ipfw table 7 add =85

because sudo will allow password-less privilege escalation to root (but onl=
y for ipfw, nothing else, for security reasons naturally).
--=20
Devin

_____________
The information contained in this message is proprietary and/or confidentia=
l. If you are not the intended recipient, please: (i) delete the message an=
d all copies; (ii) do not disclose, distribute or use the message in any ma=
nner; and (iii) notify the sender immediately. In addition, please be aware=
 that any message addressed to our domain is subject to archiving and revie=
w by persons other than the intended recipient. Thank you.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA>