Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 29 Nov 2012 19:38:35 +0000
From:      Steve O'Hara-Smith <steve@sohara.org>
To:        Devin Teske <dteske@freebsd.org>
Cc:        Eugen Konkov <kes-kes@yandex.ru>, Devin Teske <devin.teske@fisglobal.com>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-ID:  <20121129193835.8896ea0d.steve@sohara.org>
In-Reply-To: <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
References:  <8310543741.20121129054846@yandex.ru> <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
This is a multi-part message in MIME format.

--Multipart=_Thu__29_Nov_2012_19_38_35_+0000_vYnC0k/8=PKA4DkY
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On Wed, 28 Nov 2012 20:09:03 -0800
Devin Teske <devin.teske@fisglobal.com> wrote:

> 
> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
> 
> > Hi.
> > 
> > How to allow httpd to run this command 'ipfw table 7 add ... '?
> > 
> 
> imho the most secure way is to add an entry to sudoers(5) (you can use visudo

	This is not very secure for this purpose - see below.

> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
> 
> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
> 
> That will allow the apache user to do things like:
> 
> 	sudo ipfw table 7 add …

	The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.

-- 
Steve O'Hara-Smith <steve@sohara.org>

--Multipart=_Thu__29_Nov_2012_19_38_35_+0000_vYnC0k/8=PKA4DkY
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Date: Thu, 29 Nov 2012 07:37:49 +0000
From: Steve O'Hara-Smith <steve@sohara.org>
To: Devin Teske <dteske@freebsd.org>
Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov
 <kes-kes@yandex.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-Id: <20121129073749.d9a3a712.steve@sohara.org>
In-Reply-To: <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
References: <8310543741.20121129054846@yandex.ru>
	<BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
X-Mailer: Sylpheed 3.1.0 (GTK+ 2.24.0; i386-apple-darwin10.6.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Sylpheed-Account-Id: 1
X-Sylpheed-Reply: #imap/steve@sohara.org/Mail/FreeBSD/Questions/2929
X-Sylpheed-Compose-AutoWrap: FALSE

On Wed, 28 Nov 2012 20:09:03 -0800
Devin Teske <devin.teske@fisglobal.com> wrote:

> 
> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
> 
> > Hi.
> > 
> > How to allow httpd to run this command 'ipfw table 7 add ... '?
> > 
> 
> imho the most secure way is to add an entry to sudoers(5) (you can use visudo

	This is not very secure for this purpose - see below.

> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
> 
> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
> 
> That will allow the apache user to do things like:
> 
> 	sudo ipfw table 7 add …

	The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.

-- 
Steve O'Hara-Smith <steve@sohara.org>

--Multipart=_Thu__29_Nov_2012_19_38_35_+0000_vYnC0k/8=PKA4DkY
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Date: Thu, 29 Nov 2012 19:33:28 +0000
From: Steve O'Hara-Smith <steve@sohara.org>
To: Devin Teske <dteske@freebsd.org>
Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov
 <kes-kes@yandex.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-Id: <20121129193328.4094d6e5.steve@sohara.org>
In-Reply-To: <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
References: <8310543741.20121129054846@yandex.ru>
	<BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
X-Mailer: Sylpheed 3.1.0 (GTK+ 2.24.0; i386-apple-darwin10.6.0)
Mime-Version: 1.0
Content-Type: multipart/mixed;
 boundary="Multipart=_Thu__29_Nov_2012_19_33_28_+0000_wyHifUsX_27hEeY0"
X-Sylpheed-Account-Id: 1
X-Sylpheed-Reply: #imap/steve@sohara.org/Mail/FreeBSD/Questions/2929
X-Sylpheed-Compose-AutoWrap: FALSE

This is a multi-part message in MIME format.

--Multipart=_Thu__29_Nov_2012_19_33_28_+0000_wyHifUsX_27hEeY0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On Wed, 28 Nov 2012 20:09:03 -0800
Devin Teske <devin.teske@fisglobal.com> wrote:

> 
> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
> 
> > Hi.
> > 
> > How to allow httpd to run this command 'ipfw table 7 add ... '?
> > 
> 
> imho the most secure way is to add an entry to sudoers(5) (you can use visudo

	This is not very secure for this purpose - see below.

> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
> 
> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
> 
> That will allow the apache user to do things like:
> 
> 	sudo ipfw table 7 add …

	The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.

-- 
Steve O'Hara-Smith <steve@sohara.org>

--Multipart=_Thu__29_Nov_2012_19_33_28_+0000_wyHifUsX_27hEeY0
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Date: Thu, 29 Nov 2012 07:37:49 +0000
From: Steve O'Hara-Smith <steve@sohara.org>
To: Devin Teske <dteske@freebsd.org>
Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov
 <kes-kes@yandex.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-Id: <20121129073749.d9a3a712.steve@sohara.org>
In-Reply-To: <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
References: <8310543741.20121129054846@yandex.ru>
	<BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
X-Mailer: Sylpheed 3.1.0 (GTK+ 2.24.0; i386-apple-darwin10.6.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Sylpheed-Account-Id: 1
X-Sylpheed-Reply: #imap/steve@sohara.org/Mail/FreeBSD/Questions/2929
X-Sylpheed-Compose-AutoWrap: FALSE

On Wed, 28 Nov 2012 20:09:03 -0800
Devin Teske <devin.teske@fisglobal.com> wrote:

> 
> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
> 
> > Hi.
> > 
> > How to allow httpd to run this command 'ipfw table 7 add ... '?
> > 
> 
> imho the most secure way is to add an entry to sudoers(5) (you can use visudo

	This is not very secure for this purpose - see below.

> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
> 
> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
> 
> That will allow the apache user to do things like:
> 
> 	sudo ipfw table 7 add …

	The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.

-- 
Steve O'Hara-Smith <steve@sohara.org>

--Multipart=_Thu__29_Nov_2012_19_33_28_+0000_wyHifUsX_27hEeY0--

--Multipart=_Thu__29_Nov_2012_19_38_35_+0000_vYnC0k/8=PKA4DkY
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Date: Thu, 29 Nov 2012 19:36:09 +0000
From: Steve O'Hara-Smith <steve@sohara.org>
To: Devin Teske <dteske@freebsd.org>
Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov
 <kes-kes@yandex.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-Id: <20121129193609.a71d615a.steve@sohara.org>
In-Reply-To: <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
References: <8310543741.20121129054846@yandex.ru>
	<BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
X-Mailer: Sylpheed 3.1.0 (GTK+ 2.24.0; i386-apple-darwin10.6.0)
Mime-Version: 1.0
Content-Type: multipart/mixed;
 boundary="Multipart=_Thu__29_Nov_2012_19_36_09_+0000_.RJPkC+wrXQ1N+tp"
X-Sylpheed-Account-Id: 1
X-Sylpheed-Reply: #imap/steve@sohara.org/Mail/FreeBSD/Questions/2929
X-Sylpheed-Compose-AutoWrap: FALSE

This is a multi-part message in MIME format.

--Multipart=_Thu__29_Nov_2012_19_36_09_+0000_.RJPkC+wrXQ1N+tp
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On Wed, 28 Nov 2012 20:09:03 -0800
Devin Teske <devin.teske@fisglobal.com> wrote:

> 
> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
> 
> > Hi.
> > 
> > How to allow httpd to run this command 'ipfw table 7 add ... '?
> > 
> 
> imho the most secure way is to add an entry to sudoers(5) (you can use visudo

	This is not very secure for this purpose - see below.

> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
> 
> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
> 
> That will allow the apache user to do things like:
> 
> 	sudo ipfw table 7 add …

	The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.

-- 
Steve O'Hara-Smith <steve@sohara.org>

--Multipart=_Thu__29_Nov_2012_19_36_09_+0000_.RJPkC+wrXQ1N+tp
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Date: Thu, 29 Nov 2012 07:37:49 +0000
From: Steve O'Hara-Smith <steve@sohara.org>
To: Devin Teske <dteske@freebsd.org>
Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov
 <kes-kes@yandex.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-Id: <20121129073749.d9a3a712.steve@sohara.org>
In-Reply-To: <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
References: <8310543741.20121129054846@yandex.ru>
	<BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
X-Mailer: Sylpheed 3.1.0 (GTK+ 2.24.0; i386-apple-darwin10.6.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Sylpheed-Account-Id: 1
X-Sylpheed-Reply: #imap/steve@sohara.org/Mail/FreeBSD/Questions/2929
X-Sylpheed-Compose-AutoWrap: FALSE

On Wed, 28 Nov 2012 20:09:03 -0800
Devin Teske <devin.teske@fisglobal.com> wrote:

> 
> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
> 
> > Hi.
> > 
> > How to allow httpd to run this command 'ipfw table 7 add ... '?
> > 
> 
> imho the most secure way is to add an entry to sudoers(5) (you can use visudo

	This is not very secure for this purpose - see below.

> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
> 
> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
> 
> That will allow the apache user to do things like:
> 
> 	sudo ipfw table 7 add …

	The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.

-- 
Steve O'Hara-Smith <steve@sohara.org>

--Multipart=_Thu__29_Nov_2012_19_36_09_+0000_.RJPkC+wrXQ1N+tp
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Date: Thu, 29 Nov 2012 19:33:28 +0000
From: Steve O'Hara-Smith <steve@sohara.org>
To: Devin Teske <dteske@freebsd.org>
Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov
 <kes-kes@yandex.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-Id: <20121129193328.4094d6e5.steve@sohara.org>
In-Reply-To: <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
References: <8310543741.20121129054846@yandex.ru>
	<BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
X-Mailer: Sylpheed 3.1.0 (GTK+ 2.24.0; i386-apple-darwin10.6.0)
Mime-Version: 1.0
Content-Type: multipart/mixed;
 boundary="Multipart=_Thu__29_Nov_2012_19_33_28_+0000_wyHifUsX_27hEeY0"
X-Sylpheed-Account-Id: 1
X-Sylpheed-Reply: #imap/steve@sohara.org/Mail/FreeBSD/Questions/2929
X-Sylpheed-Compose-AutoWrap: FALSE

This is a multi-part message in MIME format.

--Multipart=_Thu__29_Nov_2012_19_33_28_+0000_wyHifUsX_27hEeY0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On Wed, 28 Nov 2012 20:09:03 -0800
Devin Teske <devin.teske@fisglobal.com> wrote:

> 
> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
> 
> > Hi.
> > 
> > How to allow httpd to run this command 'ipfw table 7 add ... '?
> > 
> 
> imho the most secure way is to add an entry to sudoers(5) (you can use visudo

	This is not very secure for this purpose - see below.

> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
> 
> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
> 
> That will allow the apache user to do things like:
> 
> 	sudo ipfw table 7 add …

	The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.

-- 
Steve O'Hara-Smith <steve@sohara.org>

--Multipart=_Thu__29_Nov_2012_19_33_28_+0000_wyHifUsX_27hEeY0
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Date: Thu, 29 Nov 2012 07:37:49 +0000
From: Steve O'Hara-Smith <steve@sohara.org>
To: Devin Teske <dteske@freebsd.org>
Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov
 <kes-kes@yandex.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-Id: <20121129073749.d9a3a712.steve@sohara.org>
In-Reply-To: <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
References: <8310543741.20121129054846@yandex.ru>
	<BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
X-Mailer: Sylpheed 3.1.0 (GTK+ 2.24.0; i386-apple-darwin10.6.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Sylpheed-Account-Id: 1
X-Sylpheed-Reply: #imap/steve@sohara.org/Mail/FreeBSD/Questions/2929
X-Sylpheed-Compose-AutoWrap: FALSE

On Wed, 28 Nov 2012 20:09:03 -0800
Devin Teske <devin.teske@fisglobal.com> wrote:

> 
> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
> 
> > Hi.
> > 
> > How to allow httpd to run this command 'ipfw table 7 add ... '?
> > 
> 
> imho the most secure way is to add an entry to sudoers(5) (you can use visudo

	This is not very secure for this purpose - see below.

> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
> 
> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
> 
> That will allow the apache user to do things like:
> 
> 	sudo ipfw table 7 add …

	The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.

-- 
Steve O'Hara-Smith <steve@sohara.org>

--Multipart=_Thu__29_Nov_2012_19_33_28_+0000_wyHifUsX_27hEeY0--

--Multipart=_Thu__29_Nov_2012_19_36_09_+0000_.RJPkC+wrXQ1N+tp--

--Multipart=_Thu__29_Nov_2012_19_38_35_+0000_vYnC0k/8=PKA4DkY--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20121129193835.8896ea0d.steve>