Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 29 Nov 2012 13:12:18 -0800
From:      Devin Teske <devin.teske@fisglobal.com>
To:        "Steve O'Hara-Smith" <steve@sohara.org>
Cc:        Eugen Konkov <kes-kes@yandex.ru>, Devin Teske <dteske@freebsd.org>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-ID:  <FB3AE5A0-117A-4C42-A159-4677B982E176@fisglobal.com>
In-Reply-To: <20121129193835.8896ea0d.steve@sohara.org>
References:  <8310543741.20121129054846@yandex.ru> <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com> <20121129193835.8896ea0d.steve@sohara.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

On Nov 29, 2012, at 11:38 AM, Steve O'Hara-Smith wrote:

> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske@fisglobal.com> wrote:
>=20
>>=20
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>=20
>>> Hi.
>>>=20
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>=20
>>=20
>> imho the most secure way is to add an entry to sudoers(5) (you can use v=
isudo
>=20
> 	This is not very secure for this purpose - see below.
>=20
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w=
ww? we use apache here -- check your httpd.conf for "User") to execute that=
 specific command without a password. The entry might look something like t=
his:
>>=20
>> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw
>>=20
>> That will allow the apache user to do things like:
>>=20
>> 	sudo ipfw table 7 add =85
>=20
> 	The only problem with this is it will allow apache to do anything with i=
pfw including flush all of the rules. I would suggest having apache dumping=
 the parameters of the command to be run into a queue of some kind (named p=
ipe perhaps or a file based queue if it's important to survive shutdowns) a=
nd have a process reading the queue, sanity checking the parameters and the=
n executing the appropriate command.
>=20

So create a wrapper and only allow access to the wrapper.

Alternatively, you could research FoxT (previously known as BoKS), which al=
lows you to not only lock down which commands can be executed by which argu=
ments are passable.

That being said, I think a wrapper is the simpler approach. It might look s=
omething like this:

=3D=3D=3D FILE: apache_ipfw.sh =3D=3D=3D
#!/bin/sh
# args sent direct to ipfw, so we must check args
case "$1" in
table) : fall thru ;;
*) exit 1
esac
sudo ipfw "$@"
=3D=3D=3D END FILE =3D=3D=3D

--=20
Devin


> From: Steve O'Hara-Smith <steve@sohara.org>
> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
> Date: November 28, 2012 11:37:49 PM PST
> To: Devin Teske <dteske@freebsd.org>
> Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov <kes-kes@yandex=
.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
>=20
>=20
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske@fisglobal.com> wrote:
>=20
>>=20
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>=20
>>> Hi.
>>>=20
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>=20
>>=20
>> imho the most secure way is to add an entry to sudoers(5) (you can use v=
isudo
>=20
> 	This is not very secure for this purpose - see below.
>=20
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w=
ww? we use apache here -- check your httpd.conf for "User") to execute that=
 specific command without a password. The entry might look something like t=
his:
>>=20
>> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw
>>=20
>> That will allow the apache user to do things like:
>>=20
>> 	sudo ipfw table 7 add =85
>=20
> 	The only problem with this is it will allow apache to do anything with i=
pfw including flush all of the rules. I would suggest having apache dumping=
 the parameters of the command to be run into a queue of some kind (named p=
ipe perhaps or a file based queue if it's important to survive shutdowns) a=
nd have a process reading the queue, sanity checking the parameters and the=
n executing the appropriate command.
>=20
> --=20
> Steve O'Hara-Smith <steve@sohara.org>
>=20
>=20
>=20
> From: Steve O'Hara-Smith <steve@sohara.org>
> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
> Date: November 29, 2012 11:33:28 AM PST
> To: Devin Teske <dteske@freebsd.org>
> Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov <kes-kes@yandex=
.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
>=20
>=20
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske@fisglobal.com> wrote:
>=20
>>=20
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>=20
>>> Hi.
>>>=20
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>=20
>>=20
>> imho the most secure way is to add an entry to sudoers(5) (you can use v=
isudo
>=20
> 	This is not very secure for this purpose - see below.
>=20
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w=
ww? we use apache here -- check your httpd.conf for "User") to execute that=
 specific command without a password. The entry might look something like t=
his:
>>=20
>> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw
>>=20
>> That will allow the apache user to do things like:
>>=20
>> 	sudo ipfw table 7 add =85
>=20
> 	The only problem with this is it will allow apache to do anything with i=
pfw including flush all of the rules. I would suggest having apache dumping=
 the parameters of the command to be run into a queue of some kind (named p=
ipe perhaps or a file based queue if it's important to survive shutdowns) a=
nd have a process reading the queue, sanity checking the parameters and the=
n executing the appropriate command.
>=20
> --=20
> Steve O'Hara-Smith <steve@sohara.org>
>=20
> From: Steve O'Hara-Smith <steve@sohara.org>
> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
> Date: November 28, 2012 11:37:49 PM PST
> To: Devin Teske <dteske@freebsd.org>
> Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov <kes-kes@yandex=
.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
>=20
>=20
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske@fisglobal.com> wrote:
>=20
>>=20
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>=20
>>> Hi.
>>>=20
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>=20
>>=20
>> imho the most secure way is to add an entry to sudoers(5) (you can use v=
isudo
>=20
> 	This is not very secure for this purpose - see below.
>=20
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w=
ww? we use apache here -- check your httpd.conf for "User") to execute that=
 specific command without a password. The entry might look something like t=
his:
>>=20
>> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw
>>=20
>> That will allow the apache user to do things like:
>>=20
>> 	sudo ipfw table 7 add =85
>=20
> 	The only problem with this is it will allow apache to do anything with i=
pfw including flush all of the rules. I would suggest having apache dumping=
 the parameters of the command to be run into a queue of some kind (named p=
ipe perhaps or a file based queue if it's important to survive shutdowns) a=
nd have a process reading the queue, sanity checking the parameters and the=
n executing the appropriate command.
>=20
> --=20
> Steve O'Hara-Smith <steve@sohara.org>
>=20
>=20
>=20
>=20
>=20
> From: Steve O'Hara-Smith <steve@sohara.org>
> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
> Date: November 29, 2012 11:36:09 AM PST
> To: Devin Teske <dteske@freebsd.org>
> Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov <kes-kes@yandex=
.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
>=20
>=20
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske@fisglobal.com> wrote:
>=20
>>=20
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>=20
>>> Hi.
>>>=20
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>=20
>>=20
>> imho the most secure way is to add an entry to sudoers(5) (you can use v=
isudo
>=20
> 	This is not very secure for this purpose - see below.
>=20
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w=
ww? we use apache here -- check your httpd.conf for "User") to execute that=
 specific command without a password. The entry might look something like t=
his:
>>=20
>> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw
>>=20
>> That will allow the apache user to do things like:
>>=20
>> 	sudo ipfw table 7 add =85
>=20
> 	The only problem with this is it will allow apache to do anything with i=
pfw including flush all of the rules. I would suggest having apache dumping=
 the parameters of the command to be run into a queue of some kind (named p=
ipe perhaps or a file based queue if it's important to survive shutdowns) a=
nd have a process reading the queue, sanity checking the parameters and the=
n executing the appropriate command.
>=20
> --=20
> Steve O'Hara-Smith <steve@sohara.org>
>=20
> From: Steve O'Hara-Smith <steve@sohara.org>
> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
> Date: November 28, 2012 11:37:49 PM PST
> To: Devin Teske <dteske@freebsd.org>
> Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov <kes-kes@yandex=
.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
>=20
>=20
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske@fisglobal.com> wrote:
>=20
>>=20
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>=20
>>> Hi.
>>>=20
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>=20
>>=20
>> imho the most secure way is to add an entry to sudoers(5) (you can use v=
isudo
>=20
> 	This is not very secure for this purpose - see below.
>=20
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w=
ww? we use apache here -- check your httpd.conf for "User") to execute that=
 specific command without a password. The entry might look something like t=
his:
>>=20
>> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw
>>=20
>> That will allow the apache user to do things like:
>>=20
>> 	sudo ipfw table 7 add =85
>=20
> 	The only problem with this is it will allow apache to do anything with i=
pfw including flush all of the rules. I would suggest having apache dumping=
 the parameters of the command to be run into a queue of some kind (named p=
ipe perhaps or a file based queue if it's important to survive shutdowns) a=
nd have a process reading the queue, sanity checking the parameters and the=
n executing the appropriate command.
>=20
> --=20
> Steve O'Hara-Smith <steve@sohara.org>
>=20
>=20
>=20
> From: Steve O'Hara-Smith <steve@sohara.org>
> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
> Date: November 29, 2012 11:33:28 AM PST
> To: Devin Teske <dteske@freebsd.org>
> Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov <kes-kes@yandex=
.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
>=20
>=20
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske@fisglobal.com> wrote:
>=20
>>=20
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>=20
>>> Hi.
>>>=20
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>=20
>>=20
>> imho the most secure way is to add an entry to sudoers(5) (you can use v=
isudo
>=20
> 	This is not very secure for this purpose - see below.
>=20
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w=
ww? we use apache here -- check your httpd.conf for "User") to execute that=
 specific command without a password. The entry might look something like t=
his:
>>=20
>> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw
>>=20
>> That will allow the apache user to do things like:
>>=20
>> 	sudo ipfw table 7 add =85
>=20
> 	The only problem with this is it will allow apache to do anything with i=
pfw including flush all of the rules. I would suggest having apache dumping=
 the parameters of the command to be run into a queue of some kind (named p=
ipe perhaps or a file based queue if it's important to survive shutdowns) a=
nd have a process reading the queue, sanity checking the parameters and the=
n executing the appropriate command.
>=20
> --=20
> Steve O'Hara-Smith <steve@sohara.org>
>=20
> From: Steve O'Hara-Smith <steve@sohara.org>
> Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
> Date: November 28, 2012 11:37:49 PM PST
> To: Devin Teske <dteske@freebsd.org>
> Cc: Devin Teske <devin.teske@fisglobal.com>, Eugen Konkov <kes-kes@yandex=
.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
>=20
>=20
> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske@fisglobal.com> wrote:
>=20
>>=20
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>=20
>>> Hi.
>>>=20
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>=20
>>=20
>> imho the most secure way is to add an entry to sudoers(5) (you can use v=
isudo
>=20
> 	This is not very secure for this purpose - see below.
>=20
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w=
ww? we use apache here -- check your httpd.conf for "User") to execute that=
 specific command without a password. The entry might look something like t=
his:
>>=20
>> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw
>>=20
>> That will allow the apache user to do things like:
>>=20
>> 	sudo ipfw table 7 add =85
>=20
> 	The only problem with this is it will allow apache to do anything with i=
pfw including flush all of the rules. I would suggest having apache dumping=
 the parameters of the command to be run into a queue of some kind (named p=
ipe perhaps or a file based queue if it's important to survive shutdowns) a=
nd have a process reading the queue, sanity checking the parameters and the=
n executing the appropriate command.
>=20
> --=20
> Steve O'Hara-Smith <steve@sohara.org>
>=20
>=20
>=20
>=20
>=20
>=20

_____________
The information contained in this message is proprietary and/or confidentia=
l. If you are not the intended recipient, please: (i) delete the message an=
d all copies; (ii) do not disclose, distribute or use the message in any ma=
nner; and (iii) notify the sender immediately. In addition, please be aware=
 that any message addressed to our domain is subject to archiving and revie=
w by persons other than the intended recipient. Thank you.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?FB3AE5A0-117A-4C42-A159-4677B982E176>