Date: Wed, 28 Nov 2012 20:09:03 -0800
From: Devin Teske <devin.teske@fisglobal.com>
To: Eugen Konkov <kes-kes@yandex.ru>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-ID: <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
In-Reply-To: <8310543741.20121129054846@yandex.ru>
References: <8310543741.20121129054846@yandex.ru>
On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:

> Hi.
>
> How to allow httpd to run this command 'ipfw table 7 add ... '?
>

imho the most secure way is to add an entry to sudoers(5) (you can use visudo(8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:

apache ALL=(ALL) NOPASSWD: /sbin/ipfw

That will allow the apache user to do things like:

sudo ipfw table 7 add ...

because sudo will allow password-less privilege escalation to root (but only for ipfw, nothing else, for security reasons naturally).

-- 
Devin
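A stricter variant of the grant above, added here as an example and not taken from the thread: rather than letting the web user run /sbin/ipfw with arbitrary arguments (which also covers every other ipfw subcommand, such as flushing or deleting rules), the sudoers entry points at a small wrapper that accepts one validated address and only ever issues `ipfw table 7 add`. The wrapper path /usr/local/sbin/ipfw-table7-add and the `www` user are assumptions; only table 7 and the add operation come from the thread.

```shell
#!/bin/sh
# ipfw-table7-add: a restricted wrapper that httpd can be allowed to run via
# sudo instead of /sbin/ipfw itself. Added example; the wrapper path and the
# www user below are assumptions, only "ipfw table 7 add" comes from the thread.
#
# Matching sudoers(5) entry (assumed):
#   www ALL=(root) NOPASSWD: /usr/local/sbin/ipfw-table7-add
set -f                       # no pathname expansion on untrusted input
TABLE=7
IPFW=/sbin/ipfw

# valid_ipv4 ADDR: succeed only if ADDR is a dotted-quad IPv4 address,
# optionally followed by /0..32. Pure POSIX sh, no external commands.
valid_ipv4() {
    addr=$1
    case $addr in
        */*) prefix=${addr#*/}; addr=${addr%%/*} ;;
        *)   prefix=32 ;;
    esac
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr             # split on dots only; empty fields are kept
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in       # reject empty, non-digit, and leading-zero octets
            ''|*[!0-9]*|0?*) return 1 ;;
        esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# add_to_table ADDR: validate, then pass the single argument to ipfw.
# Extra words, other subcommands or option flags are refused before ipfw
# ever sees them, which a plain "NOPASSWD: /sbin/ipfw" grant cannot do.
add_to_table() {
    valid_ipv4 "$1" || { echo "ipfw-table7-add: rejected: $1" >&2; return 2; }
    "$IPFW" table "$TABLE" add "$1"
}

# Entry point when invoked as the sudo target (exactly one argument).
if [ $# -eq 1 ]; then
    add_to_table "$1"
    exit $?
fi
```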