On Wed, 28 Nov 2012 20:09:03 -0800
Devin Teske <devin.te...@fisglobal.com> wrote:
>
> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>
> > Hi.
> >
> > How to allow httpd to run this command 'ipfw table 7 add ... '?
> >
>
> imho the most secure way is to add an entry to sudoers(5) (you can use visudo

This is not very secure for this purpose - see below.

> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www?
> we use apache here -- check your httpd.conf for "User") to execute that
> specific command without a password. The entry might look something like this:
>
> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
>
> That will allow the apache user to do things like:
>
> sudo ipfw table 7 add …

The only problem with this is that it will allow apache to do anything with
ipfw, including flushing all of the rules. I would suggest having apache dump
the parameters of the command to be run into a queue of some kind (a named pipe
perhaps, or a file-based queue if it's important to survive shutdowns) and
having a process read the queue, sanity-check the parameters and then execute
the appropriate command.
--
Steve O'Hara-Smith <st...@sohara.org>
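
The queue reader suggested in the reply above, sketched as an added example (not part of the original message and not FreeBSD code). Table 7 and /sbin/ipfw come from the thread; the "add <address>" line format, the function names and the refusal of /0 prefixes are assumptions made for illustration.

```python
import ipaddress
import subprocess

IPFW = "/sbin/ipfw"
TABLE = "7"                 # table number taken from the thread
ALLOWED_ACTIONS = {"add"}   # assumed policy: the web app may only add entries

# Constructed sample of what the web server might write to the queue.
SAMPLE_QUEUE = [
    "add 192.0.2.10",
    "add 198.51.100.77/24",
    "flush",
    "add 192.0.2.10; ipfw flush",
    "add -f",
    "add 0.0.0.0/0",
]

def build_command(line):
    """Turn one queue line into an ipfw argv list, or raise ValueError."""
    fields = line.split()
    if len(fields) != 2:
        raise ValueError("expected: <action> <address>")
    action, target = fields
    if action not in ALLOWED_ACTIONS:
        raise ValueError("action not allowed: %r" % action)
    # ip_network() accepts only a literal address or CIDR block, so
    # option-like strings and shell metacharacters never reach ipfw.
    net = ipaddress.ip_network(target, strict=False)
    if net.prefixlen == 0:
        raise ValueError("refusing a /0 prefix")  # assumed policy
    # Re-serialise from the parsed object instead of echoing the input.
    return [IPFW, "table", TABLE, action, str(net)]

def drain(lines, run=subprocess.run):
    """Process queued request lines; return (executed, rejected)."""
    executed, rejected = [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            argv = build_command(line)
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        run(argv, check=False)   # argv list, no shell is involved
        executed.append(argv)
    return executed, rejected
```

drain() takes any iterable of lines, so the privileged reader can pass it the open named pipe or queue file; only that reader needs the rights to run ipfw, and the web server user needs no sudoers entry at all.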
_______________________________________________
freebsd-questions@freebsd.org mailing list