Date: Mon, 14 Oct 2002 16:12:36 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Jens Rehsack <rehsack@liwing.de> Cc: Patrick Holahan <patrick@sdn.co.za>, questions@FreeBSD.ORG Subject: Re: Running ipfw from a webpage/using php. Message-ID: <20021014151236.GB49638@happy-idiot-talk.infracaninophi> In-Reply-To: <3DAADA8B.55767D3A@liwing.de> References: <010101c2738e$ffcd2560$ec9e1ec4@staff.uunet.co.za> <3DAADA8B.55767D3A@liwing.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 14, 2002 at 04:54:03PM +0200, Jens Rehsack wrote:
> Patrick Holahan wrote:
> > I need to run a root command (ipfw) from apache through php. (Yes, this is
> > not very secure and I'm aware of this and if anyone has any better
> > suggestions, please feel free to make them.)
> is that the function you search:
> string exec ( string command [, array output [, int return_var]])
That will run as the UID of the webserver, usually www, which won't be
very useful for doing stuff with ipfw.
I'd grab sudo(8) or one of the alternatives from ports and very
carefully craft a /usr/local/etc/sudoers file that lets the www UID
run a specific ipfw command line without giving a password. Be very
careful not to let the www UID make arbitrary changes to your firewall
or you will discover the true meaning of pain in very short order.
Remember to add www to the wheel group if you go this way.
Oh, and good luck maintaining the integrity of your machine if you do
implement this. You're going to need it...
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021014151236.GB49638>