From: Matthew Seaman
To: Jens Rehsack
Cc: Patrick Holahan, questions@FreeBSD.ORG
Subject: Re: Running ipfw from a webpage/using php.
Date: Mon, 14 Oct 2002 16:12:36 +0100
Message-ID: <20021014151236.GB49638@happy-idiot-talk.infracaninophi>
In-Reply-To: <3DAADA8B.55767D3A@liwing.de>

On Mon, Oct 14, 2002 at 04:54:03PM +0200, Jens Rehsack wrote:
> Patrick Holahan wrote:
> > I need to run a root command (ipfw) from apache through php. (Yes, this is
> > not very secure and I'm aware of this and if anyone has any better
> > suggestions, please feel free to make them.)
>
> Is that the function you're searching for:
>
> string exec ( string command [, array output [, int return_var]])

That will run as the UID of the webserver, usually www, which won't be very
useful for doing stuff with ipfw.

I'd grab sudo(8) or one of the alternatives from ports and very carefully
craft a /usr/local/etc/sudoers file that lets the www UID run a specific
ipfw command line without giving a password. Be very careful not to let the
www UID make arbitrary changes to your firewall or you will discover the true
meaning of pain in very short order. Remember to add www to the wheel group
if you go this way.

Oh, and good luck maintaining the integrity of your machine if you do
implement this. You're going to need it...

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH UK
Tel: +44 1628 476614
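Added example, not part of the thread above: one way to give the www UID the single, fixed ipfw command line Matthew describes is to point the sudoers entry at a small wrapper that validates its one argument before calling ipfw, so the web server can never pass arbitrary text to the firewall. The script path, the rule number and the sudoers line are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. /usr/local/sbin/ipfw-block (constructed example).
# Assumed sudoers entry granting only this script, with no password:
#   www ALL = (root) NOPASSWD: /usr/local/sbin/ipfw-block
# The wrapper takes exactly one dotted-quad IPv4 address and adds one fixed
# deny rule; nothing else the www UID supplies ever reaches ipfw.

RULE_NUM=5000            # assumed rule number reserved for web-added blocks
IPFW=/sbin/ipfw          # ipfw binary on FreeBSD

# is_ipv4 ADDR: succeed only for a plain dotted quad with each octet 0-255.
# Rejects anything with characters other than digits and dots, so shell
# metacharacters, spaces and extra ipfw keywords cannot be smuggled in.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# block_ip ADDR: validate, then run the one permitted ipfw command line.
block_ip() {
    is_ipv4 "$1" || { echo "ipfw-block: bad address: $1" >&2; return 2; }
    "$IPFW" add "$RULE_NUM" deny ip from "$1" to any
}

# Only act when invoked as the installed wrapper; sourcing the file for
# testing defines the functions without touching the firewall.
if [ "${0##*/}" = "ipfw-block" ]; then
    [ $# -eq 1 ] || { echo "usage: ipfw-block <ipv4-address>" >&2; exit 2; }
    block_ip "$1"
fi
```

A web page that calls `sudo /usr/local/sbin/ipfw-block $addr` is then limited to adding that one deny rule, and the firewall's rule set is otherwise unreachable from the www UID.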