From owner-freebsd-questions Mon Oct 14 23:11:09 2002
Date: Tue, 15 Oct 2002 08:10:59 +0200
From: Roman Neuhauser <neuhauser@bellavista.cz>
To: questions@FreeBSD.ORG
Subject: Re: Running ipfw from a webpage/using php.
Message-ID: <20021015061059.GS364@freepuppy.bellavista.cz>
Mail-Followup-To: questions@FreeBSD.ORG
References: <010101c2738e$ffcd2560$ec9e1ec4@staff.uunet.co.za> <3DAADA8B.55767D3A@liwing.de> <20021014151236.GB49638@happy-idiot-talk.infracaninophi>
In-Reply-To: <20021014151236.GB49638@happy-idiot-talk.infracaninophi>
User-Agent: Mutt/1.5.1i

# m.seaman@infracaninophile.co.uk / 2002-10-14 16:12:36 +0100:
> On Mon, Oct 14, 2002 at 04:54:03PM +0200, Jens Rehsack wrote:
> > Patrick Holahan wrote:
> > >
> > > I need to run a root command (ipfw) from apache through php. (Yes, this is
> > > not very secure and I'm aware of this and if anyone has any better
> > > suggestions, please feel free to make them.)
> >
> > is that the function you search:
> > string exec ( string command [, array output [, int return_var]])
>
> That will run as the UID of the webserver, usually www, which won't be
> very useful for doing stuff with ipfw.
>
> I'd grab sudo(8) or one of the alternatives from ports and very
> carefully craft a /usr/local/etc/sudoers file that lets the www UID
> run a specific ipfw command line without giving a password. Be very
> careful not to let the www UID make arbitrary changes to your firewall
> or you will discover the true meaning of pain in very short order.
> Remember to add www to the wheel group if you go this way.

this is IMO a better solution:

    #!/bin/sh
    [ -f /some/file ] && \
        /your/command && \
        /bin/rm -f /some/file

/etc/crontab:

    * * * * * root /your/script

in the php script:

    touch('/some/file');

> Oh, and good luck maintaining the integrity of your machine if you do
> implement this. You're going to need it...

not necessarily. implementation dependent. :)

--
If you cc me or take the list(s) out completely I'll most likely ignore
your message.
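As an added example (mine, not Roman's script or anything else from this thread), here is the same cron-polled trigger-file pattern with the checks a practitioner would want before letting root act on a file the www user created: refuse symlinks and anything that is not a plain file, consume the trigger before running so a failing command is not retried every minute, and keep the command line fixed in the script so nothing the web process writes reaches root. The directory path, its assumed 0750 www:wheel ownership, the exit codes and the --run flag are my assumptions; /your/command is the thread's own placeholder for the ipfw command line.

```shell
#!/bin/sh
# Added example, not from the original mail: a hardened version of the
# cron-polled trigger file. The web process only creates the file; the
# command line that runs as root is fixed here, so the trigger carries no
# arguments. Paths below are assumptions, not values from the thread.

# Directory the www user may write to and nobody else can (assumed mode
# 0750, owner www:wheel). Keeping the trigger out of /tmp means other local
# users cannot plant or replace it.
TRIGGER_DIR="${TRIGGER_DIR:-/var/spool/fwtrigger}"
TRIGGER="$TRIGGER_DIR/reload"

# run_if_triggered FILE CMD [ARGS...]
#   0  trigger was present, it was removed and CMD succeeded
#   1  no trigger present, nothing to do
#   2  trigger rejected (symlink, directory, or other non-plain file)
#   3  trigger consumed but CMD failed (cron mails the non-zero status)
run_if_triggered() {
    trig=$1; shift
    # Test -L before -f: -f follows symlinks, so a link pointing at a
    # regular file would otherwise be accepted.
    if [ -L "$trig" ]; then
        rm -f "$trig"          # rm -f removes the link, not its target
        return 2
    fi
    [ -e "$trig" ] || return 1
    if [ ! -f "$trig" ]; then
        return 2               # left in place for the admin to inspect
    fi
    # Consume the trigger first so a failing command is not retried by
    # every subsequent cron run; the exit status reports the failure.
    rm -f "$trig"
    "$@" || return 3
    return 0
}

# Only acts when invoked with --run, e.g. from /etc/crontab as
#   * * * * * root /usr/local/sbin/fwtrigger --run
# (assumed install path). /your/command is the mail's placeholder for the
# fixed ipfw command line.
case "${1:-}" in
    --run) run_if_triggered "$TRIGGER" /your/command ;;
esac
```

The php side stays touch('/var/spool/fwtrigger/reload') (assumed path) on a directory that only www can write to. On FreeBSD, prefixing the crontab command with lockf(1), as in lockf -t 0 /var/run/fwtrigger.lock /usr/local/sbin/fwtrigger --run, keeps two overlapping runs from racing on the same trigger.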