Date:      Wed, 28 Nov 2012 20:09:03 -0800
From:      Devin Teske <devin.teske@fisglobal.com>
To:        Eugen Konkov <kes-kes@yandex.ru>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-ID:  <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
In-Reply-To: <8310543741.20121129054846@yandex.ru>
References:  <8310543741.20121129054846@yandex.ru>



On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:

> Hi.
> 
> How to allow httpd to run this command 'ipfw table 7 add ... '?
> 

imho the most secure way is to add an entry to sudoers(5) (you can use visudo(8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:

apache ALL=(ALL) NOPASSWD: /sbin/ipfw

That will allow the apache user to do things like:

	sudo ipfw table 7 add …

because sudo will allow password-less privilege escalation to root (but only for ipfw, nothing else, for security reasons naturally).
-- 
Devin

_____________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA>