From owner-freebsd-questions@FreeBSD.ORG Thu Nov 29 04:09:06 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3C853E65 for ; Thu, 29 Nov 2012 04:09:06 +0000 (UTC) (envelope-from Devin.Teske@fisglobal.com) Received: from mx1.fisglobal.com (mx1.fisglobal.com [199.200.24.190]) by mx1.freebsd.org (Postfix) with ESMTP id F3BBC8FC13 for ; Thu, 29 Nov 2012 04:09:05 +0000 (UTC) Received: from smtp.fisglobal.com ([10.132.206.31]) by ltcfislmsgpa07.fnfis.com (8.14.5/8.14.5) with ESMTP id qAT4956W019835 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 28 Nov 2012 22:09:05 -0600 Received: from [10.0.0.100] (10.14.152.61) by smtp.fisglobal.com (10.132.206.31) with Microsoft SMTP Server (TLS) id 14.2.309.2; Wed, 28 Nov 2012 22:09:04 -0600 Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' MIME-Version: 1.0 (Apple Message framework v1283) Content-Type: text/plain; charset="windows-1252" From: Devin Teske In-Reply-To: <8310543741.20121129054846@yandex.ru> Date: Wed, 28 Nov 2012 20:09:03 -0800 Content-Transfer-Encoding: quoted-printable Message-ID: References: <8310543741.20121129054846@yandex.ru> To: Eugen Konkov X-Mailer: Apple Mail (2.1283) X-Originating-IP: [10.14.152.61] X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.9.8185, 1.0.431, 0.0.0000 definitions=2012-11-29_05:2012-11-28,2012-11-29,1970-01-01 signatures=0 Cc: FreeBSD Questions X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: Devin Teske List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Nov 2012 04:09:06 -0000 On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: > Hi. >=20 > How to allow httpd to run this command 'ipfw table 7 add ... '? >=20 imho the most secure way is to add an entry to sudoers(5) (you can use visu= do(8) to edit sudoers(5)) allowing the apache privilege-separation user (ww= w? we use apache here -- check your httpd.conf for "User") to execute that = specific command without a password. The entry might look something like th= is: apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw That will allow the apache user to do things like: sudo ipfw table 7 add =85 because sudo will allow password-less privilege escalation to root (but onl= y for ipfw, nothing else, for security reasons naturally). --=20 Devin _____________ The information contained in this message is proprietary and/or confidentia= l. If you are not the intended recipient, please: (i) delete the message an= d all copies; (ii) do not disclose, distribute or use the message in any ma= nner; and (iii) notify the sender immediately. In addition, please be aware= that any message addressed to our domain is subject to archiving and revie= w by persons other than the intended recipient. Thank you.