Date:      Thu, 29 Nov 2012 19:38:35 +0000
From:      Steve O'Hara-Smith <steve@sohara.org>
To:        Devin Teske <dteske@freebsd.org>
Cc:        Eugen Konkov <kes-kes@yandex.ru>, Devin Teske <devin.teske@fisglobal.com>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-ID:  <20121129193835.8896ea0d.steve@sohara.org>
In-Reply-To: <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>
References:  <8310543741.20121129054846@yandex.ru> <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com>

On Wed, 28 Nov 2012 20:09:03 -0800
Devin Teske <devin.teske@fisglobal.com> wrote:

> 
> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
> 
> > Hi.
> > 
> > How to allow httpd to run this command 'ipfw table 7 add ... '?
> > 
> 
> imho the most secure way is to add an entry to sudoers(5) (you can use visudo

	This is not very secure for this purpose - see below.

> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
> 
> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
> 
> That will allow the apache user to do things like:
> 
> 	sudo ipfw table 7 add …

	The only problem with this is that it will allow apache to do anything with ipfw, including flushing all of the rules. I would suggest having apache dump the parameters of the command to be run into a queue of some kind (a named pipe perhaps, or a file-based queue if it's important to survive shutdowns) and having a process read the queue, sanity-check the parameters and then execute the appropriate command.

-- 
Steve O'Hara-Smith <steve@sohara.org>
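The queue consumer Steve describes, written out as an added example (not code from this thread or from FreeBSD): the unprivileged httpd user appends one address per line to a queue, and a separate privileged process validates each line and runs only the fixed `ipfw table 7 add` command. The queue path, the one-address-per-line format and the Python implementation are assumptions for illustration.

```python
# Added example: privileged consumer for a one-line-per-request queue that
# the unprivileged httpd user writes to. Paths and the queue format are
# assumptions; the only ipfw action reachable through it is 'table 7 add'.
import ipaddress
import subprocess
from typing import Callable, List, Optional

IPFW = "/sbin/ipfw"
TABLE = "7"
QUEUE_PATH = "/var/spool/ipfw-queue"  # assumed named pipe or spool file

def parse_request(line: str) -> Optional[List[str]]:
    """Map one queue line to a fixed argv, or None if it is not acceptable.

    Only an IPv4 address or a clean IPv4 CIDR prefix passes; extra words,
    another table, 'flush', IPv6 or shell metacharacters are all refused.
    """
    token = line.strip()
    if not token or any(c.isspace() for c in token):
        return None
    try:
        net = ipaddress.ip_network(token)  # strict: host bits in a prefix fail
    except ValueError:
        return None
    if net.version != 4:
        return None
    arg = str(net.network_address) if net.prefixlen == 32 else str(net)
    return [IPFW, "table", TABLE, "add", arg]

def run_ipfw(argv: List[str]) -> int:
    """Execute the validated argv directly (no shell); return exit status."""
    return subprocess.run(argv, check=False).returncode

def drain_queue(lines, runner: Callable[[List[str]], int] = run_ipfw):
    """Process queue lines; return (argvs executed, lines rejected)."""
    executed, rejected = [], []
    for line in lines:
        argv = parse_request(line)
        if argv is None:
            rejected.append(line.rstrip("\n"))
            continue
        runner(argv)
        executed.append(argv)
    return executed, rejected

# Constructed sample queue content: two legitimate requests and three lines
# a buggy or compromised CGI might write; only the first two are executed.
SAMPLE_QUEUE = ["192.0.2.10\n", "198.51.100.0/24\n",
                "192.0.2.10; ipfw -f flush\n", "flush\n", "2001:db8::1\n"]

if __name__ == "__main__":
    with open(QUEUE_PATH) as fifo:  # opening a FIFO blocks until httpd writes
        done, bad = drain_queue(fifo)
    print(f"executed {len(done)}, rejected {len(bad)}")
```

Because the argv is built from a fixed template and the address is the only variable part, the web server gains the ability to add table entries and nothing else, which is the least-privilege property the sudoers rule above lacks.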

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20121129193835.8896ea0d.steve>