From owner-freebsd-questions@FreeBSD.ORG Thu Nov 29 20:34:35 2012
Date: Thu, 29 Nov 2012 19:38:35 +0000
From: Steve O'Hara-Smith
To: Devin Teske
Cc: Eugen Konkov, Devin Teske, FreeBSD Questions
Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-Id: <20121129193835.8896ea0d.steve@sohara.org>
References: <8310543741.20121129054846@yandex.ru>
X-Mailer: Sylpheed 3.1.0 (GTK+ 2.24.0; i386-apple-darwin10.6.0)
List-Id: User questions

On Wed, 28 Nov 2012 20:09:03 -0800
Devin Teske wrote:

> 
> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
> 
> > Hi.
> > 
> > How to allow httpd to run this command 'ipfw table 7 add ... '?
> > 
> 
> imho the most secure way is to add an entry to sudoers(5) (you can use visudo

	This is not very secure for this purpose - see below.

> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www?
> we use apache here -- check your httpd.conf for "User") to execute that
> specific command without a password. The entry might look something like
> this:
> 
> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
> 
> That will allow the apache user to do things like:
> 
> sudo ipfw table 7 add …

	The only problem with this is it will allow apache to do anything
with ipfw including flushing all of the rules. I would suggest having apache
dump the parameters of the command to be run into a queue of some kind
(named pipe perhaps or a file-based queue if it's important to survive
shutdowns) and have a process reading the queue, sanity checking the
parameters and then executing the appropriate command.

-- 
Steve O'Hara-Smith
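The queue-reader design Steve proposes, as an added shell example written for this edit (it is not code from the thread or from FreeBSD). It assumes httpd appends one request per line in the form `<table> <ipv4>` to a FIFO, that the FIFO path `/var/run/ipfw-queue` and the variable names are choices made for the example, and that only table 7 may ever be touched; everything else (other tables, other ipfw verbs, extra words, malformed addresses) is rejected before anything runs.

```sh
#!/bin/sh
# Privileged consumer for the httpd -> ipfw request queue (example code).
# Runs as root; httpd only needs write access to the FIFO, e.g.
#   mkfifo -m 620 /var/run/ipfw-queue && chown root:www /var/run/ipfw-queue
# Each line is split into argv words and passed to ipfw directly, never
# through a shell, so the request text cannot smuggle in another command.
set -f                              # no pathname expansion of request words

: "${IPFW_BIN:=/sbin/ipfw}"         # set IPFW_BIN=echo for a dry run
: "${ALLOWED_TABLE:=7}"             # the only table the web app may change
: "${QUEUE:=/var/run/ipfw-queue}"   # FIFO path assumed for this example

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, stray dots
    esac
    set -- $(IFS=.; echo $1)                    # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# handle_request LINE: accept exactly "<ALLOWED_TABLE> <ipv4>", then run
# "ipfw table N add ADDR". Returns non-zero, running nothing, otherwise.
handle_request() {
    set -- $1                                   # whitespace split only
    [ $# -eq 2 ] || return 1                    # no extra words allowed
    [ "$1" = "$ALLOWED_TABLE" ] || return 1     # pin the table, not just 'add'
    valid_ipv4 "$2" || return 1
    "$IPFW_BIN" table "$1" add "$2"             # argv, never a shell string
}

# consume_queue: block on the FIFO and process requests one per line,
# logging (not executing) anything that fails validation.
consume_queue() {
    while IFS= read -r line; do
        handle_request "$line" || echo "rejected request: $line" >&2
    done < "$QUEUE"
}

if [ "${1:-}" = "--run" ]; then consume_queue; fi
```

Run it as `sh ipfw-queue.sh --run` from an rc script or a supervisor so the FIFO is always being read; `IPFW_BIN=echo` prints the exact command that would be executed without touching the firewall.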