From: Eugen Konkov <kes-kes@yandex.ru>
Date: Thu, 29 Nov 2012 23:03:08 +0200
To: Steve O'Hara-Smith
Cc: Devin Teske, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re[2]: How to allow httpd to run 'ipfw table 7 add ... '
Message-ID: <312952428.20121129230308@yandex.ru>
In-Reply-To: <20121129193835.8896ea0d.steve@sohara.org>
References: <8310543741.20121129054846@yandex.ru> <20121129193835.8896ea0d.steve@sohara.org>
List-Id: User questions <freebsd-questions@freebsd.org>

Hello, Steve. You wrote on 29 November 2012 at 21:38:35:

SOHS> On Wed, 28 Nov 2012 20:09:03 -0800
SOHS> Devin Teske wrote:
>>
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>
>> > Hi.
>> >
>> > How to allow httpd to run this command 'ipfw table 7 add ... '?
>> >
>>
>> imho the most secure way is to add an entry to sudoers(5) (you can use visudo

SOHS> This is not very secure for this purpose - see below.

>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www?
>> we use apache here -- check your httpd.conf for "User") to execute that
>> specific command without a password. The entry might look something like this:
>>
>> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
>>
>> That will allow the apache user to do things like:
>>
>> sudo ipfw table 7 add …

SOHS> The only problem with this is it will allow apache to
SOHS> do anything with ipfw including flush all of the rules. I would
SOHS> suggest having apache dumping the parameters of the command to
SOHS> be run into a queue of some kind (named pipe perhaps or a file
SOHS> based queue if it's important to survive shutdowns) and have a
SOHS> process reading the queue, sanity checking the parameters and
SOHS> then executing the appropriate command.

Maybe:

apache host=(root) NOPASSWD: /my/script/add_table.pl
apache host=(root) NOPASSWD: /my/script/del_table.pl

This will restrict apache to running only the add/del table tasks. What do you think?
--
Best regards,
Eugen mailto:kes-kes@yandex.ru
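The thread's two positions (a sudoers entry for /sbin/ipfw gives the httpd user the whole of ipfw, including flush; a wrapper or queue consumer must sanity-check the parameters before anything reaches ipfw) can be combined in one small privileged wrapper. The script below is an added example written for this page, not code from the thread or from FreeBSD; the install path /usr/local/sbin/ipfw_table_add and the sudoers line in its header are assumptions, the table number 7 and the httpd user name www come from the thread. It accepts exactly one argument, allows only a dotted-quad IPv4 address with an optional /prefix, and then runs a single, fixed ipfw command. A sudoers entry that names a command without arguments still lets the caller pass any arguments, which is why every byte of the argument is checked here rather than in sudoers.

```shell
#!/bin/sh
# Added example, not from the thread: a wrapper that lets the httpd user add
# one entry to ONE ipfw table and nothing else. Install it (assumed path) as
# /usr/local/sbin/ipfw_table_add, owned by root and mode 0755, and grant it
# in sudoers(5) via visudo(8):
#
#   www ALL=(root) NOPASSWD: /usr/local/sbin/ipfw_table_add
#
# httpd then runs: sudo /usr/local/sbin/ipfw_table_add 192.0.2.10

PATH=/sbin:/bin:/usr/sbin:/usr/bin
TABLE=7                 # the only table this wrapper will ever touch
IPFW=/sbin/ipfw         # hardcoded on purpose: never take the binary from the environment

# is_ipv4_entry ADDR
# Returns 0 only for a.b.c.d or a.b.c.d/n with each octet 0-255, no leading
# zeros, and 0 <= n <= 32. Runs in a subshell so IFS, $@ and set -f stay local.
is_ipv4_entry() (
    set -f                                   # no pathname expansion on caller-supplied input
    addr=$1
    # Whole-string allowlist first: anything but digits, dots and at most one slash is out.
    case $addr in
        ''|*[!0-9./]*|*/*/*) return 1 ;;
    esac
    case $addr in
        */*) ip=${addr%/*}; prefix=${addr##*/} ;;
        *)   ip=$addr;      prefix=32 ;;
    esac
    case $prefix in
        ''|*[!0-9]*|???*) return 1 ;;        # "1.2.3.4/", "1.2.3.4/2.4", or 3+ digits
    esac
    [ "$prefix" -le 32 ] || return 1
    IFS=.
    set -- $ip                               # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*|????*|0?*) return 1 ;;   # empty, non-digit, 4+ digits, leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# ipfw_table_add ADDR
# Validates ADDR and runs exactly one command: ipfw table $TABLE add ADDR.
# Exit codes follow sysexits(3): 64 usage error, 65 bad input.
ipfw_table_add() {
    if [ $# -ne 1 ]; then
        echo "usage: ipfw_table_add addr[/prefix]" >&2
        return 64
    fi
    if ! is_ipv4_entry "$1"; then
        echo "ipfw_table_add: rejected argument: $1" >&2
        return 65
    fi
    "$IPFW" table "$TABLE" add "$1"
}

# Act as a command only when invoked under the installed name.
case ${0##*/} in
    ipfw_table_add) ipfw_table_add "$@"; exit $? ;;
esac
```

A matching delete wrapper is the same script with `add` replaced by `delete`; keeping add and delete in separate scripts, each listed on its own sudoers line, is what the reply above proposes and it means neither script ever needs a verb argument from httpd. If the queue approach from the earlier reply is preferred, the consumer process can call is_ipv4_entry on each queued line before running ipfw, and httpd then needs no sudo at all.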