Date: Thu, 29 Nov 2012 13:12:18 -0800
From: Devin Teske <devin.teske@fisglobal.com>
To: "Steve O'Hara-Smith" <steve@sohara.org>
Cc: Eugen Konkov <kes-kes@yandex.ru>, Devin Teske <dteske@freebsd.org>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: How to allow httpd to run 'ipfw table 7 add ... '
Message-ID: <FB3AE5A0-117A-4C42-A159-4677B982E176@fisglobal.com>
In-Reply-To: <20121129193835.8896ea0d.steve@sohara.org>
References: <8310543741.20121129054846@yandex.ru> <BA4D4ADD-3E5A-4719-B3B0-1D90B7E7CCAA@fisglobal.com> <20121129193835.8896ea0d.steve@sohara.org>

On Nov 29, 2012, at 11:38 AM, Steve O'Hara-Smith wrote:

> On Wed, 28 Nov 2012 20:09:03 -0800
> Devin Teske <devin.teske@fisglobal.com> wrote:
>
>>
>> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote:
>>
>>> Hi.
>>>
>>> How to allow httpd to run this command 'ipfw table 7 add ... '?
>>>
>>
>> imho the most secure way is to add an entry to sudoers(5) (you can use visudo
>
> This is not very secure for this purpose - see below.
>
>> (8) to edit sudoers(5)) allowing the apache privilege-separation user (www? we use apache here -- check your httpd.conf for "User") to execute that specific command without a password. The entry might look something like this:
>>
>> apache ALL=(ALL) NOPASSWD: /sbin/ipfw
>>
>> That will allow the apache user to do things like:
>>
>> sudo ipfw table 7 add …
>
> The only problem with this is it will allow apache to do anything with ipfw including flush all of the rules. I would suggest having apache dumping the parameters of the command to be run into a queue of some kind (named pipe perhaps or a file based queue if it's important to survive shutdowns) and have a process reading the queue, sanity checking the parameters and then executing the appropriate command.
>

So create a wrapper and only allow access to the wrapper.

Alternatively, you could research FoxT (previously known as BoKS), which allows you to not only lock down which commands can be executed but which arguments are passable.

That being said, I think a wrapper is the simpler approach.

It might look something like this:

=== FILE: apache_ipfw.sh ===
#!/bin/sh
# args sent direct to ipfw, so we must check args
case "$1" in
table) : fall thru ;;
*) exit 1
esac
sudo ipfw "$@"
=== END FILE ===

-- 
Devin
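
A stricter form of the wrapper idea discussed in this thread, as an added example that is not part of the original message or anyone's posted code: it checks every argument, not only the first, so only `table 7 add <IPv4[/mask]>` reaches ipfw. The install path, the sudoers line and the function names are assumptions; the wrapper is meant to be the only thing sudoers grants, so it calls ipfw directly instead of going through sudo again.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed install path (hypothetical):
#   /usr/local/sbin/apache_ipfw.sh, owned by root, not writable by apache
# sudoers grants the wrapper instead of ipfw (user "apache" as in the thread):
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/apache_ipfw.sh
IPFW=${IPFW:-/sbin/ipfw}   # overridable so the demo can run without ipfw
ALLOWED_TABLE=7

# Return 0 only for a dotted-quad IPv4 address with an optional /0-32 mask.
valid_ipv4() {
    addr=${1%%/*}
    case "$1" in */*) mask=${1#*/} ;; *) mask=32 ;; esac
    case "$mask" in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    rest="$addr." count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        # Reject empty fields, leading zeros (octal ambiguity) and >3 digits.
        case "$octet" in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Run ipfw only for the exact form: table 7 add <IPv4[/mask]>.
apache_ipfw() {
    [ "$#" -eq 4 ] || return 1
    [ "$1" = table ] && [ "$2" = "$ALLOWED_TABLE" ] && [ "$3" = add ] || return 1
    valid_ipv4 "$4" || return 1
    "$IPFW" table "$ALLOWED_TABLE" add "$4"
}

# Demo on constructed argument lists, run in a subshell with ipfw replaced
# by echo; $args is left unquoted on purpose so it splits into words.
demo() (
    IPFW=echo
    for args in "table 7 add 192.0.2.10" "table 7 add 198.51.100.0/24" \
                "table 7 flush" "table 8 add 192.0.2.10" "flush" \
                "table 7 add 192.0.2.10;id" "table 7 add 999.1.1.1"; do
        if out=$(apache_ipfw $args); then
            echo "ACCEPT: ipfw $out"
        else
            echo "REJECT: $args"
        fi
    done
)
demo   # an installed wrapper would end with: apache_ipfw "$@"
```

The same validation function fits the queue design suggested in the thread: the privileged reader would pass each queued request through `apache_ipfw` before anything is executed.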
