From owner-freebsd-questions@FreeBSD.ORG Thu Nov 29 21:12:22 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C13D4F19; Thu, 29 Nov 2012 21:12:22 +0000 (UTC) (envelope-from Devin.Teske@fisglobal.com) Received: from mx1.fisglobal.com (mx1.fisglobal.com [199.200.24.190]) by mx1.freebsd.org (Postfix) with ESMTP id 5DBBE8FC13; Thu, 29 Nov 2012 21:12:22 +0000 (UTC) Received: from smtp.fisglobal.com ([10.132.206.16]) by ltcfislmsgpa04.fnfis.com (8.14.5/8.14.5) with ESMTP id qATLCLd1007770 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 29 Nov 2012 15:12:21 -0600 Received: from [10.0.0.100] (10.14.152.61) by smtp.fisglobal.com (10.132.206.16) with Microsoft SMTP Server (TLS) id 14.2.309.2; Thu, 29 Nov 2012 15:12:19 -0600 Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' MIME-Version: 1.0 (Apple Message framework v1283) From: Devin Teske In-Reply-To: <20121129193835.8896ea0d.steve@sohara.org> Date: Thu, 29 Nov 2012 13:12:18 -0800 Message-ID: References: <8310543741.20121129054846@yandex.ru> <20121129193835.8896ea0d.steve@sohara.org> To: "Steve O'Hara-Smith" X-Mailer: Apple Mail (2.1283) X-Originating-IP: [10.14.152.61] X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.9.8185, 1.0.431, 0.0.0000 definitions=2012-11-29_05:2012-11-29,2012-11-29,1970-01-01 signatures=0 Content-Type: text/plain; charset="windows-1252" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: Eugen Konkov , Devin Teske , FreeBSD Questions X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: Devin Teske List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Nov 2012 21:12:22 -0000 On Nov 29, 2012, at 11:38 AM, Steve O'Hara-Smith wrote: > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 So create a wrapper and only allow access to the wrapper. Alternatively, you could research FoxT (previously known as BoKS), which al= lows you to not only lock down which commands can be executed by which argu= ments are passable. That being said, I think a wrapper is the simpler approach. It might look s= omething like this: =3D=3D=3D FILE: apache_ipfw.sh =3D=3D=3D #!/bin/sh # args sent direct to ipfw, so we must check args case "$1" in table) : fall thru ;; *) exit 1 esac sudo ipfw "$@" =3D=3D=3D END FILE =3D=3D=3D --=20 Devin > From: Steve O'Hara-Smith > Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' > Date: November 28, 2012 11:37:49 PM PST > To: Devin Teske > Cc: Devin Teske , Eugen Konkov , FreeBSD Questions >=20 >=20 > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 > --=20 > Steve O'Hara-Smith >=20 >=20 >=20 > From: Steve O'Hara-Smith > Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' > Date: November 29, 2012 11:33:28 AM PST > To: Devin Teske > Cc: Devin Teske , Eugen Konkov , FreeBSD Questions >=20 >=20 > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 > --=20 > Steve O'Hara-Smith >=20 > From: Steve O'Hara-Smith > Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' > Date: November 28, 2012 11:37:49 PM PST > To: Devin Teske > Cc: Devin Teske , Eugen Konkov , FreeBSD Questions >=20 >=20 > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 > --=20 > Steve O'Hara-Smith >=20 >=20 >=20 >=20 >=20 > From: Steve O'Hara-Smith > Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' > Date: November 29, 2012 11:36:09 AM PST > To: Devin Teske > Cc: Devin Teske , Eugen Konkov , FreeBSD Questions >=20 >=20 > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 > --=20 > Steve O'Hara-Smith >=20 > From: Steve O'Hara-Smith > Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' > Date: November 28, 2012 11:37:49 PM PST > To: Devin Teske > Cc: Devin Teske , Eugen Konkov , FreeBSD Questions >=20 >=20 > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 > --=20 > Steve O'Hara-Smith >=20 >=20 >=20 > From: Steve O'Hara-Smith > Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' > Date: November 29, 2012 11:33:28 AM PST > To: Devin Teske > Cc: Devin Teske , Eugen Konkov , FreeBSD Questions >=20 >=20 > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 > --=20 > Steve O'Hara-Smith >=20 > From: Steve O'Hara-Smith > Subject: Re: How to allow httpd to run 'ipfw table 7 add ... ' > Date: November 28, 2012 11:37:49 PM PST > To: Devin Teske > Cc: Devin Teske , Eugen Konkov , FreeBSD Questions >=20 >=20 > On Wed, 28 Nov 2012 20:09:03 -0800 > Devin Teske wrote: >=20 >>=20 >> On Nov 28, 2012, at 7:48 PM, Eugen Konkov wrote: >>=20 >>> Hi. >>>=20 >>> How to allow httpd to run this command 'ipfw table 7 add ... '? >>>=20 >>=20 >> imho the most secure way is to add an entry to sudoers(5) (you can use v= isudo >=20 > This is not very secure for this purpose - see below. >=20 >> (8) to edit sudoers(5)) allowing the apache privilege-separation user (w= ww? we use apache here -- check your httpd.conf for "User") to execute that= specific command without a password. The entry might look something like t= his: >>=20 >> apache ALL=3D(ALL) NOPASSWD: /sbin/ipfw >>=20 >> That will allow the apache user to do things like: >>=20 >> sudo ipfw table 7 add =85 >=20 > The only problem with this is it will allow apache to do anything with i= pfw including flush all of the rules. I would suggest having apache dumping= the parameters of the command to be run into a queue of some kind (named p= ipe perhaps or a file based queue if it's important to survive shutdowns) a= nd have a process reading the queue, sanity checking the parameters and the= n executing the appropriate command. >=20 > --=20 > Steve O'Hara-Smith >=20 >=20 >=20 >=20 >=20 >=20 _____________ The information contained in this message is proprietary and/or confidentia= l. If you are not the intended recipient, please: (i) delete the message an= d all copies; (ii) do not disclose, distribute or use the message in any ma= nner; and (iii) notify the sender immediately. In addition, please be aware= that any message addressed to our domain is subject to archiving and revie= w by persons other than the intended recipient. Thank you.