NetFilter

Re: ipset: how to run non-root

To: netfilter@lists.netfilter.org
Subject: Re: ipset: how to run non-root
From: Maximilian Wilhelm <max@rfc2324.org>
Date: Sun, 19 Nov 2006 01:15:41 +0100
Delivered-to: sp-com-lists@consult.net
Delivered-to: netfilter-list1@securepoint.com
In-reply-to: <455F8DE9.8060105@mailinator.com>
List-archive: </pipermail/netfilter>
List-help: <mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id: General discussion and user questions <netfilter.lists.netfilter.org>
List-post: <mailto:netfilter@lists.netfilter.org>
List-subscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
References: <455F8DE9.8060105@mailinator.com>
Sender: netfilter-bounces@lists.netfilter.org
User-agent: Mutt/1.5.9i
On Saturday, 18 November, Mike Wright typed the following:

Hi!

> I'm trying to use ipset from a php script on an apache server.

> ipset requires root user in order to execute, but the webserver is 
> running as apache.  suexec is not a possibility because it won't execute 
> programs with root permissions.  It is possible to have a cron job 
> perform the task but that introduces a time delay.

> I've tried changing ownership of ipset to apache:apache but that didn't 
> work.  Still received the "must be root" warning.

> I looked into the source of ipset.c but it seems like the socket() call 
> must be done as root, and I don't know how to hack around that.

> Does anybody know how I might accomplish this?

I have never used ipset, but you could use a generic trick:
 Set the owner of the ipset binary back to root and set the suid bit
 which will result in the ability for everyone who can execute the
 binary to do this "as root".

You might want to think about an execution restriction (e.g. via the group)
to prevent people who should not fiddle with ipset from doing so.

I hope you have some access control via your web application...

Ciao
Max
-- 
        Follow the white penguin.


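The setuid-with-group-restriction approach from the reply above, as an added example that is not part of the thread. It is POSIX sh, assumes a GNU/Linux `ls`, and uses a placeholder binary path and group name; it also includes an audit check for the state the reply warns about (a setuid binary that any local user can execute).

```sh
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Restrict a setuid binary to one group and audit the resulting mode.
# The binary path and group name used in the usage comment are assumptions.

# harden_suid_binary BINARY GROUP
# Makes BINARY root-owned, setuid, and executable only by root and members
# of GROUP (mode 4750, shown by ls as -rwsr-x---). Must itself run as root.
harden_suid_binary() {
    bin="$1"; grp="$2"
    chown "root:$grp" "$bin" || return 1
    chmod 4750 "$bin" || return 1
}

# perm_string FILE
# Prints the 10-character mode field from ls, e.g. -rwsr-x---
# (cut drops any trailing ACL/SELinux marker such as "+" or ".").
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# is_setuid FILE
# Returns 0 when the setuid bit is set (4th character is s or S).
is_setuid() {
    case "$(perm_string "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# setuid_is_world_executable FILE
# Returns 0 when FILE is setuid AND executable by "others" (10th character
# x or t): the risky state where every local user can act as root through it.
setuid_is_world_executable() {
    case "$(perm_string "$1")" in
        ???[sS]?????[xt]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Usage (as root; path and group are placeholders):
#   harden_suid_binary /usr/sbin/ipset ipsetadm
#   setuid_is_world_executable /usr/sbin/ipset && echo "still world-executable"
```

The audit functions are the part worth keeping in a periodic check: after the hardening step, `setuid_is_world_executable` should fail for the binary, and `is_setuid` should succeed only for the binaries you deliberately chose to expose this way.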