Re: ipset: how to run non-root


On Sun, 19 Nov 2006, Maximilian Wilhelm wrote:

On Saturday, 18 November, Mike Wright typed the following:

Hi!

I'm trying to use ipset from a php script on an apache server.

ipset requires root user in order to execute, but the webserver is
running as apache.  suexec is not a possibility because it won't execute
programs with root permissions.  It is possible to have a cron job
perform the task but that introduces a time delay.

I've tried changing ownership of ipset to apache:apache but that didn't
work.  Still received the "must be root" warning.

I looked into the source of ipset.c but it seems like the socket() call
must be done as root, and I don't know how to hack around that.

Does anybody know how I might accomplish this?

I never used ipset, but you could use a generic trick:
Set the owner of the ipset binary back to root and set the suid bit
which will result in the ability for everyone who can execute the
binary to do this "as root".

You might want to think about an execution restriction (e.g. via the group)
to prevent people who should not fiddle with ipset from doing so.

I hope you have some access control via your web application...


Better advice would be to leave the bits alone and think of perhaps allowing sudo access if really required, but it should be seriously considered from a security context.

Thanks,

Ron DuFresne
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
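A locked-down version of the sudo route Ron suggests, as an added example that is not part of the thread: rather than making ipset setuid or granting the web server sudo on the whole binary, grant sudo only on a root-owned wrapper that validates its single argument and adds it to one fixed set. The install path, set name, sudoers line and PHP call are assumptions; the `ipset add` subcommand syntax is the current one, not the 2006 one.

```shell
#!/bin/sh
# Added example, not from the thread: a root-owned wrapper the web server
# may run via sudo to add ONE IPv4 address to ONE fixed ipset.
#
# Assumed deployment (hypothetical paths and names):
#   install -o root -g root -m 0755 ipset-add.sh /usr/local/sbin/ipset-add
#   sudoers (edit with visudo):
#       apache ALL=(root) NOPASSWD: /usr/local/sbin/ipset-add
#   PHP side:
#       exec('sudo /usr/local/sbin/ipset-add ' . escapeshellarg($ip));
# The set name is fixed here, so the caller cannot pick which set to modify.

SET_NAME="web_blocklist"   # hypothetical set created by root beforehand

# Accept only a plain dotted-quad IPv4 address, every octet in 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;   # reject junk early
    esac
    (   # subshell so the IFS change does not leak to the caller
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            [ "$o" -le 255 ] || exit 1
        done
    )
}

# Validate, then hand the single checked argument to ipset.
add_address() {
    ip=$1
    valid_ipv4 "$ip" || { echo "ipset-add: invalid address" >&2; return 2; }
    # 'add' is the current ipset subcommand (assumption; older releases
    # used -A). -exist makes a repeated add idempotent.
    ipset add "$SET_NAME" "$ip" -exist
}

# Only act when invoked as the installed wrapper, so the functions above
# can also be sourced for testing.
case "$0" in
    */ipset-add|ipset-add|*/ipset-add.sh|ipset-add.sh)
        [ $# -eq 1 ] || { echo "usage: ipset-add <ipv4>" >&2; exit 2; }
        add_address "$1"
        ;;
esac
```

Because sudo runs only this fixed path and the wrapper refuses anything that is not a bare IPv4 address, the web application can block an address immediately without gaining a general root-level ipset (or shell) capability.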

