ipset: how to run non-root

Maximilian Wilhelm max at rfc2324.org
Sun Nov 19 01:15:41 CET 2006

Am Samstag, den 18 November hub Mike Wright folgendes in die Tasten:


> I'm trying to use ipset from a php script on an apache server.

> ipset requires root user in order to execute, but the webserver is 
> running as apache.  suexec is not a possibility because it won't execute 
> programs with root permissions.  It is possible to have a cron job 
> perform the task but that introduces a time delay.

> I've tried changing ownership of ipset to apache:apache but that didn't 
> work.  Still received the "must be root" warning.

> I looked into the source of ipset.c but it seems like the socket() call 
> must be done as root, and I don't know how to hack around that.

> Does anybody know how I might accomplish this?

I never used ipset, but you could use a generic trick:
 Set the owner of the ipset binary back to root and set the suid bit
 which will result in the ability for everyone who can execute the
 binary to do this "as root".

You might want to think about an execution restriction (e.g. via the group)
to prevent people who should no fiddle with ipset from doing so.

I hope you have some access control via your web application...

	Follow the white penguin.

More information about the netfilter mailing list