ipset: how to run non-root

R. DuFresne dufresne at sysinfo.com
Mon Nov 20 20:52:22 CET 2006



On Sun, 19 Nov 2006, Maximilian Wilhelm wrote:

> On Saturday, 18 November, Mike Wright typed the following:
>
> Hi!
>
>> I'm trying to use ipset from a php script on an apache server.
>
>> ipset requires root user in order to execute, but the webserver is
>> running as apache.  suexec is not a possibility because it won't execute
>> programs with root permissions.  It is possible to have a cron job
>> perform the task but that introduces a time delay.
>
>> I've tried changing ownership of ipset to apache:apache but that didn't
>> work.  Still received the "must be root" warning.
>
>> I looked into the source of ipset.c but it seems like the socket() call
>> must be done as root, and I don't know how to hack around that.
>
>> Does anybody know how I might accomplish this?
>
> I never used ipset, but you could use a generic trick:
> Set the owner of the ipset binary back to root and set the suid bit
> which will result in the ability for everyone who can execute the
> binary to do this "as root".
>
> You might want to think about an execution restriction (e.g. via the group)
> to prevent people who should not fiddle with ipset from doing so.
>
> I hope you have some access control via your web application...
>

Better advice would be to leave the bits alone and think of perhaps
allowing sudo access if really required, but it should be seriously
considered from a security context.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
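Ron's suggestion of sudo rather than the suid bit, carried through as an added example that is not code from this thread or from the ipset project: instead of granting the apache user `sudo /sbin/ipset` with arbitrary arguments (which would let the web application alter any set on the box), the sudoers rule names a small root-owned wrapper that accepts exactly one pre-approved set name and one validated IPv4 address. The set name `webblock`, the wrapper path `/usr/local/sbin/ipset-add-web`, the ipset path and the sudoers line are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a root-only wrapper that lets the web
# server add one IPv4 address to one pre-approved set, so the sudoers rule
# names this script rather than the whole ipset binary. Assumed sudoers entry
# (via visudo):  apache ALL=(root) NOPASSWD: /usr/local/sbin/ipset-add-web
# Set name, wrapper path and ipset path are assumptions. Install root-owned,
# mode 0755, so the apache user cannot edit what runs as root.

ALLOWED_SET="webblock"                    # assumed: the only set the app may touch
IPSET_BIN="${IPSET_BIN:-/sbin/ipset}"     # assumed path; overridable for testing

# Return 0 if $1 is a plain dotted-quad IPv4 address: digits and exactly three
# dots, no empty octets, no leading zeros, each octet 0-255. No CIDR suffix.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;   # bad chars, empty/extra fields
        *.*.*.*) ;;                                      # exactly three dots
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        case "$octet" in 0[0-9]*) IFS=$old_ifs; return 1 ;; esac
        if [ "${#octet}" -gt 3 ] || [ "$octet" -gt 255 ]; then
            IFS=$old_ifs; return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# Return 0 only for the single set name the web application is allowed to use.
is_allowed_set() {
    [ "$1" = "$ALLOWED_SET" ]
}

# Validate both arguments first; only then hand them to ipset. Distinct exit
# codes let the caller tell a refused request from an ipset failure.
add_to_set() {
    is_allowed_set "$1" || { echo "refused: set '$1'" >&2; return 2; }
    is_ipv4 "$2"        || { echo "refused: address '$2'" >&2; return 3; }
    "$IPSET_BIN" -A "$1" "$2"      # -A: add an entry (ipset accepts -A for "add")
}

# Entry point when invoked through sudo: exactly two arguments, nothing else.
case "$#" in
    2) add_to_set "$1" "$2"; exit $? ;;
    0) ;;   # sourced or run without arguments: functions defined, nothing done
    *) echo "usage: $0 SET ADDRESS" >&2; exit 64 ;;
esac
```

The PHP side then runs `sudo /usr/local/sbin/ipset-add-web webblock <address>` and checks the exit status; everything else the web server might pass is refused before ipset is ever executed.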



More information about the netfilter mailing list