ipset: how to run non-root

R. DuFresne dufresne at sysinfo.com
Mon Nov 20 20:52:22 CET 2006

Hash: SHA1

On Sun, 19 Nov 2006, Maximilian Wilhelm wrote:

> Am Samstag, den 18 November hub Mike Wright folgendes in die Tasten:
> Hi!
>> I'm trying to use ipset from a php script on an apache server.
>> ipset requires root user in order to execute, but the webserver is
>> running as apache.  suexec is not a possibility because it won't execute
>> programs with root permissions.  It is possible to have a cron job
>> perform the task but that introduces a time delay.
>> I've tried changing ownership of ipset to apache:apache but that didn't
>> work.  Still received the "must be root" warning.
>> I looked into the source of ipset.c but it seems like the socket() call
>> must be done as root, and I don't know how to hack around that.
>> Does anybody know how I might accomplish this?
> I never used ipset, but you could use a generic trick:
> Set the owner of the ipset binary back to root and set the suid bit
> which will result in the ability for everyone who can execute the
> binary to do this "as root".
> You might want to think about an execution restriction (e.g. via the group)
> to prevent people who should no fiddle with ipset from doing so.
> I hope you have some access control via your web application...

better advice would be to leave the bits alone and think of perhaps 
allowing sudo access if really required, but it should be seriously 
considered from a security context.


Ron DuFresne
- -- 
         admin & senior security consultant:  sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
Version: GnuPG v1.4.5 (GNU/Linux)


More information about the netfilter mailing list