Thread: ipset: how to run non-root




ipset: how to run non-root
2006-11-18 22:49:13
Hi all,

I'm trying to use ipset from a php script on an apache server.

ipset requires root user in order to execute, but the webserver is
running as apache.  suexec is not a possibility because it won't execute
programs with root permissions.  It is possible to have a cron job
perform the task but that introduces a time delay.

I've tried changing ownership of ipset to apache:apache but that didn't
work.  Still received the "must be root" warning.

I looked into the source of ipset.c but it seems like the socket() call
must be done as root, and I don't know how to hack around that.

Does anybody know how I might accomplish this?

Thanks,
Mike Wright

ipset: how to run non-root
2006-11-19 00:15:41
On Saturday, 18 November, Mike Wright typed the following:

Hi!

> I'm trying to use ipset from a php script on an apache server.

> ipset requires root user in order to execute, but the webserver is
> running as apache.  suexec is not a possibility because it won't execute
> programs with root permissions.  It is possible to have a cron job
> perform the task but that introduces a time delay.

> I've tried changing ownership of ipset to apache:apache but that didn't
> work.  Still received the "must be root" warning.

> I looked into the source of ipset.c but it seems like the socket() call
> must be done as root, and I don't know how to hack around that.

> Does anybody know how I might accomplish this?

I never used ipset, but you could use a generic trick:
 Set the owner of the ipset binary back to root and set the suid bit
 which will result in the ability for everyone who can execute the
 binary to do this "as root".

You might want to think about an execution restriction (e.g. via the group)
to prevent people who should not fiddle with ipset from doing so.

I hope you have some access control via your web application...

Ciao
Max
-- 
	Follow the white penguin.

ipset: how to run non-root
2006-11-19 01:23:14
Maximilian Wilhelm wrote:
> On Saturday, 18 November, Mike Wright typed the following:
>>
>> I'm trying to use ipset from a php script on an apache server.
>
>> Does anybody know how I might accomplish this?
>
>
> I never used ipset, but you could use a generic trick:
>  Set the owner of the ipset binary back to root and set the suid bit
>  which will result in the ability for everyone who can execute the
>  binary to do this "as root".
>
Excellent!  Worked out of the box with no problems.

> You might want to think about an execution restriction (e.g. via the group)
> to prevent people who should not fiddle with ipset from doing so.
>
Done!  As a paranoid I really like that advice.

> I hope you have some access control via your web application...
>
https, ip, user

Danke,
:m)


ipset: how to run non-root
2006-11-19 07:01:54
You can also try sudo

On 11/19/06, Mike Wright <xktnniuymllamailinator.com> wrote:
> Maximilian Wilhelm wrote:
> > On Saturday, 18 November, Mike Wright typed the following:
> >>
> >> I'm trying to use ipset from a php script on an apache server.
> >
> >> Does anybody know how I might accomplish this?
> >
> >
> > I never used ipset, but you could use a generic trick:
> >  Set the owner of the ipset binary back to root and set the suid bit
> >  which will result in the ability for everyone who can execute the
> >  binary to do this "as root".
> >
> Excellent!  Worked out of the box with no problems.
>
> > You might want to think about an execution restriction (e.g. via the group)
> > to prevent people who should not fiddle with ipset from doing so.
> >
> Done!  As a paranoid I really like that advice.
>
> > I hope you have some access control via your web application...
> >
> https, ip, user
>
> Danke,
> :m)

ipset: how to run non-root
2006-11-20 19:52:22
On Sun, 19 Nov 2006, Maximilian Wilhelm wrote:

> On Saturday, 18 November, Mike Wright typed the following:
>
> Hi!
>
>> I'm trying to use ipset from a php script on an apache server.
>
>> ipset requires root user in order to execute, but the webserver is
>> running as apache.  suexec is not a possibility because it won't execute
>> programs with root permissions.  It is possible to have a cron job
>> perform the task but that introduces a time delay.
>
>> I've tried changing ownership of ipset to apache:apache but that didn't
>> work.  Still received the "must be root" warning.
>
>> I looked into the source of ipset.c but it seems like the socket() call
>> must be done as root, and I don't know how to hack around that.
>
>> Does anybody know how I might accomplish this?
>
> I never used ipset, but you could use a generic trick:
> Set the owner of the ipset binary back to root and set the suid bit
> which will result in the ability for everyone who can execute the
> binary to do this "as root".
>
> You might want to think about an execution restriction (e.g. via the group)
> to prevent people who should not fiddle with ipset from doing so.
>
> I hope you have some access control via your web application...
>

Better advice would be to leave the bits alone and think of perhaps
allowing sudo access if really required, but it should be seriously
considered from a security context.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
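
Added example (not part of any post in this thread, and not code from the ipset project): one way to set up the sudo route suggested above, so that the web server can add a single validated IPv4 address to one fixed set and nothing else. The wrapper path, the set name "blocklist", the ipset location and the sudoers line are assumptions for illustration.

```sh
#!/bin/sh
# /usr/local/sbin/ipset-block  (assumed path; owner root:root, mode 0755)
#
# Assumed sudoers entry, edited with visudo. It names only this wrapper,
# so the apache user never gets to run ipset with arbitrary arguments:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/ipset-block
#
# The web application would then call:
#   sudo -n /usr/local/sbin/ipset-block 203.0.113.7

IPSET=/usr/sbin/ipset      # assumed location of the unmodified ipset binary
SET_NAME=blocklist         # assumed set name, fixed here and not caller-chosen

# Succeeds only for a strict dotted-quad IPv4 address.
valid_ipv4() {
    ip=$1
    # Digits and dots only; rejects empty input, spaces, dashes, newlines
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip             # split on dots into this function's own $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;   # no leading zeros
            *) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Entry point: exactly one argument, and it must pass validation.
if [ "$#" -gt 0 ]; then
    if [ "$#" -ne 1 ] || ! valid_ipv4 "$1"; then
        echo "usage: ipset-block <ipv4-address>" >&2
        exit 64
    fi
    # Audit trail: sudo sets SUDO_USER to the invoking account
    logger -t ipset-block "add $1 to $SET_NAME by ${SUDO_USER:-unknown}"
    exec "$IPSET" add "$SET_NAME" "$1"
fi
```

The ipset binary keeps its normal ownership and mode; only the wrapper runs as root, and only with an argument it has checked itself.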
