linux.debian.user debian-user@lists.debian.org
#1
Hi List,

I am creating a small PHP program that will interact with MySQL and will hold the policies for the people in my office, i.e.:
Who can or can not access MSN messenger
Who can or can not access WWW

etc. Once this is stored, a shell script with the iptables rules should be created, and then run.

I do not want to run it with Apache, so I was thinking of creating a CRON job that will run it as root once every n minutes, but the issue I see here is that if somebody "breaks" my Apache security he will be able to create any script he likes and my CRON will run it, killing my server security.

Any better ideas about how I can achieve my goal?

Thanks in advance.

Best regards.

--
Guillermo Garron
"Linux IS user friendly... It's just selective about who its friends are."
(Using F7, CentOS5, Ubuntu 7.40, Debian Etch and Mandriva 2007 Spring)
http://www.go2linux.org
#2
On 07/26/2007 10:18 AM, Guillermo Garron wrote:
> Hi List,
>
> I am creating a small PHP program that will interact with MySQL and
> will hold the policies for the people in my office, i.e.:
> Who can or can not access MSN messenger
> Who can or can not access WWW
>
> etc. Once this is stored, a shell script with the iptables rules
> should be created, and then run.
>
> I do not want to run it with Apache, so I was thinking of creating a
> CRON job that will run it as root once every n minutes, but the issue
> I see here is that if somebody "breaks" my Apache security he will be
> able to create any script he likes and my CRON will run it, killing my
> server security.
>
> Any better ideas about how I can achieve my goal?
>
> Thanks in advance.
>
> Best regards.
>

It depends upon how simple the iptables rules are meant to be; however, you can let the web script write a list of port numbers to disk, and the cron job could take that list, validate it, and convert it to a list of iptables rules. The validation done by the cron job would be the key security effort.

HTH
#3
On Thu, Jul 26, 2007 at 11:18:43AM -0400, Guillermo Garron wrote:
> Hi List,
>
> I am creating a small PHP program that will interact with MySQL and
> will hold the policies for the people in my office, i.e.:
> Who can or can not access MSN messenger
> Who can or can not access WWW
>
> etc. Once this is stored, a shell script with the iptables rules
> should be created, and then run.
>
> I do not want to run it with Apache, so I was thinking of creating a
> CRON job that will run it as root once every n minutes, but the issue
> I see here is that if somebody "breaks" my Apache security he will be
> able to create any script he likes and my CRON will run it, killing my
> server security.
>
> Any better ideas about how I can achieve my goal?

I don't see how you could possibly create a publicly available interface to change something as fundamental as your firewall and have it _not_ be a security risk. Maybe you could create a user that only has permissions to run one script, and that one script is only allowed to change your firewall rules in specific ways, but even so I think you're asking for trouble.

And take that all with appropriate salt, as I am no security expert; it just seems kind of obvious to me...

A
#4
On Thu, Jul 26, 2007 at 11:18:43AM -0400, Guillermo Garron wrote:
> Hi List,
>
> I am creating a small PHP program that will interact with MySQL and
> will hold the policies for the people in my office, i.e.:
> Who can or can not access MSN messenger
> Who can or can not access WWW
>
> etc. Once this is stored, a shell script with the iptables rules
> should be created, and then run.
>
> I do not want to run it with Apache, so I was thinking of creating a
> CRON job that will run it as root once every n minutes, but the issue
> I see here is that if somebody "breaks" my Apache security he will be
> able to create any script he likes and my CRON will run it, killing my
> server security.
>
> Any better ideas about how I can achieve my goal?
>
> Thanks in advance.
>
> Best regards.
>

Make a user specifically for this job that can access /sbin/iptables through sudo, and make the script do just that: access iptables using sudo and this new account.

Then make sure the bash script is owned by the new account, and root's group, and chmod the script to r-xrwxr-- by doing:

chmod u+rx g+rwx o+r u-w o-wx /path/to/script

This *should* achieve what you are trying to do... It's a bit messy, but in the end it will pay off; the only way I can see this being abusable is if someone gets access to your root account.

--
http://digital-haze.net/~pobega/ - My Website

If programmers deserve to be rewarded for creating innovative programs, by the same token they deserve to be punished if they restrict the use of these programs. - Richard Stallman
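The cron-side validator suggested in #2, written so it can also be the single fixed script that the dedicated account of #4 is allowed to run. This is an added example, not code from anyone in the thread; the policy file path, its `<ip> <tcp-port> <allow|deny>` line format and the `OFFICE_POLICY` chain name are assumptions. The web app only ever writes data to that file; nothing in it is executed, each field is whitelisted, and rules are printed only for lines that pass.

```shell
#!/bin/sh
# Added example (not from the thread): validate a web-written policy file and
# emit iptables commands for the valid lines only. Assumed line format:
#   <ipv4-address> <tcp-port> <allow|deny>       (# starts a comment line)
# The OFFICE_POLICY chain is assumed to be hooked once, by hand, with
#   iptables -I FORWARD -j OFFICE_POLICY
# so that every re-run can simply flush and refill it.

# valid_ipv4 IP: dotted quad with every octet in 0..255
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # split on '.' in a subshell so the caller's IFS is untouched
    (IFS=.; set -- $1; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done)
}

# valid_port N: plain decimal integer in 1..65535 (no sign, no extra chars)
valid_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules FILE: print one iptables command per valid line; report every
# rejected line on stderr. Returns 1 if anything was rejected, else 0.
gen_rules() {
    rejected=0
    echo 'iptables -N OFFICE_POLICY 2>/dev/null || iptables -F OFFICE_POLICY'
    while read -r ip port action extra; do
        case "$ip" in ''|'#'*) continue ;; esac        # blank line or comment
        # a fourth field means someone tried to smuggle extra text in
        if [ -n "$extra" ] || ! valid_ipv4 "$ip" || ! valid_port "$port"; then
            echo "rejected: $ip $port $action $extra" >&2
            rejected=$((rejected + 1)); continue
        fi
        case "$action" in
            allow) target=ACCEPT ;;
            deny)  target=DROP ;;
            *)     echo "rejected: $ip $port $action" >&2
                   rejected=$((rejected + 1)); continue ;;
        esac
        # only whitelisted, re-typed values reach the command line
        echo "iptables -A OFFICE_POLICY -s $ip -p tcp --dport $port -j $target"
    done < "$1"
    return $((rejected > 0))
}

# Stand-alone use from cron (as root): sh thisscript.sh /path/policy.txt | sh
if [ -n "${1:-}" ]; then gen_rules "$1"; fi
```

A line such as `10.0.0.7 80 allow; rm -rf /` is rejected because the shell splits it into a fourth field, and a bad address or port is rejected before it is ever interpolated into a command, so a compromised web app can at most change which whitelisted hosts and ports appear in the chain.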
#5
On 7/26/07, Michael Pobega <pobega@gmail.com> wrote:
> On Thu, Jul 26, 2007 at 11:18:43AM -0400, Guillermo Garron wrote:
> > Hi List,
> >
> > I am creating a small PHP program that will interact with MySQL and
> > will hold the policies for the people in my office, i.e.:
> > Who can or can not access MSN messenger
> > Who can or can not access WWW
> >
> > etc. Once this is stored, a shell script with the iptables rules
> > should be created, and then run.
> >
> > I do not want to run it with Apache, so I was thinking of creating a
> > CRON job that will run it as root once every n minutes, but the issue
> > I see here is that if somebody "breaks" my Apache security he will be
> > able to create any script he likes and my CRON will run it, killing my
> > server security.
> >
> > Any better ideas about how I can achieve my goal?
> >
> > Thanks in advance.
> >
> > Best regards.
> >
>
> Make a user specifically for this job that can access /sbin/iptables
> through sudo, and make the script do just that: access iptables using
> sudo and this new account.
>
> Then make sure the bash script is owned by the new account, and root's
> group, and chmod the script to r-xrwxr-- by doing:
>
> chmod u+rx g+rwx o+r u-w o-wx /path/to/script
>
> This *should* achieve what you are trying to do... It's a bit messy, but
> in the end it will pay off; the only way I can see this being abusable
> is if someone gets access to your root account.

Thank you all, I will take that into account; personally I like Michael's approach, thanks.

Answering Andrew: what I need is that only one person (the administrator of this network, not a Linux guy) has access to this webpage, using .htaccess or some other Apache security, but I want to add more security to this, and that is why I have posted here. Thanks, you all gave me a good point to start.

Best regards.

--
Guillermo Garron
"Linux IS user friendly... It's just selective about who its friends are."
(Using FC6, CentOS4.4 and Ubuntu 6.06)
http://feeds.feedburner.com/go2linux
http://www.go2linux.org