Comments on Useful Things: How to become a Unix Administrator (blog by Neil)

Comment by David Figuera, 2008-04-15T07:26:00-06:00

Hi Neil.

Haven't thought about that solution, however I think it's not going to work because ipa expects to talk with the firewall at a lower level.

ipa[19460]: MOD ipa_ipfw: kipfw_init: socket(AF_INET, SOCK_RAW, IPPROTO_RAW): Operation not permitted

For now I run ipa as root, and if this program is well designed, it shouldn't be a problem.

As for collecting stats, I have created a user to manage this and it works.

$ ipastat -q -r prueba1
Rule : prueba1
Info : Outgoing HTTP traffic

From : 2008.04.01/00:00:00
To : 2008.04.30/24:00:00

Timestamp                    | Counter              | Per day
-----------------------------+----------------------+---------------------
2008.04.12/23:45:18-23:49:18 | 0                    |
2008.04.12/23:52:37-23:52:46 | 0                    |
2008.04.12/23:53:30-23:54:54 | 0                    |
2008.04.12/23:56:54-24:00:00 | 0                    | 0
2008.04.13/00:00:00-03:20:07 | 42230                | 42230
2008.04.14/01:44:33-01:45:28 | 0                    |
2008.04.14/01:46:34-01:47:20 | 0                    |
2008.04.14/01:47:30-24:00:00 | 25315984             | 25315984
2008.04.15/00:00:00-14:40:00 | 60671601             | 60671601
-----------------------------+----------------------+---------------------

 * Summary 86029815 (4 days)

 * Total 86029815 (4 days)

The weird thing is that it is assumed that you can start ipa as root and it drops privileges with the -u argument.

Comment by Neil, 2008-04-14T21:27:00-06:00

IPA is new to me, and I can't speak to its particulars, but you are correct: IPFW does not allow users to modify rules, and doing so without understanding all the ramifications of what you are doing could open the door wide to those with malicious intent.

If all you needed to do was run ipfw show as a specific user, you could utilize sudo, and add something like this to your sudoers file:
someuser ALL=NOPASSWD: /sbin/ipfw show

Then from the command line that user could run sudo ipfw show and see all rules, but couldn't do anything else with ipfw. Normally I wouldn't recommend the NOPASSWD flag, as prompting for a password is a good security measure, but if this is going to be called from inside of an application the NOPASSWD flag would be prudent.

You can also solve this using setuid, but unless you really know what you are doing, don't do that. Much damage has been done by the abuse of setuid, and if you aren't prepared to learn a whole lot about writing secure programs I would encourage you to avoid it.

Comment by David Figuera, 2008-04-14T11:28:00-06:00

Very nice articles.
I think a lot of people are going to benefit from your knowledge.

I was searching documentation about ipa system (http://ipa-system.sourceforge.net/) but apart from the official docs, haven't found much info.

Have you dealt with this software?
I'm having trouble running this on a non-root account (FreeBSD).
I think the problem is that a regular user does not have permission to change IPFW rules, as it should be.

Do you know the method to allow a user access to IPFW rules?

Thanks.