
I'm working on an apache module that can check the libipset API to test if an IP is in a list. This is being used as a backup firewall for proxied connections.

I've managed to get everything working up until the C script calls type = ipset_type_get(session, cmd);. After testing, I believe the main problem is that libipset requires higher permissions. I'm not getting a permission error, just a null value. However, when I run the C script directly using apache as the user, I can get it to work when I grant sudo privileges to apache for the script.

I've tried 1 and 2 in the answers here and they've both failed. Is there any other way to force root for the ipset API call?

Gnosis

1 Answer

0

This action might need cap_net_admin.

If using systemd to control the process, you can add it like this:

[Service]
...
CapabilityBoundingSet=CAP_NET_ADMIN

Another approach would be to set the binary executable's capabilities.

setcap cap_net_admin=ep /usr/sbin/apache2

If using AppArmor, you could instead set up a profile for apache and include the line

capability net_admin,

in the file /etc/apparmor.d/usr.sbin.apache2

(see here: https://serverfault.com/questions/932410/enabling-apparmor-for-apache2-in-ubuntu-18-04 )

jmullee
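Whichever of the three routes above is used, the question's symptom (a NULL from ipset_type_get() with no permission error) is easier to diagnose if the module checks for CAP_NET_ADMIN itself and logs the result before touching libipset. The following is an added example, not code from the question or the answer above: it reads the effective capability mask from /proc/self/status (the CapEff line) and tests bit 12, which is CAP_NET_ADMIN's number in linux/capability.h. It uses only the C library, so it can be compiled and run stand-alone, or the two pure functions can be dropped into the module's init hook. The only assumption is that the code runs on Linux with /proc mounted. Running it from inside a worker process, after Apache has dropped to its unprivileged user, shows whether the capability granted by systemd, setcap or the AppArmor profile actually survived the privilege drop, which is where such grants most often silently get lost.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Capability number of CAP_NET_ADMIN as defined in linux/capability.h. */
#define NET_ADMIN_BIT 12

/* Return 1 if bit `cap` is set in the hexadecimal mask string, 0 otherwise.
 * The mask format is the one /proc/<pid>/status prints for CapEff/CapPrm. */
int cap_in_mask(const char *hexmask, int cap)
{
    char *end = NULL;
    unsigned long long mask;

    if (cap < 0 || cap > 63)
        return 0;
    errno = 0;
    mask = strtoull(hexmask, &end, 16);
    if (errno != 0 || end == hexmask)
        return 0;                       /* not a hex number at all */
    return (int)((mask >> cap) & 1ULL);
}

/* If `line` is a "CapEff:\t<hex>" line, copy the hex digits into `out`
 * (buffer of `outsz` bytes) and return 1. Any other line returns 0. */
int parse_capeff_line(const char *line, char *out, size_t outsz)
{
    const char *prefix = "CapEff:";
    size_t plen = strlen(prefix);
    const char *p;
    size_t n;

    if (strncmp(line, prefix, plen) != 0)
        return 0;
    p = line + plen;
    while (*p == ' ' || *p == '\t')
        p++;
    n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= outsz)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Test whether capability `cap` is in the calling process's effective set.
 * Returns 1 if yes, 0 if no, -1 if /proc/self/status could not be read. */
int have_effective_cap(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256], hex[64];
    int result = -1;

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (parse_capeff_line(line, hex, sizeof hex)) {
            result = cap_in_mask(hex, cap);
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void)
{
    int r = have_effective_cap(NET_ADMIN_BIT);

    if (r < 0) {
        fprintf(stderr, "cannot read /proc/self/status: %s\n", strerror(errno));
        return 2;
    }
    /* In the Apache module this is the place to log (ap_log_error or
     * similar) before ipset_session_init()/ipset_type_get(), so a missing
     * capability produces a clear message instead of an unexplained NULL. */
    printf("CAP_NET_ADMIN effective: %s\n", r ? "yes" : "no");
    return r ? 0 : 1;
}
```

Compile with `cc -o capcheck capcheck.c`, then compare `./capcheck` run as root, as the apache user, and (after applying one of the fixes above) from within a request handler: a "no" in the last case means the grant is not reaching the process that actually calls libipset.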