Shell Inter process / Inter User Message Passing

Use case: when my Fritz Box gets a new IP address, it calls a dyndns CGI script on a FreeBSD box, which should result in updating pf to pass this new IP. (similar to this thread: update pf table via web)

Obviously, www:www should not get sudo for updating the firewall.

How would one pass the message from www to root?

I am thinking of mqtt and mosquitto.

Better options? A named pipe? a Unix socket?

I don't like polling à la cron.

If I should go the mqtt way, is there a kind of dispatcher framework at the shell command level? i.e. instead of having n scripts listen on mosquitto_sub, a general dispatcher using some kind of dispatching table. (topic -> command)
openHAB and its MQTT Binding can do that but this would be way overkill.

Cheers,
weberjn
 
Obviously, www:www should not get sudo for updating the firewall.
Whatever you want to do with this external IP address in your pf config, you obviously want www to be able to do just that. Then I don't see how just writing a script doing that change and taking the address as an argument, and allowing invocation of just that script for sudo, would be worse than any much more complicated solution.
 
sudo with a specific command allowed is probably good enough
or if the router can handle URLs with a port, just run something like socat as root and allow traffic just from your gw

but the question, as zirias asked: why do you need your external IP in your pf rules?
 
but the question, as zirias asked: why do you need your external IP in your pf rules?
Well, I didn't directly ask, but I was wondering indeed :-/ – I can think of services needing to know the external IP address because it's used in the payload of the protocol (SIP for example). But I'd assume this Fritzbox acts as a NAT router, so I indeed wonder how a firewall behind that would even ever see this external address...
 
Whatever you want to do with this external IP address in your pf config, you obviously want www to be able doing just that. Then I don't see how just writing a script doing that change and taking the address as an argument and allow invocation of just that script for sudo would be worse than any much more complicated solution.
It just feels wrong to have www run a firewall script as root. The attack vector of a script writing something into a queue or a pipe is smaller than that of a script changing firewall rules.
 
btw if it's not clear, you don't give www sudo access to modify rules directly. You write a script that does what you want:

Code:
#!/bin/sh
ip=$1

# ... the command that updates pf.conf

Then you give www sudo access to run only that script.
 
btw if it's not clear, you don't give www sudo access to modify rules directly. You write a script that does what you want:

Code:
#!/bin/sh
ip=$1

# ... the command that updates pf.conf

Then you give www sudo access to run only that script.

For safety I'd deny www read access to that script (it only needs write and execute access) and maybe have it also pass its PID for logging, to be sure.
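An added example (not code from any post in this thread) of what the sudo-target script described in the two posts above could look like: the single argument is validated strictly before pfctl runs, and the caller is recorded using the SUDO_USER/SUDO_UID variables that sudo sets. The script path, the table name and the pf.conf and sudoers lines in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal sudo target for the use case above.
# The CGI running as www calls `sudo /usr/local/sbin/pf-home-ip <ip>` (path is an assumption);
# since this runs as root it validates its only argument strictly before touching pf.
# pf.conf (assumed):   table <home_ip> persist
#                      pass in quick proto tcp from <home_ip> to any port 3389
# sudoers (visudo):    www ALL=(root) NOPASSWD: /usr/local/sbin/pf-home-ip

TABLE="${PF_HOME_TABLE:-home_ip}"   # pf table name (assumption)
PFCTL="${PFCTL:-/sbin/pfctl}"       # overridable so the logic can be exercised without pf

# Returns 0 only for four decimal octets 0-255 separated by dots, no leading zeros.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac   # "010" might be read as octal elsewhere
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 unless the address is in a range that can never be a home uplink:
# unspecified (0/8), loopback (127/8), link-local (169.254/16), multicast/reserved (>=224).
is_plausible_external() {
    first=${1%%.*}
    [ "$first" -ne 0 ] && [ "$first" -ne 127 ] && [ "$first" -lt 224 ] || return 1
    case $1 in 169.254.*) return 1 ;; esac
    return 0
}

# Replaces the table contents with the single validated address and leaves an audit trail.
# Exit codes: 2 = argument rejected, 3 = pfctl failed.
update_table() {
    is_ipv4 "$1" && is_plausible_external "$1" || {
        echo "pf-home-ip: argument rejected" >&2   # keep untrusted input out of the log line
        return 2
    }
    "$PFCTL" -t "$TABLE" -T replace "$1" || return 3
    command -v logger >/dev/null 2>&1 &&
        logger -t pf-home-ip "table <$TABLE> set to $1 by ${SUDO_USER:-?} (uid ${SUDO_UID:-?})" || :
}

# Entry point: exactly one argument; with no arguments only the functions are defined.
[ $# -eq 0 ] || { [ $# -eq 1 ] || { echo "usage: $0 <ipv4>" >&2; exit 2; }; update_table "$1"; exit $?; }
```

Because sudo's command match does not restrict arguments, the validation inside the script is what keeps a compromised CGI from turning this into arbitrary pfctl invocations; the pass rule above assumes the table only ever holds the one home address.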
 
sudo with a specific command allowed is probably good enough
or if the router can handle URLs with a port, just run something like socat as root and allow traffic just from your gw

but the question, as zirias asked: why do you need your external IP in your pf rules?
In the end I listened to you and did the sudo script.

I need the pf rules to only allow access to xrdp from my home. xrdp got so many connection attempts that it went down after some hours. With the pf rule this is fixed.
 