Yea verily, I am an idiot. I was confusing sudo and suexec.
Sudo is purely for interactive use: it requires you to type a password. Suexec is for CGIs; it *might* work for ErrorDocument. However as I said before, suid scripts and the prospect of hackers are not a combination that appeals to me under any circumstances.
If you are determined to do this sort of thing fully automatically write the naughty IPs to a file that is owned by the Apache process, and have a daemon that periodically inspects the file and adds its contents to the iptables/ipchains blocking list.
On 22-Aug-02 Raphael Mankin wrote:
On 18-Aug-02 Neil Sedger wrote:
Raphael Mankin wrote:
As has been mentioned, ErrorDocument does part of what you want. The problem is that in order to run ipchains/iptables you have to be root - Apache does not run as root. You therefore need a suid script to do the job, and suid scripts always make me a bit twitchy.
How about sudo? Is that more secure?
SUDO is only for CGIs. (AFAIK)
If someone does manage to hack in to be the apache user, all they'll be able to do is add addresses to the firewall block list. I'd expect that at some point they'd make a mistake and block out their own IP ;-)
Suid scripts and hackers are not a combination that appeals under any conditions.
---------------------------------- E-Mail: Raphael Mankin raph@panache.demon.co.uk Date: 26-Aug-02 Time: 18:49:10 ----------------------------------
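The file-plus-daemon split suggested at the top of this message, written out as an added example that is not from anyone in the thread: Apache appends addresses to a file it owns, and a root cron job turns that file into iptables rules. The file path, the chain name and the DRYRUN switch are assumptions; the important part is that root treats the Apache-writable file as untrusted input and accepts nothing but a well-formed IPv4 address.

```sh
#!/bin/sh
# Added example (not from the thread). Path and chain are assumptions;
# DRYRUN=1 prints the iptables commands instead of running them.
BLOCKFILE="${BLOCKFILE:-/var/lib/apache-block/naughty.txt}"
CHAIN="${CHAIN:-APACHE_BLOCK}"
DRYRUN="${DRYRUN:-1}"

# The file is writable by the Apache user, so to root its contents are
# untrusted: accept only a plain dotted-quad IPv4 address, nothing else.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r a b c d <<EOF
$1
EOF
    case "$d" in ''|*.*) return 1 ;; esac   # fewer or more than four octets
    for o in "$a" "$b" "$c" "$d"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Idempotent add: -C reports whether the rule exists, -A appends only if not.
block_ip() {
    if [ "$DRYRUN" = 1 ]; then
        printf 'iptables -C %s -s %s -j DROP 2>/dev/null || iptables -A %s -s %s -j DROP\n' \
            "$CHAIN" "$1" "$CHAIN" "$1"
    else
        iptables -C "$CHAIN" -s "$1" -j DROP 2>/dev/null || iptables -A "$CHAIN" -s "$1" -j DROP
    fi
}

# One pass over the file: dedupe, reject anything that is not an IP, block the rest.
# Prints one line per accepted address (in dry-run mode); rejects go to stderr.
sweep() {
    [ -r "$1" ] || return 0
    sort -u "$1" | while IFS= read -r line; do
        if valid_ipv4 "$line"; then
            block_ip "$line"
        else
            printf 'sweep: ignoring malformed entry %s\n' "$line" >&2
        fi
    done
}

# Constructed sample of a file written by a buggy or compromised Apache process.
SAMPLE=$(mktemp)
printf '%s\n' 203.0.113.7 203.0.113.7 198.51.100.256 'not an address' 10.0.0.1 > "$SAMPLE"
sweep "$SAMPLE"
rm -f "$SAMPLE"
```

Run it from cron as root with DRYRUN=0 against the real BLOCKFILE; because Apache may append while the sweep runs, do not truncate the file afterwards, rely on the -C check to keep repeated passes harmless.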