topic Re: start apache without being root in Operating System - HP-UX

start apache without being root

Mauro Cossu — Mon, 07 Aug 2006 09:12:45 GMT

Hello Gurus

Not sure this is the right place for my query… anyway here it goes:

I have a web application which runs on HP 11.11. Every now and then I need to restart the web server apache. The problem is that I do not have the root password and apache needs to be restarted as root, so I have to log a call to the administrator. He would grant me root access for a while… just the time to restart apache…
All this has become pretty boring… also because I always have to wait and depend on somebody else … sometime it could take up to a 2 days before restarting apache.
So my question is: is there a way to start apache without being root?

Thanx for your help
Mauro

Re: start apache without being root

A. Clay Stephenson — Mon, 07 Aug 2006 09:18:45 GMT

In order to bind to a port number below 1024, the effective user id must be 0 (root) and since you almost certainly want to use the standard port 80 then the rule applies. What your sysadmin could do is setup a sudo command so that you are able to start httpd with an effective uid of 0.
This is a safe and secure approach and makes much more sense than allowing you root access --- after all, you could do much more than start apache while you are root and do tremendous damage -- intentionally or otherwise. If your admin is not familiar with sudo then refer him to:

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.8p9/

Re: start apache without being root

Jaime Bolanos Rojas. — Mon, 07 Aug 2006 09:19:16 GMT

Mauro,

Not that sure about restarting apache without being root, but maybe you can work something out with the sys adms, you can tell them to configure sudo and to give you permissions just to restart apache when you su to the root account.

I am sure you will get plenty of more advice overhere.

Regards,

Jaime.

Re: start apache without being root

Steven E. Protter — Mon, 07 Aug 2006 09:27:42 GMT

Shalom Mauro,

The process of running apache in a chroot jail is a secure way of accomplishing what you wish.

Any exploits that gain access gain access to no critical mountpoints.

SEP

Re: start apache without being root

Mauro Cossu — Mon, 07 Aug 2006 12:28:50 GMT

Sorry guys, apparently sudo is not in the policy of my company (!?)
:-((
Any other idea?

Re: start apache without being root

Jaime Bolanos Rojas. — Mon, 07 Aug 2006 12:35:15 GMT

Mauro,

If the sys adm did not want to configure sudo, any other way around might be a violation to their security policies, which they would'nt think it was funny.

Again I am sure somebody can come out with an idea, but that is breaking into the system.

Regards,

Jaime.

Re: start apache without being root

A. Clay Stephenson — Mon, 07 Aug 2006 12:38:16 GMT

In that case, create a setuid C program that will start and stop httpd. This is much safer than a setuid shell script BUT it is state-of-the-art stupid to not allow the installation of sudo but at the same time allow you (an otherwise regular user to be logged in as root temporarily). Sudo is a much safer and more secure alternative than your present approach. Sudo could be setup to allow you to only start and stop httpd and nothing else.

I can understand the concern if hpptd is handling many applications and the concern is that you may not be aware of a safe time to bounce the httpd daemon BUT when they log you in as root that problem still exists.

Re: start apache without being root

A. Clay Stephenson — Mon, 07 Aug 2006 12:46:32 GMT

Plan B. Setup an httpd daemon that binds to a high port (e.g. 9999); this can be started as stopped by a regular user but it will require a port specification for every client connect:

e.g.
http://mickey.disney.com:9999
rather than simply:
http://mickey.disney.com

Of course, this will require notification and documentation changes for all users and possibly firewall changes so sudo remain the much better choice.

Re: start apache without being root

Dan Maschmeier_1 — Mon, 07 Aug 2006 18:12:27 GMT

What about providing a login that only gets a restricted shell and putting the needed commands in the rsh. Doesn't anybody use that anymore?

Re: start apache without being root

Mauro Cossu — Mon, 14 Aug 2006 09:01:27 GMT

thanks- very helpful