topic Re: let a normal user bounce httpd (apache) ? in Operating System - Linux

let a normal user bounce httpd (apache) ?

MARREEL Chris_1 — Wed, 19 Nov 2003 05:04:07 GMT

Hello,

I have created a normal user (no root privileges) for our webmaster.
I have given him write privileges to the apache-config files, but after changing the config-files he want to bounce the http-daemons.

How can I achieve he doesn't need the root-password to do this ?
Should I create a STOP and START-script, but I need to run these as root, can this be done via SUID-bit (s) ? How does this work ?

Thanks,
Chris MARREEL

Re: let a normal user bounce httpd (apache) ?

Jerome Henry — Wed, 19 Nov 2003 05:39:53 GMT

Scripting won't work.
You may try to add him to apache group, but I'm not sure it'll work either, as httpd starts with root rights, meaning that root, and root only can start it...

Re: let a normal user bounce httpd (apache) ?

Mark Grant — Wed, 19 Nov 2003 06:16:30 GMT

You can use "sudo" to temporarily give a user root privs for a command.

http://www.courtesan.com/sudo/

Alternatively, you need to create a wrapper around your restart command and set the SETUID bit.

This is most likely to be a 'C' program that does a "setuid(0)" and then runs the "apachectl" command. You would set this as SETUID with something like chmod 6755.

Essesntially, SETUID means the program will run with the permissions of the owner of the program. So if the program is owned by root, then it will have root authority. You can not have SETUID scripts any more.

Re: let a normal user bounce httpd (apache) ?

G. Vrijhoeven — Wed, 19 Nov 2003 09:00:04 GMT

Hi,

apache runs on poort 80 (-1024 = root poort) if you change it to 8080 you do not need root privaliges to start apache.

Gideon

Re: let a normal user bounce httpd (apache) ?

K.C. Chan — Wed, 19 Nov 2003 09:01:24 GMT

Hmm, I am not getting the warm and fussy when giving some regular user the power of root to run an application? But if you must, you can use sudo, I believe most linux distro should have it; for redhat the conf file is in /etc/sudoers. Have at it and becarefull.

Re: let a normal user bounce httpd (apache) ?

Steven E. Protter — Wed, 19 Nov 2003 09:54:04 GMT

Giving an ordinary user the power to start and stop httpd improves security. If the httpd daemon is exploited in some way the exploit fails to gain root priviledges.

You can do this in an automated way, by putting httpd in a chroot jail. The easisest way is to run bastille on your system.

http://www.bastillelinux.org

SEP

Re: let a normal user bounce httpd (apache) ?

Bill Thorsteinson — Thu, 20 Nov 2003 09:35:07 GMT

You may try to see if 'apachectl graceful' will work from a non root account. This will gracefully reload the configuration changes.

I use sudo to allow users to perform tasks like this. You can limit the commands they can execute, as well as the user id the command is performed as.

Re: let a normal user bounce httpd (apache) ?

Steven E. Protter — Thu, 20 Nov 2003 10:37:10 GMT

I was brain dead during my earlier post.

We have a user called ias. That user owns the apache binaries.

In order for this user to open a process on a port 80, the SUID bit had to be set.'

In other words you were right. We even skpped that part by running apache on port 7777

SEP

Re: let a normal user bounce httpd (apache) ?

MARREEL Chris_1 — Thu, 20 Nov 2003 12:40:03 GMT

Thanks a lot,

I have looked at SUDO, and this indeed is a good tool and easy to configure.

I have added a few lines to the /etc/sudoers :
webmaster ALL=/etc/init.d/httpd stop
webmaster ALL=/etc/init.d/httpd start
webmaster ALL=/etc/init.d/httpd restart

And our webmaster can easily bounce the httpd daemons.

Thanks,
Chris MARREEL

Re: let a normal user bounce httpd (apache) ?

Jerome Henry — Thu, 20 Nov 2003 12:55:21 GMT

Great !
But be aware that your webmaster is root on doing sudo allowed commands.

J