
start apache without being root

 
Mauro Cossu
Occasional Advisor

start apache without being root

Hello Gurus

Not sure this is the right place for my query… anyway here it goes:

I have a web application which runs on HP 11.11. Every now and then I need to restart the web server apache. The problem is that I do not have the root password and apache needs to be restarted as root, so I have to log a call to the administrator. He would grant me root access for a while… just the time to restart apache…
All this has become pretty boring… also because I always have to wait and depend on somebody else… sometimes it could take up to 2 days before restarting apache.
So my question is: is there a way to start apache without being root?

Thanx for your help
Mauro
A. Clay Stephenson
Acclaimed Contributor

Re: start apache without being root

In order to bind to a port number below 1024, the effective user id must be 0 (root), and since you almost certainly want to use the standard port 80, the rule applies. What your sysadmin could do is set up a sudo command so that you are able to start httpd with an effective uid of 0.
This is a safe and secure approach and makes much more sense than allowing you root access --- after all, you could do much more than start apache while you are root and do tremendous damage -- intentionally or otherwise. If your admin is not familiar with sudo then refer him to:

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.8p9/
If it ain't broke, I can fix that.
Jaime Bolanos Rojas.
Honored Contributor

Re: start apache without being root

Mauro,

Not that sure about restarting apache without being root, but maybe you can work something out with the sys adms, you can tell them to configure sudo and to give you permissions just to restart apache when you su to the root account.

I am sure you will get plenty more advice over here.

Regards,

Jaime.
Work hard when the need comes out.
Steven E. Protter
Exalted Contributor

Re: start apache without being root

Shalom Mauro,

The process of running apache in a chroot jail is a secure way of accomplishing what you wish.

Any exploits that gain access gain access to no critical mountpoints.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Mauro Cossu
Occasional Advisor

Re: start apache without being root

Sorry guys, apparently sudo is not in the policy of my company (!?)
:-((
Any other idea?
Jaime Bolanos Rojas.
Honored Contributor

Re: start apache without being root

Mauro,

If the sys adm did not want to configure sudo, any other way around might be a violation of their security policies, which they wouldn't think was funny.

Again I am sure somebody can come out with an idea, but that is breaking into the system.

Regards,

Jaime.
Work hard when the need comes out.
A. Clay Stephenson
Acclaimed Contributor

Re: start apache without being root

In that case, create a setuid C program that will start and stop httpd. This is much safer than a setuid shell script BUT it is state-of-the-art stupid to not allow the installation of sudo but at the same time allow you (an otherwise regular user) to be logged in as root temporarily. Sudo is a much safer and more secure alternative than your present approach. Sudo could be set up to allow you to only start and stop httpd and nothing else.

I can understand the concern if httpd is handling many applications and the concern is that you may not be aware of a safe time to bounce the httpd daemon BUT when they log you in as root that problem still exists.


If it ain't broke, I can fix that.
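
The setuid C wrapper suggested in the post above could look like this (an added example, not code from the thread). The `APACHECTL` path, the wrapper name `httpdctl`, the allow-list of actions and the `check_action` helper are assumptions. It shows why such a wrapper is safer than a setuid shell script: no shell parses the caller's input, and neither the caller's environment nor the caller's argument bytes reach the privileged process.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed install path; replace with the site's real apachectl. */
#define APACHECTL "/opt/apache/bin/apachectl"

/* The only sub-commands ever passed on; everything else is refused. */
static const char *const allowed[] = { "start", "stop", "restart", "graceful", NULL };

/* Return the allow-list's own copy of the action, or NULL if it is not
   permitted. Handing back our constant instead of the caller's pointer
   means no user-supplied bytes ever reach execve(). */
const char *check_action(const char *arg)
{
    size_t i;
    if (arg == NULL)
        return NULL;
    for (i = 0; allowed[i] != NULL; i++)
        if (strcmp(arg, allowed[i]) == 0)
            return allowed[i];
    return NULL;
}

int main(int argc, char *argv[])
{
    /* Fixed environment: nothing is inherited from the caller. */
    char *const clean_env[] = { "PATH=/usr/bin:/usr/sbin", NULL };
    const char *action = (argc == 2) ? check_action(argv[1]) : NULL;
    char *args[3];

    if (action == NULL) {
        fputs("usage: httpdctl start|stop|restart|graceful\n", stderr);
        return 2;
    }
    /* apachectl is a shell script, and some shells reset the effective uid
       when it differs from the real uid, so set both. Fails unless setuid root. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    args[0] = (char *)APACHECTL;
    args[1] = (char *)action;
    args[2] = NULL;
    execve(APACHECTL, args, clean_env);  /* absolute path, no PATH search */
    perror("execve");
    return 1;
}
```

The administrator would install the binary owned by root with the setuid bit set and execute permission limited to a dedicated group, so only members of that group can bounce httpd and they can do nothing else as root.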
A. Clay Stephenson
Acclaimed Contributor

Re: start apache without being root

Plan B. Set up an httpd daemon that binds to a high port (e.g. 9999); this can be started and stopped by a regular user but it will require a port specification for every client connect:

e.g.
http://mickey.disney.com:9999
rather than simply:
http://mickey.disney.com

Of course, this will require notification and documentation changes for all users and possibly firewall changes, so sudo remains the much better choice.
If it ain't broke, I can fix that.
Dan Maschmeier_1
Occasional Advisor

Re: start apache without being root

What about providing a login that only gets a restricted shell and putting the needed commands in the rsh. Doesn't anybody use that anymore?
Mauro Cossu
Occasional Advisor

Re: start apache without being root

thanks- very helpful