
let a normal user bounce httpd (apache) ?

 
MARREEL Chris_1
Regular Advisor

let a normal user bounce httpd (apache) ?

Hello,

I have created a normal user (no root privileges) for our webmaster.
I have given him write privileges to the apache-config files, but after changing the config-files he wants to bounce the http-daemons.

How can I arrange that he doesn't need the root-password to do this ?
Should I create a STOP and START-script, but I need to run these as root, can this be done via SUID-bit (s) ? How does this work ?

Thanks,
Chris MARREEL
9 REPLIES
Jerome Henry
Honored Contributor

Re: let a normal user bounce httpd (apache) ?

Scripting won't work.
You may try to add him to apache group, but I'm not sure it'll work either, as httpd starts with root rights, meaning that root, and root only can start it...
You can lean only on what resists you...
Mark Grant
Honored Contributor
Solution

Re: let a normal user bounce httpd (apache) ?

You can use "sudo" to temporarily give a user root privs for a command.

http://www.courtesan.com/sudo/

Alternatively, you need to create a wrapper around your restart command and set the SETUID bit.

This is most likely to be a 'C' program that does a "setuid(0)" and then runs the "apachectl" command. You would set this as SETUID with something like chmod 6755.

Essentially, SETUID means the program will run with the permissions of the owner of the program. So if the program is owned by root, then it will have root authority. You can not have SETUID scripts any more.
Never precede any demonstration with anything more predictive than "watch this"
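
The setuid wrapper described in this reply, as an added example (not code from the thread): a C program that accepts only an allowlisted action, replaces the caller's environment, and runs apachectl by absolute path without a shell. The path /usr/sbin/apachectl, the name httpd-bounce and the action list (taken from the commands mentioned in this thread) are assumptions.

```c
/* Added example: setuid-root wrapper that runs a fixed apachectl binary
 * with one allowlisted action. Path and names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define APACHECTL "/usr/sbin/apachectl"   /* assumed location; adjust */

/* Return 1 only when action exactly matches an allowlisted word. */
int action_allowed(const char *action)
{
    static const char *const allowed[] = { "start", "stop", "restart", "graceful" };
    size_t i;

    if (action == NULL)
        return 0;
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(action, allowed[i]) == 0)
            return 1;
    return 0;
}

int main(int argc, char *argv[])
{
    /* Fixed, minimal environment: nothing set by the caller
     * (PATH, LD_PRELOAD, IFS, ...) reaches the root process. */
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    char *args[3];

    if (argc != 2 || !action_allowed(argv[1])) {
        fprintf(stderr, "usage: %s start|stop|restart|graceful\n",
                argc > 0 ? argv[0] : "httpd-bounce");
        return 2;
    }
    /* Become root for real; fails unless the file is root-owned and setuid. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    args[0] = APACHECTL;
    args[1] = argv[1];
    args[2] = NULL;
    /* execve with an absolute path: no shell, no PATH search. */
    execve(APACHECTL, args, envp);
    perror("execve");
    return 1;
}
```

Because the webmaster can edit the Apache configuration that the root-started httpd reads, the wrapper limits which command runs, not what that configuration makes the server do.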
G. Vrijhoeven
Honored Contributor

Re: let a normal user bounce httpd (apache) ?

Hi,

Apache runs on port 80 (-1024 = root port); if you change it to 8080 you do not need root privileges to start Apache.


Gideon
K.C. Chan
Trusted Contributor

Re: let a normal user bounce httpd (apache) ?

Hmm, I am not getting the warm and fuzzy when giving some regular user the power of root to run an application? But if you must, you can use sudo, I believe most linux distro should have it; for redhat the conf file is in /etc/sudoers. Have at it and be careful.
Reputation of a thousand years can be determined by the conduct of an hour
Steven E. Protter
Exalted Contributor

Re: let a normal user bounce httpd (apache) ?

Giving an ordinary user the power to start and stop httpd improves security. If the httpd daemon is exploited in some way the exploit fails to gain root privileges.

You can do this in an automated way, by putting httpd in a chroot jail. The easiest way is to run bastille on your system.

http://www.bastillelinux.org

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Bill Thorsteinson
Honored Contributor

Re: let a normal user bounce httpd (apache) ?

You may try to see if 'apachectl graceful' will work from a non root account. This will gracefully reload the configuration changes.

I use sudo to allow users to perform tasks like this. You can limit the commands they can execute, as well as the user id the command is performed as.
Steven E. Protter
Exalted Contributor

Re: let a normal user bounce httpd (apache) ?

I was brain dead during my earlier post.

We have a user called ias. That user owns the apache binaries.

In order for this user to open a process on a port 80, the SUID bit had to be set.

In other words you were right. We even skipped that part by running apache on port 7777.

SEP
MARREEL Chris_1
Regular Advisor

Re: let a normal user bounce httpd (apache) ?

Thanks a lot,

I have looked at SUDO, and this indeed is a good tool and easy to configure.

I have added a few lines to the /etc/sudoers :
webmaster ALL=/etc/init.d/httpd stop
webmaster ALL=/etc/init.d/httpd start
webmaster ALL=/etc/init.d/httpd restart

And our webmaster can easily bounce the httpd daemons.

Thanks,
Chris MARREEL
Jerome Henry
Honored Contributor

Re: let a normal user bounce httpd (apache) ?

Great !
But be aware that your webmaster is root when running sudo-allowed commands.

J
You can lean only on what resists you...