reloading apache as user www-data
dave_blob 
27/8/08 11:06:53 AM
Guru

So I've got this web management program I'm writing, all is sweet, except that one of the major operations I need to do is trigger a reload of the Apache config, because this program makes changes to it.
But I don't want to introduce massive security holes.

The www-data user obviously does not have sudo rights, and I intend to keep it that way. So how can I run
'/etc/init.d/apache2 reload'
from a script running under www-data?

I tried creating a user 'authenticator' that does have sudo rights, then issuing a command like this:
cat /etc/protected-authenticator-pwd | sudo -S -u authenticator /etc/init.d/apache2 reload

But the sudo command wants the password for www-data, even though I told it to use user authenticator.

So is there a way for user A to run a command as user B without A having sudo rights?

-----
Your comeback shames me

Phelan:
You exist. You are born and you die. That's it.
What matters is life before death - enjoy your time here, be nice to others and have some fun.

iamthemaxx 
27/8/08 12:28:34 PM
Mod

I wouldn't think so.
Why not use https, it at least gives you some security and will let you use sudo straight up.

Also, a web based management tool restarting the apache instance it runs on! I see a black hole forming ;)

-----

dave_blob 
27/8/08 1:26:04 PM
Guru

Reloading! Not restarting :)

It's only a simple thing, for managing per-directory basic HTTP username/password auth, using mod_auth_mysql. It just writes/overwrites an apache.conf fragment that gets Included in one of the virtualhosts on the server.

I didn't want to make it too hard; until I ran into this problem I had the whole thing finished from scratch in ~3 hours, god bless Rails! :P

-----

eckythump 
27/8/08 4:46:49 PM
Champion

What's wrong with using sudo?

Just add an entry to the sudoers file that permits AND ONLY permits www-data to execute /path/to/apachectl restart
And indicate that no password is required.

Alternately, you could make a wrapper script and put it somewhere else if you want to add some security-through-obscurity and then only permit sudo /path/to/somewhere/weird/no/one/would/guess/reloader.sh

If your web app is CGI based, you could take advantage of Apache's suexec facility to run it as a dedicated user, and that way only that user can do the appropriate sudo, as opposed to any cgi/php/etc script run by any user (assuming they'd run as the default www-data user)

And alternately again, you could write a very simple daemon script that sits and looks for a file to be created in a given place, and when it's found, deletes it and performs a reload. It could use a DB entry as opposed to a file, too, of course.

There are lots of ways to do this; it mostly comes down to what specifically you need and want to do.

-----
"Grandfather had an accident, he got burnt." "Oh no, how bad?" "Well, they don't fuck around at the crematorium."
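The sudoers entry and wrapper that eckythump describes, as an added example (not code posted in this thread). Two details matter in practice. First, the original attempt failed because `sudo -u` only picks the target user; the password sudo asks for is always the invoking user's, so piping another account's password into `sudo -S` from a file www-data can read would just hand www-data that account's full sudo rights. Second, a rule on `/etc/init.d/apache2` with no argument restriction also lets www-data run `stop`; sudoers(5) lets you pin the arguments, and the trailing `""` below means "no arguments at all". The wrapper location, the web user name and the reload command are assumptions to adapt to the host:

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the two pieces eckythump
# describes: a sudoers rule that lets www-data run exactly one command with
# no arguments, and the root-owned wrapper that command points at.
set -eu

WEB_USER=${WEB_USER:-www-data}                        # assumed web user
WRAPPER=${WRAPPER:-/usr/local/sbin/apache-reload}      # assumed location
RELOAD_CMD=${RELOAD_CMD:-/etc/init.d/apache2 reload}   # as in the thread

# sudoers_rule USER WRAPPER
# Prints the one-line rule. The trailing "" is sudoers(5) syntax for "may be
# run only without arguments", so "sudo WRAPPER stop" is refused. Install it
# with "visudo -f /etc/sudoers.d/apache-reload", not by editing by hand.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s ""\n' "$1" "$2"
}

# wrapper_body
# Prints the wrapper script. It resets PATH, discards whatever arguments the
# caller supplied and execs one fixed command, so the only thing a
# compromised web app can do with its sudo right is reload Apache.
wrapper_body() {
    cat <<EOF
#!/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH
set --            # ignore all arguments: "stop", "start", "../x" ...
exec $RELOAD_CMD
EOF
}

# install_wrapper DEST
# Writes the wrapper to DEST, executable and not group/world writable. For
# real use it must also be root-owned: a wrapper www-data could edit would
# hand it arbitrary root execution. chown is left out so the example runs
# unprivileged.
install_wrapper() {
    wrapper_body > "$1"
    chmod 0755 "$1"
    # chown root:root "$1"
}

# check_rule RULE_FILE
# Syntax-checks a sudoers fragment without installing it.
check_rule() {
    visudo -c -f "$1"
}

# Show what would be installed, without touching the system.
sudoers_rule "$WEB_USER" "$WRAPPER"
wrapper_body
```

Run as-is it only prints the rule and the wrapper; installing them means `install_wrapper "$WRAPPER"` as root plus `sudoers_rule ... > /etc/sudoers.d/apache-reload` followed by `check_rule /etc/sudoers.d/apache-reload`. The web app then calls `sudo -n /usr/local/sbin/apache-reload`; `-n` makes sudo fail immediately instead of hanging on a password prompt if the rule is missing.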

wilsontc 
27/8/08 11:35:52 PM
Guru

man 5 sudoers

-----
Quote by Kothos
More importantly, do any of you girls like arse hair??



Linux_Inside V2 
28/8/08 11:35:29 AM
Immortal

eckythump has the answer(s)

adding it to the sudoers seems like a good idea, I recently did a similar thing but mine was a webui to control my traffic shaper :D

sudoers is probably the best and simplest solution, should take you no time at all to do it if you do what wilsontc said which is
man 5 sudoers


Cheers

-----

dave_blob 
28/8/08 12:49:58 PM
Guru

Wow, I had no idea you could limit sudo access to single specific programs; it never even occurred to me.

Right! Awesome! I'll change the web app to run as user 'authenticator' and give 'authenticator' sudo access to "/etc/init.d/apache" only.

Too easy, thanks heaps guys, I knew I was missing something.

-----

dave_blob 
28/8/08 3:21:43 PM
Guru

Cool, it's working now.

iamthemaxx, I found your black hole :P

The reload_apache link returns Error 500 server errors sometimes, obviously due to the rug being pulled out from underneath the Rails app.
But it's only sometimes, and then you just reload and it's ok. It must be a timing-based problem, since it only happens 50% of the time. If I get spare time I might dive into the Webmin source to see how they achieve the same thing so cleanly.

-----

Linux_Inside V2 
28/8/08 8:33:03 PM
Immortal

Quote by dave_blob
If i get spare time i might dive into the Webmin source to how they achieve the same thing so cleanly.



Doesn't Webmin operate on its own port, without Apache?

-----

dave_blob 
28/8/08 11:46:49 PM
Guru

Quote by Linux_Inside V2
Doesn't webmin operate on it's own port, without Apache?

Ah, yep. You just stopped me from wasting a bunch of time. Now I have to find something else to waste it on :p

-----

Linux_Inside V2 
29/8/08 11:47:31 AM
Immortal

Quote by dave_blob
Ah, yep. You just stopped me from wasting a bunch of time. Now i have to find something else to waste it on :p

lol to get past the 500 internal error you'd have to find some way to fork the process to the background so that Apache will stop sending data before terminating the connection.

If you can figure that out, I'd be interested to see how it's done :D

-----
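One way to do the "fork it to the background" that Linux_Inside V2 suggests, as an added example rather than anything posted in the thread: the web app hands the reload to a detached process that waits briefly, so the HTTP response has been sent before Apache re-reads its configuration. The delay length and the wrapper path used in the usage comment are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread: trigger the reload from a
# detached process so the HTTP response is sent before Apache reloads.
set -eu

# detach_reload CMD [ARGS...]
# Starts CMD after RELOAD_DELAY seconds (default 1) in a background process
# whose standard descriptors all point at /dev/null, then returns at once.
# The web request therefore completes normally and the reload happens after
# the response has left. nohup keeps the child alive if the parent's
# process group receives SIGHUP when the request handler exits.
detach_reload() {
    nohup sh -c 'sleep "$1"; shift; exec "$@"' detach \
        "${RELOAD_DELAY:-1}" "$@" </dev/null >/dev/null 2>&1 &
}

# Typical call from the web app's reload action, using a sudoers rule that
# allows exactly this wrapper (path is an assumption). -n makes sudo fail
# rather than wait for a password if the rule is missing or wrong.
#   detach_reload sudo -n /usr/local/sbin/apache-reload
```

The closed descriptors are the important part: a background job that still holds the request's stdout or stderr keeps the connection open, and a child that inherits the terminal or the handler's pipes is what gets torn down mid-response. The delay should be longer than the time it takes your app to flush the response; a second is plenty for a redirect after "config saved".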
