Re: apache as non-root

On Nov 8, 2007 3:50 PM, Axel-Stephane SMORGRAV
<Axel-Stephane.SMORGRAV@xxxxxxxxxxxxxx> wrote:
> -----Original Message-----
> From: Krist van Besien [mailto:krist.vanbesien@xxxxxxxxx]
> Sent: Thursday, November 8, 2007 15:14
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: apache as non-root
>
> > You could use a wrapper script (as I do) that the user can't change.
>
> You could, but AFAICS the only point of using a wrapper over using sudo would be to hard code the -f parameter... In that case you would also need to prevent the user from changing the configuration. What would be the point of that?

The point is that somebody not root can start/stop apache. In our
setup I have a wrapper script that can start the server in two modes:
A "maintenance mode" where a "server is down, please come back later"
message is displayed to whoever visits the site, and a normal mode.
This is done by passing a different value for the -f option to httpd
when started. These values (two alternative configs basically) are
hard coded in a script that only root can modify.
This way a user with fewer privileges than root can switch the site to
maintenance mode before taking the tomcat application server down.

> I have opted for sudo. Designated Apache administrators are allowed to start/stop/create as many instances of Apache as they want to with the configurations of their choice. They are entrusted with that privilege. Bottom line.

Indeed, but in your case you have given the designated administrators
everything they need to become root. I hope you can trust them enough
not to try this.

Krist



-- 
krist.vanbesien@xxxxxxxxx
krist@xxxxxxxxxxxxx
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
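
A sketch of the kind of wrapper described in the message above, added here as an example; it is not Krist's script or code from the Apache project. The httpd path and both config paths are hypothetical, and it assumes the script is root-owned and reaches the operator through a privilege rule (such as a sudoers entry) that names only this script.

```shell
#!/bin/sh
# Added example. HTTPD and both config paths are hypothetical placeholders.
HTTPD=/usr/sbin/httpd
CONF_NORMAL=/etc/httpd/conf/httpd.conf
CONF_MAINT=/etc/httpd/conf/maintenance.conf

# Map a mode name to one of the two hard-coded configs; anything else fails,
# so the caller never supplies a path for -f.
config_for_mode() {
    case "$1" in
        normal)      printf '%s\n' "$CONF_NORMAL" ;;
        maintenance) printf '%s\n' "$CONF_MAINT" ;;
        *)           return 1 ;;
    esac
}

# Accept only a fixed set of -k actions.
valid_action() {
    case "$1" in
        start|stop|graceful) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Succeed only if FILE is a regular non-symlink file owned by uid OWNER
# (default 0) and not writable by group or others. Assumes GNU stat.
locked_down() {
    file=$1 owner=${2:-0}
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    [ "$(stat -c %u "$file")" = "$owner" ] || return 1
    case "$(stat -c %a "$file")" in
        *[2367]?|*[2367]) return 1 ;;   # group or other write bit set
    esac
    return 0
}

apache_ctl() {
    valid_action "$1" || { echo "usage: start|stop|graceful normal|maintenance" >&2; return 2; }
    conf=$(config_for_mode "$2") || { echo "unknown mode: $2" >&2; return 2; }
    locked_down "$conf" || { echo "refusing: $conf is not root-owned and read-only to others" >&2; return 1; }
    exec "$HTTPD" -f "$conf" -k "$1"
}

if [ "$#" -gt 0 ]; then apache_ctl "$@"; fi
```

The ownership check covers only the top-level config file; any file it pulls in with Include, and the directories holding them, need the same protection for the hard-coded -f value to mean anything.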