httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Krist van Besien" <>
Subject Re: [users@httpd] apache as non-root
Date Thu, 08 Nov 2007 15:39:39 GMT
On Nov 8, 2007 3:50 PM, Axel-Stephane  SMORGRAV
<> wrote:
> -----Message d'origine-----
> De : Krist van Besien []
> Envoyé : jeudi 8 novembre 2007 15:14
> À :
> Objet : Re: [users@httpd] apache as non-root
> > You could use a wrapper script (as I do) that the user can't change.
> You could, but AFAICS the only point of using a wrapper over using sudo would be to hard
code the -f parameter... In that case you would also need to prevent the user to change the
configuration. What would be the point of that?

The point is that somebody not root can start/stop apache. In our
setup I have a wrapper script that can start the server in two modes:
A "maintenance mode" where a "server is down, please come back later"
message is displayed to whoever visits the site, and a normal mode.
This is done by passing a different value for the -f option to httpd
when started. These values (two alternative configs basically) are
hard coded in a script that only root can modify.
This way a user with less privileges than root can switch the site to
maintenance mode before taking the tomcat application server down.

> I have opted for sudo. Designated Apache administrators are allowed to start/stop/create
as many instances of Apache they want to with the configurations of their choice. They are
entrusted with that privilege. Bottom line.

Indeed, but in your case you have given the designated administrators
everything they need to become root. I hope you can trust them enough
not to try this.


Bremgarten b. Bern, Switzerland
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message