httpd-users mailing list archives

From "Axel-Stephane SMORGRAV" <Axel-Stephane.SMORG...@europe.adp.com>
Subject RE: [users@httpd] apache as non-root
Date Thu, 08 Nov 2007 15:48:40 GMT
Somebody trusted you enough to give YOU the root password.

Why should you not in turn entrust others with the privileges that will allow them to do their
job? 


-ascs

-----Original Message-----
From: Krist van Besien [mailto:krist.vanbesien@gmail.com]
Sent: Thursday, 8 November 2007 16:40
To: users@httpd.apache.org
Subject: Re: [users@httpd] apache as non-root

On Nov 8, 2007 3:50 PM, Axel-Stephane  SMORGRAV <Axel-Stephane.SMORGRAV@europe.adp.com>
wrote:
> -----Original Message-----
> From: Krist van Besien [mailto:krist.vanbesien@gmail.com]
> Sent: Thursday, 8 November 2007 15:14
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] apache as non-root
>
> > You could use a wrapper script (as I do) that the user can't change.
>
> You could, but AFAICS the only point of using a wrapper over using sudo would be to hard
> code the -f parameter... In that case you would also need to prevent the user from changing
> the configuration. What would be the point of that?

The point is that somebody who is not root can start/stop apache. In our setup I have a wrapper
script that can start the server in two modes: a "maintenance mode", where a "server is down,
please come back later" message is displayed to whoever visits the site, and a normal mode.
This is done by passing a different value for the -f option to httpd when it is started. These
values (two alternative configs, basically) are hard-coded in a script that only root can modify.
This way a user with fewer privileges than root can switch the site to maintenance mode before
taking the Tomcat application server down.

> I have opted for sudo. Designated Apache administrators are allowed to start/stop/create
> as many instances of Apache as they want, with the configurations of their choice. They are
> entrusted with that privilege. Bottom line.

Indeed, but in your case you have given the designated administrators everything they need
to become root. I hope you can trust them enough not to try this.

Krist



--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org





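The wrapper Krist describes, written out as an added example for this page rather than his actual script: the operator chooses only a mode and an action, the -f path is fixed inside a root-owned file, and the script refuses to run if it or either config is writable by anyone but the owner (the objection raised in the thread). The httpd and config paths are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread: a root-owned wrapper that lets a
# non-root operator start or stop httpd with one of two hard-coded configurations
# (normal or maintenance), so the -f value never comes from the caller.
# All paths below are assumptions; adjust them for your install.
HTTPD=/usr/sbin/httpd                               # assumed binary path
NORMAL_CONF=/etc/httpd/conf/httpd.conf              # assumed normal config
MAINT_CONF=/etc/httpd/conf/httpd-maintenance.conf   # assumed "site down" config

# Map a mode name to the config it may use. Prints the path; returns 1 for
# anything outside the fixed list, so no arbitrary file can reach -f.
config_for_mode() {
    case "$1" in
        normal)      echo "$NORMAL_CONF" ;;
        maintenance) echo "$MAINT_CONF" ;;
        *)           return 1 ;;
    esac
}

# Assemble the exact command line. The caller supplies only a mode and one of
# the permitted -k actions; binary, config path and flag layout are fixed here.
httpd_command() {
    conf=$(config_for_mode "$1") || return 1
    case "$2" in start|stop|graceful) ;; *) return 1 ;; esac
    echo "$HTTPD -f $conf -k $2"
}

# True if neither the group nor the world 'w' bit is set. If the operator can
# edit the wrapper or a config, the hard-coding protects nothing.
not_group_or_world_writable() {
    [ "$(ls -ld "$1" | cut -c6,9)" = "--" ]
}

main() {
    cmd=$(httpd_command "$1" "$2") || {
        echo "usage: $0 {normal|maintenance} {start|stop|graceful}" >&2
        return 2
    }
    for f in "$0" "$NORMAL_CONF" "$MAINT_CONF"; do
        not_group_or_world_writable "$f" ||
            { echo "refusing: $f is writable by group or others" >&2; return 3; }
    done
    exec $cmd
}

# Dispatch only when invoked with arguments, so the functions can be sourced.
[ $# -eq 0 ] || main "$@"
```

Install it root-owned with mode 0755 and grant the operator sudo for that one path only; the sudo rule must not allow running httpd itself, or the wrapper is bypassed.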