How to allow non-root user to start/stop Apache process on a *nix server
Recently, I had to write a script to deploy a Grails application on a cluster of 7 servers without prompting for any kind of passwords. The load balancer was configured so as NOT to direct any request to the node, if the Apache process is not running on the server.
So, my script to do the deployment on all the servers one by one is very simple — (a) stop Apache (b) deploy the new version of the app on Tomcat using the deploy.sh script on the server (c) start Apache
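# Web hosts to deploy to, one at a time
SERVER_IPS="10.20.30.40 10.20.30.41 10.20.30.42"
for i in $SERVER_IPS
do
    echo "Deploying on Web Host $i"
    # Stop Apache (the load balancer then skips this node), deploy, start Apache again
    ssh "applicationUser@$i" "cd; apache2ctl stop; ./deploy.sh; sleep 30; apache2ctl start"
done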
The only hiccup is that the applicationUser does not have rights to start/stop Apache. After looking around for a while, I came to know about setuid, which allows users to run an executable with the permissions of the executable’s owner or group.
So, all I had to do in order to allow applicationUser to bounce the Apache process is:
sudo chmod u+s /usr/sbin/apache2
sudo chmod u+s /usr/sbin/apache2ctl
I also had to set the trusted relationship between the production servers and my machine in order to allow password-less SSH login.
After I did the above steps, I could deploy my application to all nodes in the cluster with a single command.
-Deepak
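To check a host for the setuid bits that the `chmod u+s` commands above set, and to remove them, here is an audit helper added as an example (it is not part of the original post). The function names are hypothetical; the script/binary distinction is reported because Linux ignores the setuid bit on `#!` interpreter scripts.

```shell
#!/bin/sh
# Added example: audit files for the setuid bit and clear it when asked.
# Function names are illustrative, not from the original post.

# Print "<state> <path>" for one file; return 1 if the setuid bit is set.
classify_setuid() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "missing $f"; return 0
    fi
    if [ ! -u "$f" ]; then
        echo "clean $f"; return 0
    fi
    # A leading "#!" marks an interpreter script; Linux ignores setuid on
    # those, so the bit gives no privilege but should still be removed.
    if [ "$(dd if="$f" bs=2 count=1 2>/dev/null)" = "#!" ]; then
        echo "setuid-script $f"
    else
        echo "setuid-binary $f"
    fi
    return 1
}

# Audit every path given; return non-zero if any of them is setuid.
audit_setuid() {
    rc=0
    for f in "$@"; do
        classify_setuid "$f" || rc=1
    done
    return $rc
}

# Mitigation: drop the setuid bit (run as the file owner or root).
clear_setuid() {
    for f in "$@"; do
        [ -u "$f" ] && chmod u-s "$f"
    done
    return 0
}

# Stand-alone use, e.g.: sh audit.sh /usr/sbin/apache2 /usr/sbin/apache2ctl
if [ "$#" -gt 0 ]; then
    audit_setuid "$@"
fi
```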
Thanks for this blog post. I’m using Alpine in an environment where security does not matter, so this was preferable to getting sudoers working. Good work!
Why do so many idiots on the internet keep saying you can edit the sudoers file? I tried that and the thing that happens next is you temporarily have automatic access to sudo anything you want.
You can edit the sudoers file, allowing the applicationUser to restart apache without a password prompt.
applicationUser ALL= NOPASSWD: /usr/sbin/apache2
Hi anon, thanks for the comment and the useful link. I didn’t know that sudo is configurable to such an extent.
I understand that the approach you suggested is much better from a security standpoint, but in my particular case, I wanted to be able to deploy without being prompted for the password for each server. There are only 2 users that exist on the servers — the applicationUser and the root user. So, it was not a problem for us that ALL users would be able to stop/start Apache processes.
-Deepak
setuid is VERY bad. It creates a potential security risk. Most utilities, financial institutions and large companies would disallow this method.
You already mention that sudo is available.