Posted to users@httpd.apache.org by "Gary W. Smith" <ga...@primeexalia.com> on 2006/08/29 17:45:18 UTC

[users@httpd] suicidal suexec question.


I've been assigned to create a port listener to do some administrative
tasks on some of our local servers.  We have a web console application
that basically writes some data to a file and a cronjob picks it up.
That doesn't seem to be fast enough for what we need.  So it has been
deemed that we need to write an application that will listen for
requests from our apache pages.  Many of these tasks need to be executed as
root.

Our ideas include running ssh on the local loopback with pub/priv key.
This can have some drawbacks as some commands are chained.  Instead of
writing a special port listener to do this work I was thinking that I
could compile a second copy of apache and run it on a different local
port (ex. 127.0.0.1:9000) and run the apps there under suexec privileges
for root.

I'm really looking for some ideas for the best approach and some
pointers on how to implement it.

Gary Wayne Smith

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] suicidal suexec question.

Posted by "Gary W. Smith" <ga...@primeexalia.com>.
Sounds reasonable.  Thanks for the info.  I will start playing and see
what I come up with now.

Gary Wayne Smith

> Sounds fine to me.  I'd probably go with a separate install, just so
> that you can strip the second apache down to the absolute minimum
> modules.  (You could do the same with one install if you use
> dynamically-loaded modules, but it is a little less clean.)



Re: [users@httpd] suicidal suexec question.

Posted by Joshua Slive <jo...@slive.ca>.
On 8/29/06, Gary W. Smith <ga...@primeexalia.com> wrote:
> Joshua,
>
> Let me pass this pseudo logic by you.
>
> * Create a dedicated user (say suapache:suapache/no shell/no homedir).
> * Add that user to the sudo privileges file (with access to the dedicated
> list of apps they can execute with nopass set and only localhost as
> access).
> * Create another instance of Apache running on a different port running
> with the new user (suapache) on 127.0.0.1.
>
> From reading the sudoers sample page this seems to fit what I want to
> do.  Does this logic seem appropriate?
>
> My next question about the Apache instance.  I can either do one of two
> things, create a completely separate instance of apache from source or
> use the existing runtime with a separate configuration file.  I am
> familiar with the first (as we have run two separate instances before)
> but I don't have any experience running two instances with distinct
> configuration files.
>
> Which would you suggest?

Sounds fine to me.  I'd probably go with a separate install, just so
that you can strip the second apache down to the absolute minimum
modules.  (You could do the same with one install if you use
dynamically-loaded modules, but it is a little less clean.)

Joshua.



RE: [users@httpd] suicidal suexec question.

Posted by "Gary W. Smith" <ga...@primeexalia.com>.
Joshua,

Let me pass this pseudo logic by you.

* Create a dedicated user (say suapache:suapache/no shell/no homedir).
* Add that user to the sudo privileges file (with access to the dedicated
list of apps they can execute with nopass set and only localhost as
access).
* Create another instance of Apache running on a different port running
with the new user (suapache) on 127.0.0.1.

From reading the sudoers sample page this seems to fit what I want to
do.  Does this logic seem appropriate?

My next question about the Apache instance.  I can either do one of two
things, create a completely separate instance of apache from source or
use the existing runtime with a separate configuration file.  I am
familiar with the first (as we have run two separate instances before)
but I don't have any experience running two instances with distinct
configuration files.

Which would you suggest?

Gary Wayne Smith

> -----Original Message-----
> From: jslive@gmail.com [mailto:jslive@gmail.com] On Behalf Of Joshua Slive
> Sent: Tuesday, August 29, 2006 8:51 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] suicidal suexec question.
> 
> Google for sudo, which is the canonical tool for these types of
> problems.  Suexec will not run stuff as root unless you hack it.
> 
> Running a separate daemon on a different port is a good idea with
> sudo, since it will allow you to isolate these requests under a
> different account and very-specific permissions.
> 
> Joshua.
> 
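The plan above (dedicated user, sudo rule for a fixed list of commands, second httpd bound to 127.0.0.1) and Joshua's advice to keep the privileged side under a separate account, written out as an added example. This is not code from the thread or from the Apache project; the user and group name `suapache`, port 9000, the two task scripts under `/usr/local/sbin`, the `/usr/local/apache2-suapache` install path and the CGI directory are all assumed. Note that the host column in sudoers names the machine the rule applies on, not the client, so the "localhost only" restriction comes from `Listen 127.0.0.1:9000` and the `Allow from 127.0.0.1` block in the httpd config rather than from sudo.

```shell
#!/bin/sh
# Added example, not code from the thread: the three pieces of the plan
# (sudo rule for the dedicated user, loopback-only httpd instance, and the
# CGI dispatcher that calls sudo). Assumed names: user/group "suapache",
# port 9000, the two task scripts under /usr/local/sbin, and the install
# directory /usr/local/apache2-suapache; adjust to the real system.

# 1. sudoers rule for the dedicated user. Add it with "visudo" (never by
#    editing /etc/sudoers directly). Only fixed, absolute, argument-free
#    commands are listed, so the web side can never choose the binary.
sudoers_fragment() {
    cat <<'EOF'
Cmnd_Alias ADMIN_TASKS = /usr/local/sbin/restart-web, /usr/local/sbin/rotate-logs
suapache ALL = (root) NOPASSWD: ADMIN_TASKS
EOF
}

# 2. Minimal httpd.conf for the second instance (Apache 2.2-era syntax):
#    bound to the loopback only, running as suapache, one CGI directory.
httpd_fragment() {
    cat <<'EOF'
Listen 127.0.0.1:9000
User suapache
Group suapache
ServerName localhost
ServerRoot /usr/local/apache2-suapache
PidFile logs/httpd.pid
DocumentRoot /usr/local/apache2-suapache/htdocs
ScriptAlias /admin/ /usr/local/apache2-suapache/cgi-bin/
<Directory "/usr/local/apache2-suapache/cgi-bin">
    Options ExecCGI
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
EOF
}

# 3. CGI dispatcher: map a task *name* from the query string to one of the
#    sudo-permitted commands. The exact "case" match means shell
#    metacharacters or paths in the request never reach sudo; any name not
#    in the list returns 1 and nothing is executed.
resolve_task() {
    case "$1" in
        restart-web) echo /usr/local/sbin/restart-web ;;
        rotate-logs) echo /usr/local/sbin/rotate-logs ;;
        *) return 1 ;;
    esac
}

# Handle one request of the form GET /admin/task.cgi?task=restart-web
task_cgi() {
    printf 'Content-Type: text/plain\r\n\r\n'
    task=${QUERY_STRING#task=}
    if cmd=$(resolve_task "$task"); then
        sudo "$cmd" 2>&1          # the sudoers rule above lets this run as root
        printf 'exit status: %s\n' "$?"
    else
        printf 'unknown task\n'
    fi
}

# Apache sets GATEWAY_INTERFACE for CGI scripts; when the file is sourced
# elsewhere only the functions are defined.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    task_cgi
fi
```

With a separate install, as Joshua suggests, the second instance is started from its own tree with `httpd -f /usr/local/apache2-suapache/conf/httpd.conf` and only the modules it needs (alias, cgi, authz_host) compiled in. Check the sudoers syntax with `visudo -c` before relying on it, and keep the task scripts themselves root-owned and non-writable by `suapache`, since whatever those files contain is what runs as root.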



Re: [users@httpd] suicidal suexec question.

Posted by Joshua Slive <jo...@slive.ca>.
On 8/29/06, Gary W. Smith <ga...@primeexalia.com> wrote:
>
>
> I've been assigned to create a port listener to do some administrative
> tasks on some of our local servers.  We have a web console application
> that basically writes some data to a file and a cronjob picks it up.
> That doesn't seem to be fast enough for what we need.  So it has been
> deemed that we need to write an application that will listen for
> requests from our apache pages.  Many of these tasks need to be executed as
> root.
>
> Our ideas include running ssh on the local loopback with pub/priv key.
> This can have some drawbacks as some commands are chained.  Instead of
> writing a special port listener to do this work I was thinking that I
> could compile a second copy of apache and run it on a different local
> port (ex. 127.0.0.1:9000) and run the apps there under suexec privileges
> for root.
>
> I'm really looking for some ideas for the best approach and some
> pointers on how to implement it.

Google for sudo, which is the canonical tool for these types of
problems.  Suexec will not run stuff as root unless you hack it.

Running a separate daemon on a different port is a good idea with
sudo, since it will allow you to isolate these requests under a
different account and very-specific permissions.

Joshua.
