Posted to users@httpd.apache.org by Ron Lee <ro...@googlemail.com> on 2007/08/06 12:21:27 UTC

[users@httpd] Running httpd as root on a Linux machine

Hi all,

I want to perform remote network configuration on a Linux machine via
web interface. I thought that I can use PHP for this purpose. When I
click on a certain button, I want certain configuration scripts
executed on the Linux machine. So far that works fine.

The problem I have is that my configuration scripts need root
privilege to run but the httpd daemon runs as "apache user". Is it
possible to run httpd as root? I know that this is a big security risk
but I still want to do this to meet my project requirements.

Thanks for any help!!

Ron

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Running httpd as root on a Linux machine

Posted by Ron Lee <ro...@googlemail.com>.
Hi all,

Thanks for your suggestions!

Kind regards,
Ron



Re: [users@httpd] Running httpd as root on a Linux machine

Posted by Jos Ewert <fl...@flami.net>.
I would make a cronjob that is executed every few minutes, so Apache
can still be its own user, you don't need to set anything in sudoers.
It might not be realtime but I think for security it's a good solution.


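An added example, not part of Jos's message, of the cron approach: the PHP page only drops a one-line request file into a spool directory, and a root cron job maps each request to a fixed script. The spool path, the `.req` suffix, the action names, the script paths and `SPOOL_DRYRUN` are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical root cron job, e.g. in /etc/cron.d/netcfg (assumed path):
#   */2 * * * * root /usr/local/sbin/netcfg-spool /var/spool/netcfg
# The PHP page, running as the apache user, only writes a one-line request
# file into the spool directory; it never gains root itself.

# Map a request keyword to a fixed root-owned script (paths are assumptions).
# Anything not listed is refused; file content is never executed.
action_for() {
    case "$1" in
        restart-network) echo /usr/local/sbin/netcfg-restart ;;
        enable-dhcp)     echo /usr/local/sbin/netcfg-dhcp-on ;;
        *) return 1 ;;
    esac
}

# Process every pending request once; print one result line per request.
# SPOOL_DRYRUN=1 reports what would run without running it.
process_spool() {
    spool=$1
    for req in "$spool"/*.req; do
        [ -e "$req" ] || [ -L "$req" ] || continue   # glob matched nothing
        name=${req##*/}
        # Refuse symlinks and non-regular files planted in the writable spool.
        if [ -L "$req" ] || [ ! -f "$req" ]; then
            echo "REJECT $name not-a-regular-file"; rm -f -- "$req"; continue
        fi
        IFS= read -r keyword < "$req" || [ -n "$keyword" ] || keyword=
        rm -f -- "$req"                              # consume the request
        if script=$(action_for "$keyword"); then
            echo "RUN $name $script"
            [ "${SPOOL_DRYRUN:-0}" = 1 ] || "$script"
        else
            echo "REJECT $name unknown-action"
        fi
    done
}

# Run only when given a spool directory, as the cron entry above does.
[ "$#" -eq 0 ] || process_spool "$1"
```

The web server user needs write access to the spool directory only; the scripts named in `action_for` stay root-owned and take no input from the request.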


RE: [users@httpd] Running httpd as root on a Linux machine

Posted by Graham Frank <gf...@neoservers.com>.
Why not use sudo to execute the commands through Apache?  At least then you
don't leave yourself open to an injected "dd if=/dev/random of=/dev/sda" or
the likes.

To set up sudo privs, you would need to edit /etc/sudoers and add:

httpd ALL=(ALL) NOPASSWD: /usr/bin/who,/usr/bin/ssh,/usr/bin/lynx

Then to execute the commands in Apache, run "/usr/bin/sudo
/path/to/command".

Hopefully this will be acceptable (I'm assuming the configuration scripts
try to execute commands on the server that would require root privs).

----
Graham Frank
Neoservers LLC - Founder and Owner
Ph: (608) 359-1593
Member of the Better Business Bureau   

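An added example, not part of Graham's message: sudo permits any arguments for a command listed by path alone, so the grant is narrowest when sudoers names a single root-owned wrapper that validates its input and runs one fixed command. The wrapper path, the `set-ip` action, `NETCFG_DRYRUN` and the use of `/sbin/ip` are assumptions for illustration; the `httpd` user follows the sudoers line in the message above.

```shell
#!/bin/sh
# Hypothetical root-owned wrapper, installed as /usr/local/sbin/netcfg-apply
# (assumed path, mode 0755, owner root). Assumed sudoers entry naming only it:
#   httpd ALL=(root) NOPASSWD: /usr/local/sbin/netcfg-apply
# PHP would call: /usr/bin/sudo /usr/local/sbin/netcfg-apply set-ip eth0 192.0.2.10 24

# Interface names: lowercase letters and digits only, at most 15 characters.
valid_iface() {
    case "$1" in ''|*[!a-z0-9]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# Dotted-quad IPv4: exactly four octets, each 0-255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Prefix length 1-32.
valid_prefix() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 2 ] && [ "$1" -ge 1 ] && [ "$1" -le 32 ]
}

# Validate every argument, then run one fixed command with an absolute path.
# NETCFG_DRYRUN=1 prints the command instead of running it.
netcfg_main() {
    if [ "$#" -ne 4 ] || [ "$1" != set-ip ]; then
        echo "usage: netcfg-apply set-ip IFACE ADDR PREFIX" >&2; return 2
    fi
    valid_iface "$2" && valid_ipv4 "$3" && valid_prefix "$4" ||
        { echo "rejected arguments" >&2; return 1; }
    set -- /sbin/ip addr replace "$3/$4" dev "$2"
    if [ "${NETCFG_DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

[ "$#" -eq 0 ] || netcfg_main "$@"
```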


Re: [users@httpd] Running httpd as root on a Linux machine

Posted by lists <li...@jaqui-greenlees.net>.
Ron Lee wrote:
> Hi all,
> 
> I want to perform remote network configuration on a Linux machine via
> web interface. I thought that I can use PHP for this purpose. When I
> click on a certain button, I want certain configuration scripts
> executed on the Linux machine. So far that works fine.

Webmin won't meet your needs? Most distros offer it as an option
in the package manager. It usually uses an embedded HTTPS engine
this way and would need to be configured to allow from outside the
localhost. Or the scripts can be downloaded and installed into Apache's
document root tree.


~snip~

> Is it possible to run httpd as root?

Yes, set the user and group in httpd.conf to root, then restart the server.

> I know that this is a big security risk
> but I still want to do this to meet my project requirements.
> 
> Thanks for any help!!
> 
> Ron

