Limit user to only restarting Apache

Q My web developer has been granted access to FTP and SSH into a dedicated server that we are renting. He can upload pages and manage MySQL together with an Apache include file for the server's site-specific configurations. Since our company's security policies dictate that we cannot disclose the root password to a contractor, we are being called by the developer to restart Apache a number of times a day, which is not ideal. What do you recommend?

A If you are running Webmin you will be able to create a user that is restricted to doing nothing but stopping and starting Apache. First, create a new user through Webmin > Webmin Users and select Apache Webserver. Click on the Apache Webserver link to restrict access specifically to whichever aspects of Apache administration the contractor needs. Alternatively, if command line access is preferred, Sudo becomes the way to go. It is likely that a copy of Sudo (www.sudo.ws) came preinstalled with your distribution. The sudo command allows certain users or groups to execute a number of commands as root or otherwise specified. The configuration file /etc/sudoers, editable through visudo as root, defines who can do what as who. The configuration itself can be a bit daunting, and time spent reading the man pages is time well spent. Here is a simplified configuration that can be used to allow user webman' to execute the Apache and MySQL startup files. The user will also be able to kill, as user 'apache', any renegade process belonging to user 'apache':

Cmnd_Alias       HTTPD = /etc/rc.d/init.d/httpd
Cmnd_Alias       MYSQLD = /etc/rc.d/init.d/mysqld
Cmnd_Alias       KILL = /bin/kill
webman           ALL = (root)
NOPASSWD: HTTPD, MYSQLD
webman           ALL = (apache)
NOPASSWD: KILL
Usage:
$ sudo /etc/rc.d/etc/httpd stop
$ sudo -u apache kill 9982
$ sudo /etc/rc.d/etc/mysqld restart

This should set you straight.

Follow us on Identi.ca or Twitter

Username:   Password:
Create Account | About TuxRadar