How to allow non-root user to start/stop Apache process on a *nix server

13 / May / 2010 by Deepak Mittal 5 comments

Recently, I had to write a script to deploy a Grails application on a cluster of 7 servers without prompting for any kind of passwords. The load balancer was configured so as NOT to direct any request to the node, if the Apache process is not running on the server.

So, my script to do the deployment on all the servers one by one is very simple — (a) stop Apache (b) deploy new version of the app on Tomcat using deploy.sh script lying on the server (c)  start Apache

SERVER_IPS="10.20.30.40 10.20.30.41 10.20.30.42"
for i in `echo $SERVER_IPS`
do
     echo "Deploying on Web Host $i"
     ssh applicationUser@$i "cd; apache2ctl stop; ./deploy.sh; sleep 30; apache2ctl start"
done

The only hiccup is that the applicationUser does not have rights to start/stop Apache.  After looking around for a while, I came to know about setuid which allow users to run an executable with the permissions of the executable’s owner or group.

So, all I had to do in order to allow  applicationUser to bounce apache process is :

sudo u+s /usr/sbin/apache2
sudo u+s /usr/sbin/apache2ctl

I also had to set the trusted relationship between the production servers and my machine in order to allow password-less SSH login.

After I did the above steps, I could deploy my application to all nodes in the cluster with a single command.

-Deepak

FOUND THIS USEFUL? SHARE IT

comments (5)

  1. Jon

    Thanks for this blog post. I’m using Alpine in an environment where security does not matter, so this was preferable to getting sudoers working. Good work!

    Reply
  2. david

    why do so many idiots on the internet keep saying you can edit the sudoers file? i tried that and the thing that happens next is you temporarily have automatic access to sudo anything you want.

    Reply
  3. Ivan

    You can edit the sudoers file, allowing the applicationUser to restart apache without a password prompt.

    applicationUser ALL= NOPASSWD: /usr/sbin/apache2

    Reply
  4. dmittal

    Hi anon, thanks for the comment and the useful link. I didn’t know that sudo is configurable to such an extent.

    I understand that the approach you suggested is much better from security stand-point, but in my particular case, I wanted that I should be able to deploy without being prompted for the password for each server. There are only 2 users that exist on the servers — the applicationUser and the root user. So, it was not a problem for us that ALL users would be able to stop/start apache processes.

    -Deepak

    Reply
  5. anon

    setuid is VERY bad. It creates a potential security risk. Most utilities, financial institutions and large cmpanies would disallow this method.

    You already mention that sudo is available.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *