How to allow non-root user to start/stop Apache process on a *nix server « Intelligrape Groovy & Grails Blogs

How to allow non-root user to start/stop Apache process on a *nix server

Posted by Deepak Mittal

Recently, I had to write a script to deploy a Grails application on a cluster of 7 servers without prompting for any kind of passwords. The load balancer was configured so as NOT to direct any request to the node, if the Apache process is not running on the server.

So, my script to do the deployment on all the servers one by one is very simple — (a) stop Apache (b) deploy new version of the app on Tomcat using deploy.sh script lying on the server (c)  start Apache

SERVER_IPS="10.20.30.40 10.20.30.41 10.20.30.42"
for i in `echo $SERVER_IPS`
do
     echo "Deploying on Web Host $i"
     ssh applicationUser@$i "cd; apache2ctl stop; ./deploy.sh; sleep 30; apache2ctl start"
done

The only hiccup is that the applicationUser does not have rights to start/stop Apache.  After looking around for a while, I came to know about setuid which allow users to run an executable with the permissions of the executable’s owner or group.

So, all I had to do in order to allow  applicationUser to bounce apache process is :

sudo u+s /usr/sbin/apache2
sudo u+s /usr/sbin/apache2ctl

I also had to set the trusted relationship between the production servers and my machine in order to allow password-less SSH login.

After I did the above steps, I could deploy my application to all nodes in the cluster with a single command.

-Deepak

  • Share/Bookmark
This entry was posted on May 13th, 2010 at 11:19 am and is filed under Linux, System . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

4 Responses to “How to allow non-root user to start/stop Apache process on a *nix server”

  1. anon says:
    May 14, 2010 at 4:15 am

    setuid is VERY bad. It creates a potential security risk. Most utilities, financial institutions and large cmpanies would disallow this method.

    You already mention that sudo is available. This sort of thing is MUCH, much better:

    http://www.cyberciti.biz/faq/use-sudo-or-sudoers-to-start-stop-restart-apache/

  2. dmittal says:
    May 14, 2010 at 11:53 am

    Hi anon, thanks for the comment and the useful link. I didn’t know that sudo is configurable to such an extent.

    I understand that the approach you suggested is much better from security stand-point, but in my particular case, I wanted that I should be able to deploy without being prompted for the password for each server. There are only 2 users that exist on the servers — the applicationUser and the root user. So, it was not a problem for us that ALL users would be able to stop/start apache processes.

    -Deepak

  3. Ivan says:
    August 13, 2010 at 11:45 pm

    You can edit the sudoers file, allowing the applicationUser to restart apache without a password prompt.

    applicationUser ALL= NOPASSWD: /usr/sbin/apache2

  4. Premium Accounts says:
    December 9, 2011 at 1:14 pm

    Premium Accounts…

    [...]How to allow non-root user to start/stop Apache process on a *nix server « Intelligrape Groovy & Grails Blogs[...]…

Leave a Reply