I'd like to know if it is possible for a non-root user on Linux (I'm using openSUSE) to run Apache without using the sudo command. Take into account that the user is in the same group as Apache (wwwrun).
Thanks in advance.

A: 

The two problems I can think of that you need to overcome are:

  1. Permissions on log files - these may well be already set to allow wwwrun to access them, but it's often an issue.

  2. Non-root user accessing a privileged port (80) - not sure if/how you can change this.

benlumley
+4  A: 

You can run Apache as any user. Just make sure that it is set up to only use allowed resources (directories, files and most importantly listening on a non privileged port).

To have it appear on HTTP’s standard port 80 (which is privileged) you will have to set up, as root, a redirection to your real Apache server. The easiest way is probably using iptables. For example, if your Apache server is listening on port 8080:

iptables -t nat -A PREROUTING -p tcp --dport 80 --syn -j REDIRECT --to-port 8080

If you cannot configure the server like this (or have your sysadmin do that once for all) you will have to use a non-privileged port (something like Listen 8080) and access it using a URL that looks like http://www.example.com:8080/

kmkaplan
The problem is I cannot become root, so I'm looking for a way to overcome everything that needs to be done as root. But thanks for your answer.
perfectDay
A: 

I think you should be able to do this by granting execute access to the group owning the Apache control program (e.g., "chmod g+x apachectl"). If this doesn't work by itself, try also setting the owner SUID bit on the program (something along the lines of "chmod u+s apachectl").

The first step allows users in your wwwrun group to execute the apachectl program. The second step makes it so that when the group runs the program, it runs with the program owner's privileges.

Let me know if this works, I'm a little rusty with file execution SUID, but I can help look into it further if you still have problems.

Be sure you understand the consequences of setting the SUID bit before you do this though.

Jack Leow
+3  A: 

Short answer: No

The reason for it is that only root can bind ports below 1024.

Long answer: check out http://www.debian-administration.org/articles/386

Once you overcome the problem with the ports, I don't think there will be any more trouble. Just remember that the user that Apache runs under needs to have write access to the log files and maybe some other files as well.

However, if you run it without sudo, the spawner will probably not be able to change the user, so apache will be being run as the user starting it, instead of the apache user.

But what is the reason you don't want to run sudo? It is only the spawner process that is being run as root, the rest of them are being run under the apache user.

Jimmy Stenke
+2  A: 

The problems pointed out above by benlumley, i.e. log files and reserved ports, can easily be overcome by configuring the log directory and port in your httpd.conf.

Rob Wells
There is no way around privileged port access limitations without privileged access.
kmkaplan
"Configuring the... port in your httpd.conf" is a way around privileged port access limitations, as you can choose a non-privileged port to listen on.
Dave Sherohman
Oh OK, I had not realized a non-standard port would suit perfectDay.
kmkaplan
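
The approach discussed in the answers above (an unprivileged listening port plus log and PID paths the user can write to), as an added example that is not part of the original thread. The function names, the directory layout and the generated file are assumptions; the modules the server must load depend on the distribution's build.

```shell
#!/bin/sh
# Added example. Function names and the directory layout are assumptions,
# not something taken from the thread.

# Lowest port an unprivileged process may bind: 1024 traditionally,
# exposed as a sysctl on newer Linux kernels.
unpriv_port_start() {
    f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# port_ok UID PORT START: succeeds if a process running as UID may bind PORT.
port_ok() {
    [ "$1" -eq 0 ] || [ "$2" -ge "$3" ]
}

# write_user_conf DIR PORT [UID] [START]
# Creates DIR/logs, DIR/run, DIR/htdocs and DIR/httpd.conf for the calling user.
write_user_conf() {
    dir=$1 port=$2 uid=${3:-$(id -u)} start=${4:-$(unpriv_port_start)}
    if ! port_ok "$uid" "$port" "$start"; then
        echo "port $port is privileged for uid $uid (need >= $start)" >&2
        return 1
    fi
    mkdir -p "$dir/logs" "$dir/run" "$dir/htdocs" || return 1
    dir=$(cd "$dir" && pwd) || return 1   # absolute path for the config
    # Everything the server writes must be writable by the user starting it.
    for d in "$dir/logs" "$dir/run"; do
        [ -w "$d" ] || { echo "$d is not writable" >&2; return 1; }
    done
    cat > "$dir/httpd.conf" <<EOF
# No User/Group lines: a server started without root cannot switch user,
# so every worker runs as the account that started it.
# Add the LoadModule lines your build needs here (paths vary by distribution).
Listen $port
PidFile "$dir/run/httpd.pid"
ErrorLog "$dir/logs/error_log"
DocumentRoot "$dir/htdocs"
EOF
}

# Usage (server binary name varies by distribution):
#   write_user_conf "$HOME/apache" 8080 && httpd -f "$HOME/apache/httpd.conf"
```

Because the workers keep the starting user's identity, anything that account can read or write is reachable from the web server, so a dedicated low-privilege account is the safer choice for running it.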
A: 

You can "setuid" to allow non-root users to run apachectl as root (without having to authenticate as root).

Example

Edit: Should mention that you require root access to set this up in the first place :-)

Nick