Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Apache>
  3. Users
Recommended best practices or guides
nhrdls at gmail
Sep 29, 2020, 7:33 AM
Post #1 of 3 (215 views)
Permalink
Greeting,


On Ubuntu 18.04, Apache version 2.4.29, all packages installed from
standard repositories and no customization.


We have a need to allow certain group of people to perform operations
such as start/stop/reload etc. Traditionally these operations are
performed using sudo command e.g. sudo service apache2 start. These
people don't need full sudo permissions. All they need is apache related
permissions. We can tinker with an entry in sudoers.d and grant required
permissions - but permissions need to be granted to "service" command


Root problem I am trying to solve is dynamically managing instance from
Amazon ec2 and adding/removing it from traffic. Right now we have a list
of balancer members and this list needs to managed. This is QA related
activity where we start/stop instance as per need using bunch of
scripts. Since IP address keeps changing, we have to manage balancer
configuration. We have not yet got around automating balancer manager
operations and looking for easier way out.


Are there any recommended best practices or guides to allow these kinds
of granular permissions? My searches so far has revealed commands using
sudo.


Regards,


Niranjan


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Recommended best practices or guides [ In reply to ]
drescher at inter
Sep 29, 2020, 7:47 AM
Post #2 of 3 (215 views)
Permalink
On 29.09.20 16:33, Niranjan Rao wrote:
> Greeting,
[...]
> Are there any recommended best practices or guides to allow these kinds of granular permissions? My searches so far has revealed commands using sudo.
>
>
> Regards,
>
>
> Niranjan

Unfortunately sudo supports no regular expressions. However, with wildcards, which does work in a sudoers file, you can construct almost any command you may need. It will not look pretty, but it will work.
Use the Cmnd_Alias, avoid Asterisk!

--

Martin

Attached Files:

Re: Recommended best practices or guides [ In reply to ]
kremels at kreme
Sep 30, 2020, 8:11 AM
Post #3 of 3 (212 views)
Permalink
On 29 Sep 2020, at 08:33, Niranjan Rao <nhrdls@gmail.com> wrote:
> We have a need to allow certain group of people to perform operations such as start/stop/reload etc. Traditionally these operations are performed using sudo command e.g. sudo service apache2 start. These people don't need full sudo permissions. All they need is apache related permissions. We can tinker with an entry in sudoers.d and grant required permissions - but permissions need to be granted to "service" command

Write a command (a simple shell script) that executes the command you want to allow, for example, /usr/local/bin/starta2 => "sudo apache2 start" and grant the user access to that script in the shudders file.

Repeat with other commands.

Make sure the script(s) is owned by root and has permissions 0700.

> Are there any recommended best practices or guides to allow these kinds of granular permissions? My searches so far has revealed commands using sudo.

Sudo is the way to do this, but to restrict specific commands to specific options, you have to to a little two-step.

I do something like this to allow an unprivilegeduser to start rsnapshot.



--
"He uses statistics as a drunken man uses lamp-posts... for support
rather than illumination." - Andrew Lang (1844-1912)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal