httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "@lbutlr" <krem...@kreme.com>
Subject Re: [users@httpd] Recommended best practices or guides
Date Wed, 30 Sep 2020 15:11:37 GMT
On 29 Sep 2020, at 08:33, Niranjan Rao <nhrdls@gmail.com> wrote:
> We have a need to allow certain group of people to perform operations such as start/stop/reload
etc. Traditionally these operations are performed using sudo command e.g. sudo service apache2
start. These people don't need full sudo permissions. All they need is apache related permissions.
We can tinker with an entry in sudoers.d and grant required permissions - but permissions
need to be granted to "service" command

Write a command (a simple shell script) that executes the command you want to allow, for example,
/usr/local/bin/starta2 => "sudo apache2 start" and grant the user access to that script
in the shudders file.

Repeat with other commands.

Make sure the script(s) is owned by root and has permissions 0700.

> Are there any recommended best practices or guides to allow these kinds of granular permissions?
My searches so far has revealed commands using sudo.

Sudo is the way to do this, but to restrict specific commands to specific options, you have
to to a little two-step.

I do something like this to allow an unprivilegeduser to start rsnapshot.



-- 
"He uses statistics as a drunken man uses lamp-posts... for support
	rather than illumination." - Andrew Lang (1844-1912)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message