
Is there a way to give another user access to restart a certain service?

Red Squirrel

I have a basic web based tool on my local server that allows me to easily edit spam rules. I was thinking, it would be nice to make it restart the spamassassin service so I don't have to go in as root and do it manually. The script is running under the user apache. Now in a normal circumstance where it's shared hosting I know this would be a really bad idea, but this is just a home server that nobody else accesses.

So how would I go about doing that, other than running apache as root?
 
Maybe with sudo? I want to say you should be able to set up the sudoers file to let apache (or $user) do just one thing, like restart a service, and not require a password to do it.
 
Sudo is what you would do, but you have to be very careful with what you allow because apache will be running that command as root, so if it's too lax and an attacker figures out that's there, he might be able to get apache to give him a root shell or at least run something else as root that you don't want.
 
A sudoers edit will do what you want.
I recently set up a new Ubuntu 11.04 system for my wife, and I found that her user could not automatically mount a remote (music) share. I put the "smbmount" command with her user id in the sudoers file, and it works great.
 
I'll try sudo and see, though I figured that prompted for a password. Or is there a config file somewhere I can edit? I think I recall something like that.
 
I know what sudo does and I know there's a -p to input the password so it can be automated, but I am hoping for something slightly more secure than having a clear text password somewhere. But guess it does not really matter as this whole idea is insecure anyway...

Come to think of it, the best way is to probably have my script write a file, and have a background script running as root and when it sees that file, then it restarts the service. If this was a shared server then I'd want something more secure so not just anybody can restart a service at random, but for this it will do.
 

The cron script could work but would mean there's a delay between when you write the file and the restart actually happens. If the delay is acceptable then that's fine, but means you can't just click apply and have it happen immediately.

The best way would be to use the NOPASSWD option, like the documentation for the sudoers file talks about...
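
Added example, not part of the thread: a NOPASSWD rule scoped to the single restart command for the apache user, with a small check that rejects the "too lax" forms warned about earlier. The command path `/sbin/service` and the drop-in file name are assumptions; adjust them to the actual system.

```shell
#!/bin/sh
# Added example. Assumptions, not from the thread: the restart command is
# /sbin/service and the drop-in file is /etc/sudoers.d/spamassassin-restart.
RULE='apache ALL=(root) NOPASSWD: /sbin/service spamassassin restart'
DROPIN=/etc/sudoers.d/spamassassin-restart

# check_rule LINE: print a verdict; return 0 only for a tightly scoped rule.
check_rule() {
    spec=${1#*NOPASSWD:}              # command spec after the NOPASSWD tag
    spec=${spec#"${spec%%[! ]*}"}     # trim leading spaces
    case $spec in
        ALL*)        echo "lax: any command as root"; return 1 ;;
        *,*)         echo "review: more than one command in the rule"; return 1 ;;
        *[*?]*|*\[*) echo "lax: wildcard in command or arguments"; return 1 ;;
        /*\ *)       echo "ok"; return 0 ;;
        # A command listed without arguments may be run with ANY arguments.
        /*)          echo "lax: arguments not pinned"; return 1 ;;
        *)           echo "invalid: command must be an absolute path"; return 1 ;;
    esac
}

# install_rule: run as root. The rule is syntax-checked in a temp file first,
# so a typo never lands in /etc/sudoers.d and breaks sudo for everyone.
install_rule() {
    check_rule "$RULE" >/dev/null || return 1
    tmp=$(mktemp) || return 1
    printf '%s\n' "$RULE" > "$tmp"
    visudo -cf "$tmp" && install -o root -g root -m 0440 "$tmp" "$DROPIN"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

The web tool then runs `sudo -n /sbin/service spamassassin restart` with exactly those arguments; `-n` makes sudo fail instead of prompting if the rule does not match.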
 