WebFaction

I want a developer on my team to deploy the latest app to the server and restart Apache. I have set up the SSH accounts and given the necessary perms as given in the docs. But my developer cannot restart Apache. How can I do this?

asked 21 Jun '13, 11:19

ajumell


As you've noticed, one user cannot restart another user's processes.

The workaround is to create a setuid binary that executes the restart command as your main user, and then give your extra SSH user execute permission on the binary. Here's how:

First, create a small C program like this, replacing the paths with those appropriate for your username and application:

#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>

/* The child's environment is fixed here: the caller's environment is not
   passed through, only the library path the bundled Apache needs. */
char *env[] = {"LD_LIBRARY_PATH=/home/username/webapps/django/apache2/lib", NULL};

int main(void) {
        /* execle() replaces this process with "httpd.worker -k restart", using
           the fixed argument list and the environment above. It only returns
           if the exec itself failed, hence the failure exit below. */
        execle("/home/username/webapps/django/apache2/bin/httpd.worker",
               "/home/username/webapps/django/apache2/bin/httpd.worker",
               "-f", "/home/username/webapps/django/apache2/conf/httpd.conf",
               "-k", "restart",
               (const char *) NULL,
               env);
        return(EXIT_FAILURE);
}

Save that as "restart_django.c" (for example) and then compile it:

gcc restart_django.c -o ~/bin/restart_django

Remove execute permission for "other" from ~/bin/restart_django:

chmod o-x ~/bin/restart_django

Flip the setuid bit on ~/bin/restart_django:

chmod +s ~/bin/restart_django

Finally, give your extra user (I'll call him "bob") permission to execute ~/bin/restart_django:

setfacl -m u:bob:--x ~ ~/bin ~/bin/restart_django

Once you've done that, "bob" can run "/home/username/bin/restart_django" to restart your Apache instance, and your main user ("username") will retain ownership of the processes.

Hope that helps!


answered 21 Jun '13, 13:09

seanf

edited 21 Jun '13, 13:13
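A hardened variant of the same setuid wrapper, added here as an example (it is not seanf's code and not anything WebFaction ships). It keeps the answer's approach, a compiled binary with a fixed argv and a fixed environment, and goes a little beyond it: it refuses callers whose real UID is not on an allow-list (so the filesystem ACL is not the only gate), it calls setuid() so the restarted httpd cannot fall back to the caller's UID, and it reports exec failures instead of silently exiting. The paths are the placeholders from the answer, and the allowed UID 1001 is a constructed value to be replaced with the output of `id -u bob`. Build and install it exactly as the answer describes (gcc, chmod o-x, chmod +s, setfacl).

```c
/* Hardened setuid restart wrapper: example code, not the answer's own program.
 * Paths and the allowed UID are placeholders; adjust them before building. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Everything the child receives is fixed here. Nothing from the caller's
 * argv or environment is forwarded (no LD_PRELOAD, PATH, and so on). */
#define HTTPD      "/home/username/webapps/django/apache2/bin/httpd.worker"    /* placeholder */
#define HTTPD_CONF "/home/username/webapps/django/apache2/conf/httpd.conf"     /* placeholder */
#define HTTPD_LIB  "LD_LIBRARY_PATH=/home/username/webapps/django/apache2/lib" /* placeholder */

static char *const restart_argv_v[] = { HTTPD, "-f", HTTPD_CONF, "-k", "restart", NULL };
static char *const restart_env_v[]  = { HTTPD_LIB, NULL };

/* Real UIDs permitted to invoke the wrapper, in addition to the owner.
 * Constructed example value: replace with the result of `id -u bob`. */
static const uid_t allowed_callers[] = { 1001 };

/* Returns 1 if `caller` appears in the allow-list, 0 otherwise. */
int caller_allowed(uid_t caller, const uid_t *allowed, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == caller) return 1;
    return 0;
}

/* The fixed argument and environment vectors, exposed for inspection. */
char *const *restart_argv(void) { return restart_argv_v; }
char *const *restart_env(void)  { return restart_env_v; }

/* Number of entries before the NULL terminator of a vector. */
size_t vec_len(char *const *v) { size_t n = 0; while (v[n]) n++; return n; }

int main(void) {
    uid_t real = getuid(), eff = geteuid();
    size_t n_allowed = sizeof allowed_callers / sizeof allowed_callers[0];

    /* The owner may always run it; anyone else must be on the allow-list.
     * This check is enforced even if the ACL on the binary is widened later. */
    if (real != eff && !caller_allowed(real, allowed_callers, n_allowed)) {
        fprintf(stderr, "restart wrapper: uid %ld is not permitted\n", (long) real);
        return EXIT_FAILURE;
    }

    /* Make real, effective and saved UID all equal to the owner, so the
     * restarted httpd is unambiguously the owner's and cannot regain the
     * caller's identity via the saved UID. */
    if (setuid(eff) != 0) {
        perror("restart wrapper: setuid");
        return EXIT_FAILURE;
    }

    execve(HTTPD, restart_argv(), restart_env());
    perror("restart wrapper: execve");   /* reached only if exec failed */
    return EXIT_FAILURE;
}
```

The allow-list is deliberately compiled in rather than read from a file or the command line: a setuid program that reads configuration from something its caller can influence has handed the caller a way to change what runs as the owner.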

Is there a Python or shell alternative to this, so that I can customize the script easily?

(21 Jun '13, 23:32) ajumell

This has to be done with a compiled language because Unix-based systems generally do not allow setting the setuid bit on scripts using "#!" interpreters. It is a security mechanism.

(22 Jun '13, 02:30) waynek

last updated: 26 Jun '13, 12:29
