Making Apache to 'reload' its configuration
This is a discussion on Making Apache to 'reload' its configuration within the Apache Web Server forums, part of the Web Server and Related Forums category; Toby Inkster wrote: > Aaron Gray wrote: >> "Toby Inkster" <usenet200701@tobyinkster.co.uk> wrote ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
01-19-2007
|
|||
|
|||
Re: Making Apache to 'reload' its configuration
Toby Inkster wrote:
> Aaron Gray wrote: >> "Toby Inkster" <usenet200701@tobyinkster.co.uk> wrote in message >> news:bs7484-dcj.ln1@ophelia.g5n.co.uk... >> >>> That having been said, look at "sudo". >> >> No that requires a password to be entered. > > You seem to be getting confused with "su". "sudo" can be set up for > regular users to run stuff as root *without* passwords. Indeed, that's > kind of the point of it. But still... you do not want to give apache sudo rights. I would LOVE to add a few PHP scripts of my own to that server. No, not really because I am a good guy. :P But maybe, if the server is totally dedicated to this job, and no others can use that apache, it is doable. But not really recommended. I would say: don't. Regards, Erwin Moller |
|
01-19-2007
|
|||
|
|||
|
Re: Making Apache to 'reload' its configuration
Erwin Moller wrote:
> Toby Inkster wrote: > >> Aaron Gray wrote: >>> "Toby Inkster" <usenet200701@tobyinkster.co.uk> wrote in message >>> news:bs7484-dcj.ln1@ophelia.g5n.co.uk... >>> >>>> That having been said, look at "sudo". >>> No that requires a password to be entered. >> You seem to be getting confused with "su". "sudo" can be set up for >> regular users to run stuff as root *without* passwords. Indeed, that's >> kind of the point of it. > > But still... you do not want to give apache sudo rights. I would LOVE to add > a few PHP scripts of my own to that server. No, not really because I am a > good guy. :P > > But maybe, if the server is totally dedicated to this job, and no others can > use that apache, it is doable. But not really recommended. > I would say: don't. > Sudo can be configured to give individual users access to only one or a limited set of commands. You could create a script written for the explicit purpose needed that is not writable by other than root and then give apache sudo privileges to run that specific script. Just a thought. Jim |
|
01-19-2007
|
|||
|
|||
|
Re: Making Apache to 'reload' its configuration
"Erwin Moller"
<since_humans_read_this_I_am_spammed_too_much@spam yourself.com> wrote in message news:45b0964b$0$330$e4fe514c@news.xs4all.nl... > Colin McKinnon wrote: > >> Aaron Gray wrote: >> >>> "Toby Inkster" <usenet200701@tobyinkster.co.uk> wrote in message >>> news:bs7484-dcj.ln1@ophelia.g5n.co.uk... >>>> Aaron Gray wrote: >>>> >>>>> The signal in the shell script works fine from root but will not work >>>>> when >>>>> called from PHP. >>>> >>>> As Jerry indicated, you are probably trying to fix the wrong problem. >>>> If >>>> we knew *why* you were trying to do this, then we might be able to tell >>>> you an alternative to reloading Apache in the first place. >>> >>> Okay, I am working on putting to gether a server administration program >>> thats written in PHP and runs in Apache. It needs to reload the >>> configuration after adding, removing, or modifying the virtual web sites >>> Apache is serving. >>> >>> The only simple way I can think of is to do a reload every 10 minutes or >>> every hour, as a cron job, or so. >> >> You are writing a server administration program but you don't know how >> permissions work. Am I the only one to feel a bit worried at this point? > > No Colin, you are not alone. ;-) > I think a security audit may be in place after the project is delivered. Yes. I am not sure over this either. Other server admin software ie ISPConfig uses a separate instillation of Apache only running the admin software, and WebMin uses a Perl based http server running as root. As my main remit is to provide a community web server administration system and allowing for the fact of needing to run other PHP scripts this is indeed a problem. I am biased towards using either a separate instillation of Apache running with extra permissions or doing a Perl based solution. Any other solutions are welcome; if there are any. Thanks for your critisism, Aaron |
|
01-19-2007
|
|||
|
|||
|
Re: Making Apache to 'reload' its configuration
"Erwin Moller"
<since_humans_read_this_I_am_spammed_too_much@spam yourself.com> wrote in message news:45b0964b$0$330$e4fe514c@news.xs4all.nl... > Colin McKinnon wrote: > >> Aaron Gray wrote: >> >>> "Toby Inkster" <usenet200701@tobyinkster.co.uk> wrote in message >>> news:bs7484-dcj.ln1@ophelia.g5n.co.uk... >>>> Aaron Gray wrote: >>>> >>>>> The signal in the shell script works fine from root but will not work >>>>> when >>>>> called from PHP. >>>> >>>> As Jerry indicated, you are probably trying to fix the wrong problem. >>>> If >>>> we knew *why* you were trying to do this, then we might be able to tell >>>> you an alternative to reloading Apache in the first place. >>> >>> Okay, I am working on putting to gether a server administration program >>> thats written in PHP and runs in Apache. It needs to reload the >>> configuration after adding, removing, or modifying the virtual web sites >>> Apache is serving. >>> >>> The only simple way I can think of is to do a reload every 10 minutes or >>> every hour, as a cron job, or so. >> >> You are writing a server administration program but you don't know how >> permissions work. Am I the only one to feel a bit worried at this point? > > No Colin, you are not alone. ;-) > I think a security audit may be in place after the project is delivered. Yes. I am not sure over this either. Other server admin software ie ISPConfig uses a separate instillation of Apache only running the admin software, and WebMin uses a Perl based http server running as root. As my main remit is to provide a community web server administration system and allowing for the fact of needing to run other PHP scripts this is indeed a problem. I am biased towards using either a separate instillation of Apache running with extra permissions or doing a Perl based solution. Any other solutions are welcome; if there are any. Thanks for your critisism, Aaron |
|
01-19-2007
|
|||
|
|||
|
Re: Making Apache to 'reload' its configuration
>> I think a security audit may be in place after the project is delivered.
> > Yes. I am not sure over this either. Other server admin software ie > ISPConfig uses a separate instillation of Apache only running the admin > software, and WebMin uses a Perl based http server running as root. > > As my main remit is to provide a community web server administration > system > and allowing for the fact of needing to run other PHP scripts this is > indeed > a problem. > > I am biased towards using either a separate instillation of Apache running > with extra permissions or doing a Perl based solution. > > Any other solutions are welcome; if there are any. The only partial solution I can come up with is coding a new command to use instead of 'kill' that will only send a SIGHUP to a HTTPD process. This would still allow rouge web sites to DoS Apache with reloads, but thats about all. I think this is a good compromise and will probably be adopting this as a solution for the time being. The PHP Apache and ProFTPd configuration code will still be vailid either using HTTPD SIGHUP solution or with a second root instance of Apache ala. ISPConfig. Feedback most welcome. Aaron |
Linear Mode
