User with special privileges ... !

Taking care of your Linux box.
mrkkhattak
Site Admin
Posts: 285
Joined: Wed Aug 07, 2002 8:00 pm
Location: Karachi

Postby mrkkhattak » Mon Sep 02, 2002 2:23 pm

Assalamualaikum,

How could I create a user with some special privileges
(i.e. only by defining its group as root will he
have access to certain areas or not)?

I want to create a user who could edit/remove changes
to Apache...

Besides that, can anybody explain to me, or give me a link
or a book name, which could give me in-depth info
regarding user administration?

mahin
Major
Posts: 605
Joined: Wed Aug 07, 2002 8:00 pm
Location: Karachi

Postby mahin » Mon Sep 02, 2002 5:45 pm

If you want, you can borrow Linux System Administration by M. Carling/Stephen Degler/James Dennis; not the best, but good.

Postby mrkkhattak » Tue Sep 03, 2002 10:30 am

Thank You ... !

AsadR
Lance Naik
Posts: 36
Joined: Sat Sep 14, 2002 11:27 am
Location: Khi.pk

non-root admin.

Postby AsadR » Sat Oct 12, 2002 11:44 pm

Another way would be for you to create a new user (new uid and gid) and configure the apache configuration file to be writable by the new user/group. A small SUID script (executable only by the new user/group) could be used to send the Apache Daemon SIGHUP or to call "apachectl" to restart Apache to reload the configuration file.

Basically all you have to do is make sure the permissions on the Apache configuration files are such that they are readable by Apache itself, and writable by the user/group you've created, and no one else. To make the Apache daemon reload its configuration file, you need to run something like "apachectl restart" as root.
I strongly feel that you shouldn't make apachectl directly SUID, but instead use a small intermediary script that has the SUID flag set. This is more secure as it will be small and simple, and can be configured to be run by only the specified user/group.

hope that wasn't too complicated :)

Asad

"...sudo is just plain stupid..."

fawad
Site Admin
Posts: 918
Joined: Wed Aug 07, 2002 8:00 pm
Location: Addison, IL

Postby fawad » Sun Oct 13, 2002 8:03 am

I agree with Asad's suggestion. That'll probably be the most straightforward, and will probably be most secure. However, if the operator manages to screw up the httpd.conf and Apache dies, he won't be able to start it up without root privileges. Putting /etc/init.d/httpd into the sudo permissions for that group will probably take care of that. It might be a good idea to look into running Apache on port >1024 and using port forwarding into that port. That way, you can run the server as a non-root user and delegate privileges as you see fit.

Postby mrkkhattak » Mon Oct 14, 2002 11:35 am

Thanks for all your help ... I posted this message on 2 September; the problem I had has been solved :-) but these tips did increase my knowledge ... !

Postby mrkkhattak » Wed Oct 16, 2002 2:55 pm

Oh... NO, it is okay! I keep checking this thread, it DOES increase my knowledge ... as I don't know that much about administration!

I will surely try writing this script, but nowadays a lot of stuff is in the pipeline, so I won't be able to give it a try ... !

InshAllah once I try this, I know I would have problems & I would come again to this thread ... :lol:

Postby fawad » Thu Oct 17, 2002 12:26 am

I think by 'script' Asad meant a wrapper C app, because AFAIK shell scripts cannot be SUID on Linux (due to race conditions).

Postby mrkkhattak » Thu Oct 17, 2002 10:51 am

:-( I didn't know that, I thought that I would have to write my own shell script. So can you please define a little more "wrapper C app" (with examples of scripts) ... I don't have any idea about that ... !
