I asked how to allow a currently running unprivileged user process
to start/stop web servers on port 80 (at least, after some
clarification, that's what I asked! %;^)
I got several quick responses, thanks to all who replied.
* Ken McCoy mentioned a utility called "runas", at:
http://metagame.org/runas/
* Chris Ford and others suggested putting the monitoring
script in root's crontab.
* Oisin McGuinness had an interesting way to do this
from inetd.conf:
------------------------------------------------------------------
Here is a trick (which we use for slightly different purposes):
For port 80 (say defined as http in /etc/services), define
a line in /etc/inetd.conf which looks something like this:
http stream tcp wait root /usr/etc/tcp_relay tcp_relay localhost 8080
where tcp_relay is a program (there are Perl versions of programs
like this, we have a simple (154 line) C version, "hook") which
accepts a host name and port as arguments, and just copies
everything back and forth from the input socket which inetd hands it
to the localhost:8080 port. (We put such programs in /usr/etc, since
that's what Ultrix used for network daemons; remember Ultrix?)
Then your users can run a server on the unprivileged port,
as any convenient user, and can restart it all by themselves;
the point is that tcp_relay will be so simple as not to
cause any problems; any lack of response at port 80 can 99.9999%
be attributable to problems at the user program level.
A variant of this technique, if you can't find a tcp_relay program
you are happy with, is to run an extremely stripped down Apache
configured as a proxy server on port 80, which relays/proxies to
the Apache/Squid/whatever process on the high user controllable port.
This would avoid what some people perceive as the overhead of
inetd.conf-run daemons.
------------------------------------------------------------
What we finally went with, after Bob Sloane managed to get
me to understand it, was an evidently little-known "NOPASSWD"
option in sudoers - very cool, not mentioned in the sudo man page,
just in the sudoers man page! Thanks, Bob.
------------------------------------------------------------
Since you apparently already have sudo, why not use that? Make an
entry in sudoers like:
username host= NOPASSWD: /usr/local/apache/apachectl
and then run the script as user "username".
------------------------------------------------------------
Thanks again...
--
Judith Reed
jreed_at_appliedtheory.com
(315) 453-2912 x5835
Received on Tue Jun 05 2001 - 20:23:39 NZST