Need to give a non-privileged user permission to execute apachectl script
I want a regular user to be able to execute apachectl on the system, and that would be the only thing that they can do outside of their normal permissions. What I did was add this line at the bottom of the sudoers file:
sampleuser ALL=(root) NOEXEC:/usr/sbin/apachectl
So, as the user sampleuser, I executed the apachectl command, and I get this error:
$ sudo apachectl stop
[sudo] password for sampleuser:
/usr/sbin/apachectl: line 105: /usr/sbin/httpd: Permission denied
Now it seems like the permission is with the /usr/sbin/httpd command since the apachectl script calls that executable file. So I added another line to the sudoers file:
sampleuser ALL=(root) NOEXEC:/usr/sbin/httpd
Now I executed the same command and I get the same error:
sudo apachectl start
[sudo] password for sampleuser:
/usr/sbin/apachectl: line 105: /usr/sbin/httpd: Permission denied
My question now is whether there's a fix for this without having to edit the apachectl script file, or another method that is probably easier than what I'm trying to do.
Thank you.
sudo apache-httpd
If I was to hazard a guess, it'd be that selinux doesn't like a domain transition in there.
– Jeff Schaller
May 2 at 19:55
@JeffSchaller But selinux is not active.
getenforce Disabled
– VaTo
May 2 at 20:02
Does ls -l /usr/sbin/httpd show root ownership and execute bits?
– Jeff Schaller
May 2 at 20:06
@JeffSchaller Yes
-rwxr-xr-x 1 root root 545024 Sep 24 2017 /usr/sbin/httpd*
– VaTo
May 2 at 20:08
edited May 2 at 22:40
Filipe Brandenburger
asked May 2 at 19:43
VaTo
1 Answer
Apachectl does not know that it needs to use sudo to execute httpd.
Try something like this:
APACHE_HTTPD='sudo -E /usr/sbin/httpd' sudo -E /usr/sbin/apachectl start
-E, --preserve-env
Indicates to the security policy that the user wishes to preserve their
existing environment variables. The security policy may return an error
if the user does not have permission to preserve the environment.
So you will force apache2ctl to use a different command to call httpd...
I get this error:
sudo: sorry, you are not allowed to set the following environment variables: APACHE_HTTPD
– VaTo
May 2 at 20:04
Apachectl stop is already running under sudo though...
– Jeff Schaller
May 2 at 20:05
Yes, but it is just a script, when the script tries to call the subprocess httpd, the sudo will block it? I am not sure...
– Luciano Andress Martini
May 2 at 20:06
Is it perhaps possible to give the user access to that env variable?
– VaTo
May 2 at 20:07
Amazon Linux AMI release 2017.09
I think that's based on fedora ID_LIKE="rhel fedora"
– VaTo
May 2 at 20:09
edited May 2 at 20:16
answered May 2 at 20:03
Luciano Andress Martini
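Added example, not part of the original thread: the sudoers NOEXEC tag stops the command that sudo launches from executing further programs, which is why a shell script such as apachectl reports "Permission denied" when it reaches /usr/sbin/httpd. The check below flags NOEXEC rules whose command is a "#!" script; the function names, the ROOT prefix argument and the sample files are constructed for illustration, and only simple one-line user rules are parsed.

```shell
#!/bin/sh
# Added example: find sudoers rules that put NOEXEC on a shell script.
# Such a rule fails as soon as the script tries to run a child process.

# is_script FILE: true when FILE begins with a "#!" interpreter line.
is_script() {
    [ -r "$1" ] || return 1
    IFS= read -r first_line < "$1" || :
    case $first_line in '#!'*) return 0 ;; *) return 1 ;; esac
}

# noexec_script_rules SUDOERS [ROOT]: print "user command" for each NOEXEC
# rule whose command is a script. ROOT (hypothetical parameter) prefixes the
# command path so the check can run against a constructed tree.
noexec_script_rules() {
    while read -r user rest; do
        case $user in ''|'#'*|Defaults*) continue ;; esac
        case $rest in *NOEXEC:*) ;; *) continue ;; esac
        cmd=${rest#*NOEXEC:}      # text after the tag
        cmd=${cmd# }              # allow one blank after the tag
        cmd=${cmd%%[ ,]*}         # keep the path, drop arguments / next entry
        if is_script "${2:-}$cmd"; then
            printf '%s %s\n' "$user" "$cmd"
        fi
    done < "$1"
}

# Constructed sample: the two rules from the question plus stand-in files.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/sbin"
    printf '#!/bin/sh\n/usr/sbin/httpd -k "$1"\n' > "$root/usr/sbin/apachectl"
    printf '\177ELF' > "$root/usr/sbin/httpd"    # stand-in for a binary
    cat > "$root/sudoers" <<'EOF'
# constructed sudoers fragment
sampleuser ALL=(root) NOEXEC:/usr/sbin/apachectl
sampleuser ALL=(root) NOEXEC:/usr/sbin/httpd
EOF
    printf '%s\n' "$root"
}

sample=$(make_sample)
noexec_script_rules "$sample/sudoers" "$sample"
rm -rf "$sample"
```

Removing NOEXEC: from a flagged rule lets the script start its child process; run visudo -c after editing to check the file's syntax.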