On Nov 8, 2007 3:50 PM, Axel-Stephane SMORGRAV <[EMAIL PROTECTED]> wrote:
> -----Original Message-----
> From: Krist van Besien [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 8, 2007 15:14
> To: users@httpd.apache.org
> Subject: Re: [EMAIL PROTECTED] apache as non-root
>
> > You could use a wrapper script (as I do) that the user can't change.
>
> You could, but AFAICS the only point of using a wrapper over using sudo would
> be to hard code the -f parameter... In that case you would also need to
> prevent the user from changing the configuration. What would be the point of that?

The point is that somebody not root can start/stop apache. In our setup I have a wrapper script that can start the server in two modes: a "maintenance mode", where a "server is down, please come back later" message is displayed to whoever visits the site, and a normal mode. This is done by passing a different value for the -f option to httpd when started. These values (two alternative configs basically) are hard coded in a script that only root can modify. This way a user with fewer privileges than root can switch the site to maintenance mode before taking the tomcat application server down.

> I have opted for sudo. Designated Apache administrators are allowed to
> start/stop/create as many instances of Apache they want to with the
> configurations of their choice. They are entrusted with that privilege.
> Bottom line.

Indeed, but in your case you have given the designated administrators everything they need to become root. I hope you can trust them enough not to try this.

Krist

--
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
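
A wrapper of the kind described in the message above could look like the following. This is an added example, not the script used by anyone in the thread; the httpd and config paths, the function names and the set of allowed actions are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Install root-owned, mode 0755, so only
# root can edit it. All paths below are assumptions.
HTTPD=/usr/sbin/httpd
CONF_NORMAL=/etc/httpd/conf/httpd.conf
CONF_MAINT=/etc/httpd/conf/maintenance.conf

# Map a mode name to its hard-coded config file; the caller never supplies a path.
config_for_mode() {
    case "$1" in
        normal)      printf '%s\n' "$CONF_NORMAL" ;;
        maintenance) printf '%s\n' "$CONF_MAINT" ;;
        *)           return 1 ;;
    esac
}

# Allow only a fixed set of httpd -k actions.
valid_action() {
    case "$1" in
        start|stop|graceful) return 0 ;;
        *)                   return 1 ;;
    esac
}

# True only if $1 is a regular file (not a symlink) owned by $2 (default root)
# and not writable by group or others. Directories above it are not checked.
config_is_locked_down() {
    [ -n "$(find "$1" -prune -type f -user "${2:-root}" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

main() {
    PATH=/usr/sbin:/usr/bin:/bin; export PATH
    if [ "$#" -ne 2 ]; then
        echo "usage: $0 {normal|maintenance} {start|stop|graceful}" >&2
        return 2
    fi
    conf=$(config_for_mode "$1") || { echo "unknown mode: $1" >&2; return 2; }
    valid_action "$2" || { echo "unknown action: $2" >&2; return 2; }
    config_is_locked_down "$conf" || { echo "refusing $conf: not root-owned or writable by others" >&2; return 1; }
    exec "$HTTPD" -f "$conf" -k "$2"
}

# With no arguments the file only defines the functions above.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The ownership check matters because a config the caller can edit, or any file it includes, undoes the point of hard-coding the -f value.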