Monday, September 02, 2013

Running Apache/IHS on privileged ports (80, 443) as a non-root user: The 'sudo' way

Overview

For some out-of-this-world reason, your Unix administrator fears giving you root access. But your web server (Apache or IBM HTTP Server) needs to bind to a privileged port, e.g. 80 or 443, and that requires root privilege. Using 'sudo', you at least no longer need to bother your administrator to start/stop/restart it. He will either be happy that no one is calling to bug him anymore, or fear that someone like you has found a way to do something without his 'power'.

The steps below are for IBM HTTP Server (IHS) 8.5 running on AIX. They apply to other versions and OSes with slight variations.

Assumptions

  • IHS location: /opt/IBM/HTTPServer
  • Using default httpd.conf @ /opt/IBM/HTTPServer/conf/httpd.conf
  • HTTP port to listen/bind: 80
  • User & group the server runs as after startup: wasadmin:wasadmin
  • Logs folder & files: /opt/IBM/HTTPServer/logs - access_log and error_log
  • You have root access (for the time being)

Steps

1. 'Touch' the log files:

touch /opt/IBM/HTTPServer/logs/access_log
touch /opt/IBM/HTTPServer/logs/error_log

2. Make the following changes in httpd.conf (ensure user 'wasadmin' and group 'wasadmin' have already been created):

User wasadmin
Group wasadmin

3. Change ownership of IHS files:

chown -R wasadmin:wasadmin /opt/IBM/HTTPServer

4. Edit the sudoers file (visudo) and add the following line:

%wasadmin ALL = (root) NOPASSWD: /opt/IBM/HTTPServer/bin/apachectl *

This means any user in the 'wasadmin' group (the % prefix denotes a group) can control (start/stop) the IHS instance as root without entering a password. If you only want to allow the user 'wasadmin' to do this, remove the '%' so the entry names a user instead.

5. Ok, let's start IHS as user 'wasadmin'.

From root prompt:
sudo su - wasadmin

To check the current user: id

Sample output:
uid=12(wasadmin) gid=203(wasadmin) groups=0(system)

Run as root without password:
sudo -u root /opt/IBM/HTTPServer/bin/apachectl start

To verify, fire up a web browser and access the default web page, e.g. http://192.168.1.128 (port 80 is implied for HTTP if not specified).

Note: If you moved/deleted the log files, you need to touch them again as the non-root user (e.g. wasadmin), as in Step #1. Otherwise the log files will be created with root ownership.
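To confirm that Steps 1, 2 and 4 are actually in place on a host before handing the account over, here is an added shell script (not part of the original post). It assumes the layout above (conf/httpd.conf, logs/, bin/apachectl under the IHS root) and takes the IHS root, user, group and sudoers file as arguments; /etc/sudoers as the sudoers path is an assumption, and reading it requires root.

```shell
#!/bin/sh
# Added example, not from the original post: verify the delegated-start setup.
# Layout (conf/httpd.conf, logs/, bin/apachectl) is the one the post assumes.

file_owner() {
    # Owner name from the long listing; portable to AIX, where stat(1) differs.
    ls -ld "$1" | awk '{print $3}'
}

# check_ihs_delegation IHS_ROOT USER GROUP SUDOERS_FILE -> 0 if steps 1, 2, 4 hold
check_ihs_delegation() {
    ihs="$1"; user="$2"; group="$3"; sudoers="$4"; rc=0
    # Step 1: log files must pre-exist and belong to the delegated user, or
    # apachectl (running as root) creates them root-owned.
    for f in access_log error_log; do
        if [ ! -f "$ihs/logs/$f" ]; then
            echo "missing $ihs/logs/$f: touch it as $user"; rc=1
        elif [ "$(file_owner "$ihs/logs/$f")" != "$user" ]; then
            echo "$ihs/logs/$f is not owned by $user"; rc=1
        fi
    done
    # Step 2: httpd.conf must drop the worker processes to the delegated user/group.
    grep -Eq "^[[:space:]]*User[[:space:]]+$user[[:space:]]*\$" "$ihs/conf/httpd.conf" \
        || { echo "httpd.conf lacks 'User $user'"; rc=1; }
    grep -Eq "^[[:space:]]*Group[[:space:]]+$group[[:space:]]*\$" "$ihs/conf/httpd.conf" \
        || { echo "httpd.conf lacks 'Group $group'"; rc=1; }
    # Step 4: a NOPASSWD rule for apachectl, granted to the group (%group) or the user.
    grep -E "^(%$group|$user)[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(root\)[[:space:]]+NOPASSWD:" "$sudoers" \
        | grep -Fq "$ihs/bin/apachectl" \
        || { echo "no sudoers rule for $ihs/bin/apachectl"; rc=1; }
    return $rc
}

# apachectl_root_safe IHS_ROOT USER -> 0 unless the script that sudo runs as root
# is owned by the delegated user (the chown -R in step 3 does exactly that, so
# whoever holds that account can edit what later runs as root).
apachectl_root_safe() {
    if [ "$(file_owner "$1/bin/apachectl")" = "$2" ]; then
        echo "warning: $1/bin/apachectl is owned by $2 but runs as root via sudo"
        return 1
    fi
    return 0
}

# Usage on a real host (sudoers path assumed): sh check.sh /opt/IBM/HTTPServer wasadmin wasadmin /etc/sudoers
if [ $# -ge 4 ]; then
    check_ihs_delegation "$1" "$2" "$3" "$4"
    apachectl_root_safe "$1" "$2"
fi
```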
