Overview
For some out-of-this-world reason, your Unix administrator fears giving you root access. But your web server (Apache or IBM HTTP Server) needs to bind to a privileged port, e.g. 80 or 443, and that requires root privilege. With 'sudo', you can at least start/stop/restart the server without bothering your administrator. He would either be happy that no one's calling to bug him anymore, or fear that someone like you has found a way to do something without his 'power'.
The steps below are for IBM HTTP Server (IHS) 8.5 running on AIX. They apply to other versions and OSes with slight variations.
Assumptions
- IHS location: /opt/IBM/HTTPServer
- Using default httpd.conf @ /opt/IBM/HTTPServer/conf/httpd.conf
- HTTP port to listen/bind: 80
- User & group to delegate after startup: wasadmin:wasadmin
- Logs folder & files: /opt/IBM/HTTPServer/logs - access_log and error_log
- You have root access (for the time being)
Steps
1. 'Touch' the log files:
touch /opt/IBM/HTTPServer/logs/access_log
touch /opt/IBM/HTTPServer/logs/error_log
2. Make the following changes in httpd.conf (ensure user 'wasadmin' and group 'wasadmin' have been created already):
User wasadmin
Group wasadmin
3. Change ownership of IHS files:
chown -R wasadmin:wasadmin /opt/IBM/HTTPServer
4. Edit sudoers file (visudo), add the following line:
%wasadmin ALL = (root) NOPASSWD: /opt/IBM/HTTPServer/bin/apachectl *
This means any user in the 'wasadmin' group (the '%' prefix denotes a group) can control (start/stop) the IHS instance as root without entering a password. If you only want to allow the user 'wasadmin' to do this, remove the '%' so the entry denotes a user.
5. Ok, let's start IHS as user 'wasadmin'.
From root prompt:
sudo su - wasadmin
To check current user: id
Sample output:
uid=12(wasadmin) gid=203(wasadmin) groups=0(system)
Run as root without password:
sudo -u root /opt/IBM/HTTPServer/bin/apachectl start
To verify, fire up a web browser and access the default webpage, e.g. http://192.168.1.128 (port 80 is implied if not specified for HTTP).
Note: If you moved/deleted the log files, you need to touch them again as the non-root user (e.g. wasadmin), as in Step #1. Otherwise the log files will be created with root ownership.
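Steps 3 and 4 interact: the chown makes apachectl and the directories above it owned by wasadmin, and the sudoers line lets that same group run the script as root, so the rule is only as tight as the file's ownership and permissions. The script below is an added example, not part of the original post, that reports who can modify a sudo-allowed command and each directory above it; the function names, the trusted uid default of 0 and the stop-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: a command that
# sudoers allows to run as root should be owned by TRUSTED_UID (default 0)
# and sit in directories that no other uid, group or "other" can write to.

# check_component PATH TRUSTED_UID: print findings, return 1 if unsafe.
check_component() {
    # ls -ldn is portable across AIX/Linux/BSD: field 1 = mode, field 3 = uid.
    c_info=$(ls -ldn "$1" 2>/dev/null | awk '{print $1, $3}')
    [ -n "$c_info" ] || { echo "MISSING  $1"; return 1; }
    c_mode=${c_info% *}
    c_uid=${c_info#* }
    c_rc=0
    if [ "$c_uid" != "$2" ]; then
        echo "OWNER    $1 is owned by uid $c_uid, expected $2"
        c_rc=1
    fi
    case $c_mode in
        l*) ;;  # symlink mode bits carry no meaning; only the owner is checked
        ?????w*) echo "GROUP-W  $1 ($c_mode)"; c_rc=1 ;;
    esac
    case $c_mode in
        l*) ;;
        ????????w*) echo "WORLD-W  $1 ($c_mode)"; c_rc=1 ;;
    esac
    return $c_rc
}

# audit_sudo_target TARGET [TRUSTED_UID] [STOP_DIR]: check TARGET and each
# directory above it up to STOP_DIR (default /). Returns 1 on any finding.
audit_sudo_target() {
    a_path=$1; a_trusted=${2:-0}; a_stop=${3:-/}; a_bad=0
    while :; do
        check_component "$a_path" "$a_trusted" || a_bad=1
        case $a_path in "$a_stop"|/|.) break ;; esac
        a_path=$(dirname "$a_path")
    done
    if [ "$a_bad" -eq 0 ]; then
        echo "OK       $1: no ownership or write-permission findings"
    fi
    return $a_bad
}

# Audit a path given on the command line, e.g. the page's
# /opt/IBM/HTTPServer/bin/apachectl; with no argument only define the functions.
if [ "$#" -gt 0 ]; then audit_sudo_target "$@"; fi
```

On the layout produced by step 3 this reports OWNER findings for apachectl, bin and /opt/IBM/HTTPServer, since they belong to wasadmin rather than uid 0.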