Thursday, May 15, 2008

Sudo access for apache user

Web-based admin interfaces, such as a network management web console, often need to execute certain commands with elevated privileges. Adding an entry to the sudoers file is one straightforward way to do this.


The apache user on Debian is 'www-data' and on Fedora it is 'apache'. Let apache_user denote the web server user, irrespective of the distro.


In /etc/sudoers, we need to add:
%apache_user ALL=NOPASSWD: ALL


This seems very naive from a security perspective. Apache has a feature, suEXEC, for such purposes. But -

  • It does not support root as the target user (workaround – let the target user be userx, where userx is configured to have admin privileges)
  • It requires re-compiling the apache server, and a very careful and complex configuration. Not really suitable for people who use off-the-shelf apache with default configurations, like me :)

We can modify the line in the 'sudoers' file to improve security a little. Instead of sudo access to all commands, we can restrict sudo access to a small number of commands.


%apache_user ALL=NOPASSWD: /bin/ls, /bin/cat


In my project – a PHP-based wireless-mesh network management suite – I've used this:-


%apache_user ALL=NOPASSWD: /usr/bin/php -f /path/to/my/script/daemon.php *


where daemon.php handles all the tasks requiring admin privileges. The '*' at the end of the line allows command line arguments to be passed to the daemon. This type of usage of the sudoers file gives enough security for most practical purposes. After all, I'm not managing a bank here!
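The three sudoers variants above (ALL, a fixed command list, and a command with a trailing '*') differ a lot in what they hand to the web server account, and it is easy to lose track of which one ended up on a box. The following audit helper is an added example, not code from the original post: it reads sudoers-style rules and labels each one HIGH (any command at all), MEDIUM (a '*' in the command part, so sudo will accept any argument string and the script itself has to validate what it receives) or OK (a fixed command list). The sample rules and the path /srv/app/daemon.php are constructed; in sudoers a leading '%' names a group, which is why the examples use %www-data rather than a bare user name.

```shell
#!/bin/sh
# Added audit example (not from the original post). Classifies sudoers
# rules by how much they grant: ALL commands, wildcard arguments, or a
# fixed command list. Plain POSIX sh plus sed; no visudo needed.

# Constructed sample rules; /srv/app/daemon.php is a made-up path.
SAMPLE_RULES='%www-data ALL=NOPASSWD: ALL
%www-data ALL=NOPASSWD: /bin/ls, /bin/cat
%www-data ALL=(root) NOPASSWD: /usr/bin/php -f /srv/app/daemon.php *
%www-data ALL=NOPASSWD: /usr/bin/php -f /srv/app/daemon.php'

# Extract the command list from one rule: drop "user HOST=", an optional
# "(runas)" spec and tags such as NOPASSWD: that precede the commands,
# then trim leading blanks and normalise ", " separators to ",".
command_list() {
    cmds=${1#*=}
    cmds=${cmds#\(*\)}
    case "$cmds" in *:*) cmds=${cmds#*:} ;; esac
    printf '%s\n' "$cmds" | sed 's/^[[:space:]]*//; s/[[:space:]]*,[[:space:]]*/,/g'
}

# Print HIGH, MEDIUM or OK for a single rule. The comma wrapping makes
# ALL match only as a whole entry, not as part of a path.
classify_rule() {
    norm=",$(command_list "$1"),"
    case "$norm" in
        *,ALL,*) echo HIGH ;;    # any command at all
        *\**)    echo MEDIUM ;;  # '*' lets the caller choose arguments
        *)       echo OK ;;      # fixed command list
    esac
}

# Count the rules in a newline-separated rule set that are not OK.
# A here-document keeps the loop in the current shell so $n survives.
count_broad_rules() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$(classify_rule "$line")" in OK) ;; *) n=$((n + 1)) ;; esac
    done <<EOF
$1
EOF
    echo "$n"
}

# Stand-alone run: a labelled report of the sample rules.
printf '%s\n' "$SAMPLE_RULES" | while IFS= read -r line; do
    printf '%-7s %s\n' "$(classify_rule "$line")" "$line"
done
echo "broad rules: $(count_broad_rules "$SAMPLE_RULES")"
```

To audit a real host, feed the output of `cat /etc/sudoers /etc/sudoers.d/*` (as root) into `count_broad_rules` instead of `SAMPLE_RULES`; comment lines and Defaults entries will classify as OK because they carry no command list after an `=`. The MEDIUM label is the one to look at for a rule like the daemon.php one above: the trailing '*' is what makes argument passing work, so the checks on those arguments belong inside daemon.php.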


Links: Useful thread on apache forum

