Cron – apache-user & root access

apache-2.2cronphp5root

I want to develop few scripts in php that will invoke following commands; using exec() function

service network restart

crontab -u root /xyz/abc/fjs/crontab

etc.

The issue is that Apache executes script as apache user (I am on CentOS 5), regardless of adding apache into wheel or doing good, the bad and the ugly group assignment does not run commands (as mentioned above).

Following are my configurations;

My /etc/sudoers

root    ALL=(ALL)       ALL
apache  ALL=(ALL)       NOPASSWD: ALL
%wheel  ALL=(ALL)       ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL

As I've tried couple of combination with sudoer & httpd.conf, the recent httpd.conf look something as follows;

my httpd.conf

User apache
Group wheel

my PHP script

exec("service network start", $a);
print_r($a);

exec("sudo -u root service network start", $a);
print_r($a);

Output

Array
(
    [0] => Bringing up loopback interface:  [FAILED]
    [1] => Bringing up interface eth0:  [FAILED]
    [2] => Bringing up interface eth0_1:  [FAILED]
    [3] => Bringing up interface eth1:  [FAILED]
)
Array
(
    [0] => Bringing up loopback interface:  [FAILED]
    [1] => Bringing up interface eth0:  [FAILED]
    [2] => Bringing up interface eth0_1:  [FAILED]
    [3] => Bringing up interface eth1:  [FAILED]
)

Without any surprise, when I invoke restart network services via ssh, using similar user like apache, the command successfully executes. Its all about accessing such commands via HTTP Protocol. I am sure cPanel/Plesk kind of software do use something like sudoer or something and what I am trying to do is basically possible. But I need your help to understand which piece I am missing?

Thanks a lot!

Best Answer

If you take troyengel's solution of throwing an entry in the root cron table, then modify it a little, you might have a workable solution.

If you absolutely, positively need to use apache to signal an interface restart, why not have PHP create a file that acts as a flag, and then have your root cronjob that runs every minute (or whatever) check for the existence of that flag. If it exists, restart the interfaces. If it doesn't, die. (remember to have the cronjob remove the flag after it successfully restarts the interface).

This accomplishes the goal (restarting the interface, triggered from apache/php) and circumsteps all of the possible problems involved with granting a web / scripting service root level access.

Related Solutions

Finding out what user Apache is running as

ps aux | egrep '(apache|httpd)' typically will show what apache is running as.

Usually you do not need to change the default user, "nobody" or "apache" are typically fine users. As long as its not "root" ;)

edit: more accurate command for catching apache binaries too

Centos – The A to Z of setting up a Linux box for secure local hosting

This guide has a lot of answers about using SSL with Apache, tells you how to create a self-signed certificate, how to get a proper certificate from a recognized certificate authority (CA) and how to create your own, untrusted CA to create a full certificate. http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

As for virtual hosts and SSL, each host will need its own IP address or a dirtier solution is to host them on different ports, than the standard :443 due to the nature of SSL certificates, name-based virtual hosting does not get along with SSL; which is why you need another method to differentiate; differing ports/IPs.

Setting up SSH is pretty easy, it should be running on your server, already. You will want to do a number of things to lock it down.

PermitRootLogin no
AllowGroups admins
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no

It can be added to your /etc/ssh/sshd_config to restrict remote root access, and remove password authentication, instead using public/private keypairs to log in.

To create your SSH keypair, you can use puttygen in Windows; http://putty.very.rulez.org/download.html or you can create the keypair in a Linux environment like so: ssh-keygen -b 2048 -t RSA -f my_keypair. This will create a my_keypair file and a my_keypair.pub file (only named for this example, I might suggest naming for your username or leaving off -f, and letting it generate ~/.ssh/id_rsa).

Securely transfer my_keypair to your workstation, for future SSH access, this is the private key, you should not share it with anyone. Then, on the server, create $HOME/.ssh if it does not already exist, mkdir ~/.ssh, then copy the public key (my_keypair.pub) to ~/.ssh/, if you already have authorized_keys in ~/.ssh because you've done this for other things, you can do cat my_keypair.pub >> authorized_keys to append your public key, or cp my_keypair.pub authorized_keys if it doesn't exist.

Now run chmod 700 ~/.ssh and chmod 644 ~/.ssh/my_keypair.pub ~/.ssh/authorized_keys to set permissions. You can keep a copy of my_keypair in ~/.ssh/ for use when connecting to other hosts, but you should do chmod 600 ~/.ssh/my_keypair to make sure no one else can access it.

You will want to add a normal user account for yourself, and add yourself to a group other than users, like admins in my example.

You will probably also want to add your user or group to /etc/sudoers to enable sudo usage, if you haven't already. This is accomplished with the command visudo which is the only way you should edit this file. visudo runs error and syntax checking on your configuration before writing it out, preventing loss of sudo usage.

username ALL=(ALL) ALL

added to /etc/sudoers will allow username to run sudo yum install blah and will prompt you for your own password. This is handy in the event you have other administrators or temporary administrators, you don't need to share the root password.

Best Answer

Related Solutions

Finding out what user Apache is running as

Centos – The A to Z of setting up a Linux box for secure local hosting

Related Topic