Short answer:
Using visudo, add the following to your sudoers file, replacing username with the proper username:
username ALL = /etc/init.d/apache2
If you want to not have to type in a password before you do this, use the following:
username ALL = NOPASSWD: /etc/init.d/apache2
After this, the 'username' user can execute sudo /etc/init.d/apache2 start (or stop, restart, etc.)
Long answer:
You'll likely want to set up a separate user for this if you haven't already, and then configure the /etc/sudoers file to allow a user or group to execute the command you want.
For example, to allow the user 'ben' to execute all commands as root prompting for a password, you would do the following:
ben ALL= ALL
To allow 'ben' to execute only one command (like, say, rm), you would do the following:
ben ALL= /bin/rm
If you are running a script as a user and don't want to prompt for a password, you'll want to use the 'NOPASSWD' option like so:
ben ALL=NOPASSWD: /bin/commandname options
You can do the same thing for groups by prefixing group names with a percentage sign, like so:
%supportstaff ALL= NOPASSWD: /bin/commandname
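The entries above are all of the form "who host = (runas) TAGS: command". The following is an added example, not part of the answer, showing how a defender can lint such entries for the classic least-privilege mistakes (ALL commands, NOPASSWD on ALL, relative paths, wildcards, and programs that can spawn a shell). The sample sudoers text is constructed and mixes the page's own entries with a few risky ones for contrast; the parser is simplified and does not handle aliases, Defaults lines or line continuations.

```python
"""Lint sudoers user specifications for least-privilege problems (added example)."""
import os
import re

# Constructed sample, not a real /etc/sudoers: the page's entries plus risky ones.
SAMPLE_SUDOERS = """\
# constructed sample
username ALL = /etc/init.d/apache2
username ALL = NOPASSWD: /etc/init.d/apache2
ben ALL= ALL
ben ALL= /bin/rm
ben ALL=NOPASSWD: /bin/commandname options
%supportstaff ALL= NOPASSWD: /bin/commandname
deploy ALL=(root) NOPASSWD: ALL
ops ALL=NOPASSWD: /usr/bin/vim /etc/*
"""

# who host = (runas) TAG: TAG: cmd, cmd   (runas and tags optional)
ENTRY_RE = re.compile(
    r"^(?P<who>%?[\w.\-]+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NOPASSWD|PASSWD|NOEXEC|SETENV|NOSETENV):\s*)*)"
    r"(?P<cmds>\S.*)$"
)

# Programs that hand the caller an interactive shell when run as root; use sudoedit or a wrapper.
SHELL_CAPABLE = {"sh", "bash", "dash", "zsh", "vi", "vim", "nano", "less", "more", "find"}


def parse_entry(line):
    """Parse one user specification; returns a dict or None if the line is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    tags = {t.rstrip(":") for t in m.group("tags").split()}
    commands = []
    for spec in m.group("cmds").split(","):
        parts = spec.split()
        if parts:
            commands.append({"path": parts[0], "args": parts[1:]})
    return {
        "who": m.group("who"),
        "host": m.group("host"),
        "runas": m.group("runas") or "root",  # sudo defaults the target user to root
        "tags": tags,
        "commands": commands,
    }


def lint_entry(entry):
    """Return a list of (code, message) findings for one parsed entry."""
    findings = []
    nopasswd = "NOPASSWD" in entry["tags"]
    for cmd in entry["commands"]:
        path, args = cmd["path"], cmd["args"]
        if path == "ALL":
            code = "all_commands_nopasswd" if nopasswd else "all_commands"
            suffix = " with no password" if nopasswd else ""
            findings.append((code, "grants every command as %s%s" % (entry["runas"], suffix)))
            continue
        if not path.startswith("/"):
            findings.append(("relative_path", "command %r is not an absolute path" % path))
        if "*" in path or any("*" in a for a in args):
            spec = " ".join([path] + args)
            findings.append(("wildcard", "wildcard in %r matches more than intended" % spec))
        if os.path.basename(path) in SHELL_CAPABLE:
            findings.append(("shell_escape", "%s can open a shell; prefer sudoedit or a wrapper" % path))
    return findings


def lint_sudoers(text):
    """Lint every entry in sudoers text; returns {line: [(code, message), ...]} for lines with findings."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_entry(line)
        if entry is None:
            report[line] = [("unparsed", "not a user specification this linter understands")]
            continue
        findings = lint_entry(entry)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in lint_sudoers(SAMPLE_SUDOERS).items():
        for code, message in findings:
            print("%-45s %-22s %s" % (line, code, message))
```

Note that the page's apache2 entry passes the lint: it is an absolute path with no wildcard, and because no arguments are listed, sudo allows any arguments (start, stop, restart). After editing, validate syntax with visudo -c before relying on the file, and confirm the effective rules with sudo -l -U username.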
Update: The original question was for Windows Server 2008, but the solution is easier for Windows Server 2008 R2 and Windows Server 2012 (and Windows 7 and 8). You can add the user through the NTFS UI by typing it in directly. The name is in the format of IIS APPPOOL\{app pool name}. For example: IIS APPPOOL\DefaultAppPool.
Note: Per comments below, there are two things to be aware of:
- Enter the string directly into the "Select User or Group" and not in the search field.
- In a domain environment you need to set the Location to your local computer first.
Reference to Microsoft Docs article: Application Pool Identities > Securing Resources
Original response: (for Windows Server 2008) This is a great feature, but as you mentioned it's not fully implemented yet. You can add the app pool identity from the command prompt with something like icacls, then you can manage it from the GUI. For example, run something like this from the command prompt:
icacls c:\inetpub\wwwroot /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)
Then, in Windows Explorer, go to the wwwroot folder and edit the security permissions. You will see what looks like a group (the group icon) called DefaultAppPool. You can now edit the permissions.
However, you don't need to use this at all. It's a bonus that you can use if you want. You can use the old way of creating a custom user per app pool and assigning the custom user to disk. That has full UI support.
This SID injection method is nice because it allows you to use a single user but fully isolate each site from each other without having to create unique users for each app pool. Pretty impressive, and it will be even better with UI support.
Note: If you are unable to find the application pool user, check to see if the Windows service called Application Host Helper Service is running. It's the service that maps application pool users to Windows accounts.
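The answer above calls this "SID injection": IIS APPPOOL\{name} is a virtual account whose SID is derived from the pool name rather than stored in a user database, which is why you can type the name straight into the NTFS dialog or into icacls. As an added example (not from the answer or from Microsoft), the code below derives that SID the way Windows does for application pool identities (S-1-5-82 followed by the SHA-1 digest of the upper-cased pool name in UTF-16LE, read as five little-endian 32-bit values) and parses an icacls grant such as the one in the answer so that a reviewer can confirm it is read-only before applying it. It runs without Windows; the parser covers only the simple (OI)(CI)(RX)-style rights shown on the page, not icacls's comma-separated specific rights.

```python
"""Derive an IIS application pool identity SID and review an icacls grant (added example)."""
import hashlib
import re
import struct

APPPOOL_SID_PREFIX = "S-1-5-82"  # SID authority/prefix used for IIS app pool virtual accounts

ICACLS_INHERIT = {"OI": "object inherit (files)", "CI": "container inherit (subfolders)",
                  "IO": "inherit only", "NP": "do not propagate"}
ICACLS_SIMPLE = {"N": "no access", "F": "full control", "M": "modify",
                 "RX": "read and execute", "R": "read-only", "W": "write-only", "D": "delete"}
WRITE_RIGHTS = {"F", "M", "W", "D"}  # anything beyond RX lets the worker process alter content

GRANT_RE = re.compile(r'^"?(?P<principal>[^":]+)"?:(?P<perm>(?:\([A-Z]+\))+)$')


def apppool_sid(pool_name):
    """Return the S-1-5-82-... SID for "IIS APPPOOL\\<pool_name>" (case-insensitive name)."""
    digest = hashlib.sha1(pool_name.upper().encode("utf-16-le")).digest()
    sub_authorities = struct.unpack("<5I", digest)
    return APPPOOL_SID_PREFIX + "".join("-%d" % s for s in sub_authorities)


def parse_grant(spec):
    """Parse an icacls /grant argument like '"IIS APPPOOL\\X":(OI)(CI)(RX)' into its parts."""
    m = GRANT_RE.match(spec.strip())
    if not m:
        raise ValueError("unrecognised /grant specification: %r" % spec)
    tokens = re.findall(r"\(([A-Z]+)\)", m.group("perm"))
    inherit = [t for t in tokens if t in ICACLS_INHERIT]
    rights = [t for t in tokens if t in ICACLS_SIMPLE]
    unknown = [t for t in tokens if t not in ICACLS_INHERIT and t not in ICACLS_SIMPLE]
    return {
        "principal": m.group("principal"),
        "inherit": inherit,
        "rights": rights,
        "unknown": unknown,
        "writes": bool(set(rights) & WRITE_RIGHTS),
    }


def plan_content_grant(path, pool_name, rights=("OI", "CI", "RX")):
    """Build the icacls command for a pool identity and flag grants broader than read/execute."""
    principal = "IIS APPPOOL\\" + pool_name
    perm = "".join("(%s)" % r for r in rights)
    command = 'icacls %s /grant "%s":%s' % (path, principal, perm)
    review = parse_grant('"%s":%s' % (principal, perm))
    warnings = []
    if review["writes"]:
        warnings.append("grant lets the worker process modify site content; RX is enough to serve it")
    if review["unknown"]:
        warnings.append("unrecognised rights tokens: %s" % ", ".join(review["unknown"]))
    return {"sid": apppool_sid(pool_name), "command": command, "warnings": warnings}


if __name__ == "__main__":
    # Constructed invocation mirroring the answer's icacls line.
    plan = plan_content_grant(r"c:\inetpub\wwwroot", "DefaultAppPool")
    print(plan["sid"])
    print(plan["command"])
    for w in plan_content_grant(r"c:\inetpub\wwwroot", "DefaultAppPool", ("OI", "CI", "M"))["warnings"]:
        print("warning:", w)
```

Because the SID depends only on the pool name, two pools never share one, which is the isolation the answer describes: each worker process can be granted exactly its own content directory. The derivation is done locally here for illustration; on the server itself the authoritative value is whatever Windows resolves the name to.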
Best Answer
You can use the sc command to set permissions on a specific service.
The format is a little difficult to understand, but first you will need to find the user or group's SID to use the command (something like "S-1-5-21-....").
A couple of notes on that command:
Replace myserver with your server's name and spooler with the service you want to edit.
More information is available at the following locations:
http://technet.microsoft.com/en-us/library/cc742037(WS.10).aspx
http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx
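The sc subcommands this answer refers to are sc sdshow, which prints a service's security descriptor as an SDDL string, and sc sdset, which applies one; the hard part is composing a correct SDDL string that adds start/stop for one SID without loosening anything else. The following is an added example, not from the answer or from Microsoft: it parses the DACL of an SDDL string, reports which service rights a SID or well-known alias holds, appends an allow ACE carrying only start/stop and query rights, and flags ACEs that hand out change-config or write-DAC rights to anyone other than SYSTEM and Administrators. The SDDL and the S-1-5-21 SID are constructed samples shaped like sc sdshow output; the parser assumes the string has a D: section optionally followed by S:, as sc prints it.

```python
"""Parse, audit and extend a Windows service SDDL string (added example)."""
import re

# Constructed sample in the shape of `sc sdshow <service>` output, not captured from a real host.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed placeholder SID

ACE_RE = re.compile(r"\(([^)]*)\)")
SERVICE_RIGHTS = {  # two-letter SDDL access tokens as they apply to service objects
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# Query config/status, enumerate, start, stop, interrogate, user control, read control: no reconfigure.
START_STOP = "CCLCSWRPWPLOCRRC"
# Rights that let a trustee reconfigure the service or rewrite its ACL (service-binary swap, etc.).
DANGEROUS = {"DC", "WD", "WO", "SD", "GA", "GW"}


def split_sddl(sddl):
    """Return (prefix, dacl_text, sacl_text); prefix holds any O:/G: parts before D:."""
    d = sddl.find("D:")
    if d < 0:
        return sddl, "", ""
    s = sddl.find("S:", d + 2)
    dacl = sddl[d + 2:s] if s >= 0 else sddl[d + 2:]
    sacl = sddl[s + 2:] if s >= 0 else ""
    return sddl[:d], dacl, sacl


def parse_dacl(sddl):
    """Return the DACL as a list of {type, flags, rights(list of tokens), trustee} dicts."""
    _, dacl, _ = split_sddl(sddl)
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields[:6]
        if rights.startswith("0x"):
            tokens = [rights]  # raw access mask; left undecoded here
        else:
            tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "flags": flags, "rights": tokens, "trustee": trustee})
    return aces


def rights_for(sddl, trustee):
    """Effective allow tokens for one trustee alias or SID string (explicit denies subtracted)."""
    allowed, denied = set(), set()
    for ace in parse_dacl(sddl):
        if ace["trustee"] != trustee:
            continue
        (allowed if ace["type"] == "A" else denied if ace["type"] == "D" else set()).update(ace["rights"])
    return allowed - denied


def grant_start_stop(sddl, sid, rights=START_STOP):
    """Return SDDL with an allow ACE for `sid` appended to the DACL; SACL and prefix are kept intact."""
    prefix, dacl, sacl = split_sddl(sddl)
    new = prefix + "D:" + dacl + "(A;;%s;;;%s)" % (rights, sid)
    return new + ("S:" + sacl if sacl else "")


def risky_aces(sddl, trusted=("SY", "BA")):
    """List (trustee, sorted dangerous tokens) for allow ACEs outside SYSTEM/Administrators."""
    out = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["trustee"] in trusted:
            continue
        bad = sorted(set(ace["rights"]) & DANGEROUS)
        if bad:
            out.append((ace["trustee"], bad))
    return out


if __name__ == "__main__":
    new_sddl = grant_start_stop(SAMPLE_SDDL, SAMPLE_SID)
    for ace in parse_dacl(new_sddl):
        names = [SERVICE_RIGHTS.get(t, t) for t in ace["rights"]]
        print("%s %-50s %s" % (ace["type"], ace["trustee"], ", ".join(names)))
    print("risky:", risky_aces(new_sddl))
    print(new_sddl)  # this is the string that would be passed to `sc sdset <service> ...`
```

Appending the ACE after the existing allow entries keeps the descriptor in canonical order (denies first), and keeping the S: section intact preserves the audit entry that sc sdshow reported. Before applying the output with sc sdset, run risky_aces on it so that a typo such as GA instead of RP does not quietly hand a low-privilege account the right to reconfigure the service.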