I have a webhook script written in Python on my Debian/Apache2.4 server, so that it runs a deploy .sh script when pushing on GitHub. So, the script is executed by standard Apache user "www-data".
My script needs to restart or reload Apache, but the output says the user doesn't have the permission to do so:
Reloading apache2 configuration (via systemctl): apache2.service
Failed to reload apache2.service: Access denied
Same behaviour when doing it manually as www-data (sudo -u www-data /etc/init.d/apache2 reload).
So I tried to make "www-data" have permissions to reload or restart Apache by adding the following line to my visudo (according to this doc):
www-data ALL = NOPASSWD: /etc/init.d/apache2
But it doesn't change anything. Why? Is it because Apache can't reload itself?
How can I change the permissions to do so? Or do I need the script to be executed by another user, and how?
Best Answer
Since httpd binds to port 80 and 443, which are reserved, you need root privileges to restart them. That means that the user www-data does not have sufficient rights to do so. So what you need to do is to allow the user www-data to run this command as root. You do that by adding this line to your sudo config (or to a separate file in /etc/sudoers.d, if your system uses that):

Your www-data user will now be able to run this single command as root. You'll need to edit your script so that it contains

instead of just

It is possible that your system is configured to require a tty when using sudo. This is often done specifically to prevent scripts using sudo, since that is an attack vector. If that is the case, your sudoers file needs to be slightly more complex:

This means that only the command /etc/init.d/apache2 reload can be run without a tty being required.
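As an added example (not code from the question or the answer), the POSIX shell script below audits a sudoers fragment for the two points the answer makes: a command listed without arguments, as in the question's rule, lets the user pass any argument list (so it also permits "stop"), whereas pinning "reload" limits the grant to that one invocation; and a "Defaults requiretty" line will block a non-interactive hook. The fragment in SAMPLE_SUDOERS is constructed for the demo; no real sudoers file is read.

```shell
#!/bin/sh
# Constructed sample fragment (not a real /etc/sudoers.d file). The www-data
# rule is the question's broad form; the deploy rule is the answer's pinned form.
SAMPLE_SUDOERS='# constructed sample
Defaults requiretty
www-data ALL = NOPASSWD: /etc/init.d/apache2
deploy ALL = (root) NOPASSWD: /etc/init.d/apache2 reload
'

# Classify one sudoers line:
#   any-args   bare command path; sudo accepts ANY argument list for it
#   fixed-args command plus arguments; only that exact argument list is allowed
#   no-rule    comment, Defaults line, or blank line
sudoers_rule_scope() {
    case "$1" in
        ''|'#'*|Defaults*) echo no-rule; return 0 ;;
    esac
    # drop "user hosts =", an optional "(runas)" and tags such as NOPASSWD:
    spec=$(printf '%s' "$1" | sed -E 's/^[^=]*=[[:space:]]*//; s/^\([^)]*\)[[:space:]]*//; s/^([A-Z]+:[[:space:]]*)+//')
    case "$spec" in
        *' '*) echo fixed-args ;;
        *)     echo any-args ;;
    esac
}

# Print "<scope>: <rule>" for every rule of one user in a fragment.
# Exit status 1 if any rule grants the bare command (too broad), else 0.
audit_user_rules() {
    user="$1"; text="$2"; broad=0
    while IFS= read -r line; do
        case "$line" in "$user "*) ;; *) continue ;; esac
        scope=$(sudoers_rule_scope "$line")
        echo "$scope: $line"
        [ "$scope" = any-args ] && broad=1
    done <<EOF
$text
EOF
    return $broad
}

# "yes" if the fragment forces a tty, which breaks sudo from a webhook script.
sudoers_requires_tty() {
    printf '%s\n' "$1" | grep -Eq '^Defaults[[:space:]]+requiretty' && echo yes || echo no
}
```

Run it against your own fragment with `audit_user_rules www-data "$(cat /etc/sudoers.d/apache-reload)"` (path assumed) to confirm the rule is pinned to a single argument list before relying on it.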