I'm developing a PHP web application that, among other things, needs to allow the user to add, edit and delete Apache virtual host entries. (I'm including a web-writable config file in my Apache2.conf.) What is the best way to get Apache to restart or recognize these changes in the vhost file? The only way I see is to somehow escalate PHP to root privileges and call "apachectl graceful" when the file is updated. Is there a better way? I'd prefer the changes to take effect immediately, instead of waiting for a crontab to execute...
PHP add virtual host dynamically
Best Answer
From a security perspective, one couldn't imagine many worse ideas. People go out of their way using chroot and other mechanisms to try and REMOVE privileges from the web server process/effective user. Regardless of whether or not you grant the web user escalated privileges, you are granting the web process the ability to define what is executable by what type of script in what directories by allowing it to rewrite the config file. Horrible, horrible idea.
I would suggest creating a set of very limited actions which the web server could take, perhaps writing name and home directories of the needed virtual hosts to a text file in the web root. Some other process with the required permissions could then check the syntax and turn it into the needed changes. Or send the commands directly over a TCP connection to a port on the same machine as described below.
To limit the privilege escalation to only taking this one action, you could write a TCP server listening on a special port to which the web service could send a restart message; I've written such special-purpose TCP servers (just a couple hundred lines of C, much of it available as a template) to allow an otherwise chroot-isolated web server process access to some other service which would normally be unavailable without granting it carte blanche access to the file system and binaries.
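As an added illustration of the split the answer recommends (this is not code from the question, the answer, or Apache): the privileged side accepts only three fixed requests from the web process, validates the hostname, derives every path itself, and runs a fixed reload command. The directories and the reload command are assumptions; the transport (the local TCP listener or the polled text file the answer describes) is left out.

```python
import os
import re
import subprocess

# Privileged-side helper sketched in the answer: the web process may only ask
# for a few fixed actions, and this side validates them before touching Apache.
# Directories and the reload command below are assumptions, not from the page.
DOCROOT_BASE = "/var/www/sites"           # assumed parent of every DocumentRoot
VHOST_DIR = "/etc/apache2/sites-managed"  # assumed dir this helper owns
RELOAD_CMD = ["apachectl", "graceful"]    # fixed argv, never built from input

# Hostname labels: letters/digits/hyphen, no leading/trailing hyphen, >= 2 labels.
HOST_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def parse_request(line):
    """Return (action, host) for 'ADD <host>', 'DEL <host>' or 'RELOAD';
    return None for anything else. The web process never supplies a path."""
    parts = line.strip().split()
    if parts == ["RELOAD"]:
        return ("RELOAD", None)
    if len(parts) != 2 or parts[0] not in ("ADD", "DEL"):
        return None
    host = parts[1].lower()
    return (parts[0], host) if HOST_RE.match(host) else None

def vhost_paths(host):
    """Config file and DocumentRoot for a validated host: both are joined
    onto fixed directories, so traversal is impossible by construction."""
    return (os.path.join(VHOST_DIR, host + ".conf"),
            os.path.join(DOCROOT_BASE, host))

def render_vhost(host):
    """Minimal <VirtualHost> block; only the validated host is interpolated."""
    docroot = vhost_paths(host)[1]
    return (f"<VirtualHost *:80>\n    ServerName {host}\n"
            f"    DocumentRoot {docroot}\n</VirtualHost>\n")

def apply_request(line):
    """Validate, then perform exactly one allowed action and reload Apache."""
    req = parse_request(line)
    if req is None:
        raise ValueError("rejected request: %r" % line)
    action, host = req
    if action == "ADD":
        with open(vhost_paths(host)[0], "w") as f:
            f.write(render_vhost(host))
    elif action == "DEL":
        os.remove(vhost_paths(host)[0])
    subprocess.run(RELOAD_CMD, check=True)
```

Whatever transport delivers the request line, the web process only ever chooses a hostname; the privileged side refuses anything that is not one of the three forms and decides the file locations and the reload command itself.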