LinuxQuestions.org


Kearneyman 02-18-2010 03:50 PM

allow Apache to send SIGHUP to root process
 
I have been tasked with sending a kill -s SIGHUP (a reload) to a Daemon process owned by root running on a CentOS 5.4 machine.

Obviously, Apache cannot normally do this, so I'm going to have to use the sudoers file.

My problem is, how do I allow the Apache user to run only the kill command? Nothing else.

In testing, I've gotten Apache to basically run every command prefixed with sudo and no password prompting. But I want the added security to only run the kill command without the password being prompted; everything else should prompt for a password.

I'm trying to understand the sudoers file, and I must say, it's non-trivial.

Is there a simple one-line entry I can put in the sudoers file, like

PHP Code:

apache   ALL=(ALL)   NOPASSWD: /bin/kill 


kbp 02-18-2010 04:07 PM

There's nothing wrong with that line AFAICS... what other commands do you need the apache user to run (as another user)?

anomie 02-18-2010 04:11 PM

This is a wee bit scary. Can you explain precisely the problem you're trying to solve?

---

Off the top of my head, I believe your sudoer entry would be:
Code:

apache  ALL = NOPASSWD: /path/to/program

But I could be wrong. Double check the manpages for sudoers(5), and of course you'll need to test.

All that said, what you're doing here is a bad idea. Even if your situation absolutely requires apache to kill/SIGHUP a process, you will want to do something like:

Code:

#!/bin/sh

#
# This script lives at /usr/local/bin/killer.sh.
# You could parameterize the pid, or instead use
# pkill to match a pattern...
#

/bin/kill -s SIGHUP <pid_here>

exit 0

Next, # chown root /usr/local/bin/killer.sh ; chmod 700 /usr/local/bin/killer.sh

Then your sudoer entry will look more like:

Code:

apache  ALL = NOPASSWD: /usr/local/bin/killer.sh

This helps eliminate some of the ways to abuse the power you're granting.

kbp 02-18-2010 04:57 PM

<delete.. replied to wrong post>

Kearneyman 02-18-2010 05:06 PM

First, thank you both for the responses.

@kbp: you are correct there was nothing wrong with that line. I appeared to have fat-fingered the sudoers file.

@anomie:
Sure, I'll go into further detail.

My company is using a multi-threaded PHP Daemon (project page, if you're interested: http://code.google.com/p/phpmultithreadeddaemon/) to monitor a directory and parse files.

There are certain times when we get more files than usual. So, I was asked to create a general web interface where anyone from within the server team could go in and increase/decrease the number of processes being spawned.

After the person changes the number of threads and clicks the save button, the Daemon needs to be notified of the changes, which is only possible via a SIGHUP (the multi-threaded daemon application is already coded to handle SIGHUPs).

I must say, however, creating a script and giving Apache permission to only run that script is a much preferred way instead of giving Apache the kill command.

When the daemon starts, it writes its process ID to /var/run/pmtd.pid, so I think instead of using pkill I'd just cat the PID from the file written to at start-up.

PHP Code:

#!/bin/sh

# Get the PID from the file written to at start-up
/bin/kill -s SIGHUP `cat /var/run/pmtd.pid`
exit 0

I greatly appreciate the help. And thank you for explaining in detail what you were doing each step.

I have been using Linux for years now and I must say, I learn something new every day.

I noticed you ended the script with exit 0; why is that? Does that have an added benefit as opposed to just letting the script run the kill command?

If you have any other questions, please feel free to ask.
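
A hardened form of the reload wrapper discussed in this thread, added here as an example and not posted by any participant: it validates the contents of the PID file and confirms the PID still belongs to the daemon before sending SIGHUP. The install path /usr/local/bin/pmtd-reload.sh, the function names and the "pmtd" command-line match string are assumptions, and the identity check relies on Linux /proc.

```sh
#!/bin/sh
# Added example, not from the thread. The install path
# /usr/local/bin/pmtd-reload.sh and the "pmtd" match string are assumptions.
# The script takes no arguments: root fixes the target and the signal.

# Print the PID stored in file $1; fail unless it is a regular file
# (not a symlink) holding a single decimal PID greater than 1.
# Rejected contents: empty, non-digits ("-1", "12 34", two lines), 8+ digits.
read_pid() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    pid=$(cat "$1") || return 1
    case "$pid" in
        ''|*[!0-9]*|????????*) return 1 ;;
    esac
    [ "$pid" -gt 1 ] || return 1    # 0 means "my process group", 1 is init
    printf '%s\n' "$pid"
}

# Succeed only if PID $1 is alive and its command line contains $2, so a
# stale PID file whose number was reused is not signalled. Needs Linux /proc.
pid_matches() {
    [ -r "/proc/$1/cmdline" ] || return 1
    cmd=$(tr '\000' ' ' < "/proc/$1/cmdline")
    case "$cmd" in
        *"$2"*) return 0 ;;
    esac
    return 1
}

# Validate, verify, then send SIGHUP with the shell's builtin kill
# (no PATH lookup under sudo). Returns 2 for a bad PID file, 3 for a mismatch.
reload_daemon() {
    target=$(read_pid "$1") || { echo "bad pid file: $1" >&2; return 2; }
    pid_matches "$target" "$2" || { echo "pid $target is not $2" >&2; return 3; }
    kill -s HUP "$target"
}

# Run the reload only when installed under the assumed name.
case "${0##*/}" in
    pmtd-reload.sh) reload_daemon /var/run/pmtd.pid pmtd; exit ;;
esac
```

A short window remains between the /proc check and the signal in which the PID could be reused.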

anomie 02-18-2010 05:13 PM

That all makes sense. Given the requirements, I don't have a substantially better solution than what you've put together...

The exit 0 is really just a formality in this case. It sticks to a convention where a script or program explicitly sets a return code to demonstrate that it finished "OK".

There's a quick writeup on exit here:
Advanced Bash-Scripting Guide: Chapter 6. Exit and Exit Status

Valery Reznic 02-19-2010 01:02 AM

Your daemon can check the time-stamp of the config file written by the web interface every X seconds.
This way you don't need sudo to send the daemon a SIGHUP.

