LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
10-10-2005, 07:32 PM   #1
cmowl (LQ Newbie; Registered: Oct 2005; Location: Cincinnati OH; Distribution: RedHat; Posts: 4)
Apache edit question


Please bear in mind that I am a Linux newbie, so if this is a really stupid question I apologize in advance...

We are running Apache servers, or rather IBM's bastardized version of it, installed under /opt/IBMHIHS/. Subdirectories underneath here are where the httpd.conf file and the other configs are located. Apache was installed as root (not by me), thus all files are owned by root with 754 perms (rwxr-xr--).

We need another user, who we do not want to have root access to the box, to be able to update the Apache configs in addition to some of the web content located underneath. With the above perms noted, would we have to allow "other" to have rwx permissions (757) for this non-root user to write to these files? That seems dangerous and frankly rather silly. Is there a way to overcome the lack of an ACL within Linux? Not sure how perms should really work in instances like this.

Other question: this user may need to restart Apache (/opt/IBMHIHS/bin/apachectl). If what I've read is correct, since Apache grabs port 80 to start it is considered privileged since it is < 1024, therefore root needs to start this process. Is this also correct? Is there a way to circumvent this?

Thanks in advance for any help
 
10-10-2005, 09:49 PM   #2
Hangdog42 (LQ Veteran; Registered: Feb 2003; Location: Maryland; Distribution: Slackware; Posts: 7,803; Blog Entries: 1)
Access to apachectl is pretty easy. You need to investigate using sudo, which allows you to give specific users the ability to run specific commands with root privileges. They authenticate using their own password and never need to know root's.


For the configuration files, instead of using 757, I would use chown to move the file to a different group. I'm assuming that these files are owned by root user and root group. You could either create a new group (or maybe use an existing one) and then chown just the config files to that group. So say you create a web group, the config files could be owned by root user and web group. Then add the user to the web group and use 774 as the permissions.
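One way to set up what Hangdog42 describes, as an added example that is not code from the thread (the group name, delegated user and output path are assumptions; /opt/IBMHIHS is the layout from the post):

```shell
#!/bin/sh
# Added example, not code from the thread: hand the config files to a group
# and the restart to sudo. Group name, user name and output path are
# assumptions; /opt/IBMHIHS is the layout given in the post.
set -eu

# delegate_configs GROUP FILE...: put FILEs in GROUP, group-writable.
# 664 rather than 774: config files are never executed, so the execute bit
# only widens what a member of the group can do.
delegate_configs() {
    group=$1; shift
    for f in "$@"; do
        chgrp "$group" "$f"
        chmod 664 "$f"
    done
}

# check_delegation FILE GROUP: 0 if FILE is mode 664 and in GROUP (GNU stat)
check_delegation() {
    [ "$(stat -c '%a %G' "$1")" = "664 $2" ]
}

# sudoers_rule USER APACHECTL OUT: write a rule allowing USER to run only the
# listed apachectl subcommands as root, authenticating with USER's own
# password. Check and install it with visudo:
#   visudo -c -f OUT   (then add the line with visudo, or drop OUT into
#   /etc/sudoers.d on a sudo that supports that directory)
# apachectl itself must stay root-owned and not writable by the user or the
# group, otherwise the rule hands over root.
sudoers_rule() {
    user=$1; ctl=$2; out=$3
    printf '%s ALL=(root) %s configtest, %s graceful, %s restart\n' \
        "$user" "$ctl" "$ctl" "$ctl" > "$out"
}
```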
 
10-11-2005, 05:21 AM   #3
unSpawn (Moderator; Registered: May 2001; Posts: 29,415; Blog Entries: 55)
> Access to apachectl is pretty easy. You need to investigate using sudo

To add to that, especially if running sudo as root user, I would run it a little more elaborately than just "vim httpd.conf": use a wrapper against vi running a shell (Freshmeat/Google: "noexec"). Another way to strengthen it would be running a wrapper around the edit thing. What it would need to do is make a backup copy (cvs, rcs?) of the conf, serve only the part that user is allowed to edit (echo \$-max,\$-min p | ed -s file), merge back and after the edit do some ownage and syntax checking (apachectl) before committing. Admittedly the wrapper thing may be a bit harder to do (but not if you're moderately good at scripting); maybe another option is to set up an include and only allow that user to edit that include. That way you can, to some extent, guarantee the integrity of the conf.


> Other question: this user may need to restart Apache (/opt/IBMHIHS/bin/apachectl). If what I've read is correct, since Apache grabs port 80 to start it is considered privileged since it is < 1024, therefore root needs to start this process. Is this also correct? Is there a way to circumvent this?

I can't think of a workaround unless you would let it run on a port above 1024 and use iptables to redirect traffic from port TCP/80 to that port, but I can't see what that would break except network stuff like QoS routing and prolly IDS. From a security POV running on a port above 1024 is in fact the opposite of trust, since then anyone can start and muck around with the httpd.
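A wrapper along the lines unSpawn sketches, added here as an example and not code from the thread. It assumes the delegated user may only edit one dedicated include (conf/web-user.conf, pulled into httpd.conf by an Include line the admin adds), runs as that user rather than under sudo so an editor shell escape gains nothing, and, because the daemon is started by root, accepts only a short list of directives in that include:

```shell
#!/bin/sh
# Added example, not code from the thread. The delegated user edits a private
# copy of one include file (assumed: conf/web-user.conf, pulled in by an
# Include line in httpd.conf); the wrapper keeps a dated backup, accepts only
# listed directives, runs the syntax check and rolls back when it fails.
set -u
: "${EDITOR:=vi}"
: "${CHECK_CMD:=/opt/IBMHIHS/bin/apachectl configtest}"     # assumed path
: "${ALLOWED:=Alias Redirect RedirectMatch Directory Options AllowOverride ErrorDocument}"

# directives_ok FILE: 0 if every directive in FILE is in $ALLOWED, else 1
directives_ok() {
    bad=0
    allowed_lc=$(printf '%s' "$ALLOWED" | tr 'A-Z' 'a-z')
    while IFS= read -r line || [ -n "$line" ]; do
        # first word, lower-cased, with the "<" or "</" of a section tag stripped
        d=$(printf '%s\n' "$line" | sed -e 's/^[[:space:]]*//' -e 's#^</\{0,1\}##' \
                                      -e 's/[[:space:]>].*//' | tr 'A-Z' 'a-z')
        case "$d" in ''|\#*) continue ;; esac
        ok=0
        for a in $allowed_lc; do if [ "$a" = "$d" ]; then ok=1; fi; done
        [ $ok -eq 1 ] || { echo "directive not allowed: $d" >&2; bad=1; }
    done < "$1"
    return $bad
}

# edit_include INCLUDE BACKUPDIR: 0 if committed, 1 if rejected or rolled back
edit_include() {
    inc=$1; bak=$2
    mkdir -p "$bak"
    saved="$bak/$(basename "$inc").$(date +%Y%m%d%H%M%S)"
    cp -p "$inc" "$saved" || return 2
    tmp=$(mktemp) || return 2
    cp "$inc" "$tmp"
    $EDITOR "$tmp"                      # the user only ever touches this copy
    if ! directives_ok "$tmp"; then rm -f "$tmp"; return 1; fi
    cat "$tmp" > "$inc"                 # keeps owner, group and mode of $inc
    rm -f "$tmp"
    if $CHECK_CMD >/dev/null 2>&1; then
        echo "committed; previous version saved as $saved"; return 0
    fi
    cp "$saved" "$inc"                  # syntax check failed: roll back
    echo "syntax check failed; previous version restored" >&2
    return 1
}
```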