LinuxQuestions.org
Old 12-16-2008, 05:10 PM   #1
lexthoonen
LQ Newbie
 
Registered: Jan 2007
Posts: 19

Rep: Reputation: 0
Question how to make it possible for a non root user to restart the webserver


Hi, I don't know a lot about Linux, so I have to ask this, probably dumb, question:

I got an Ubuntu server - with isp config - running a few websites. Now, for some reason, the server keeps hanging. I've had people looking at it, and none so far knows what the source of the problem(s) is.

Until that's solved, I'd like a person, not me, to be able to restart the web service. I have to do it quite a few times on busy days, and I either do it via putty or via isp config. In the latter, I log in as admin and via putty I log in as root.

Is there a way, for example, via a .sh script or so, that someone else might restart the web service? Someone, without root privileges?

Or can I make a new user and give that permission somehow, and preferably give him/her access without having to use putty?

Thanks!
 
Old 12-16-2008, 05:32 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,138

Rep: Reputation: 166
I'd create another account and edit /etc/sudoers with visudo to only give that account sudo access to the web server startup script. This would require putty though as the user would need a shell to run the script.

As far as web based stuff goes, I haven't used anything like that for a while. Webmin is supposed to support Ubuntu and can control an Apache server so you may be able to use it.
 
Old 12-16-2008, 07:57 PM   #3
lexthoonen
LQ Newbie
 
Registered: Jan 2007
Posts: 19

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by gilead
I'd create another account and edit /etc/sudoers with visudo to only give that account sudo access to the web server startup script.
First of all, thanks for your answer!
I know I'm asking quite a lot, but could you explain the steps you're referring to above in a bit more detail, as for dummies?

Thanks!
 
Old 12-16-2008, 08:28 PM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677
You should indicate which part you don't understand. Read the /etc/sudoers file. It is well commented.
The lines that begin with an octothorpe symbol (#) are comments as you probably know. Also, the visudo command on the server is what you use to edit the /etc/sudoers file. It will perform error detection and if you made a mistake editing the file, it will let you know and give you a menu option to continue editing.

Look at the example of giving members of the wheel group permission to use sudo. (Note: Ubuntu uses the admin group instead.) To use this line, remove the "# " from the beginning of the line. This however will allow any user to issue a root command. On some distros the user will need to know the root password. On others the user's own password will be asked for. If the latter is the case, comment out the "targetpw" entry.

Look at the example which gives users permission to mount a cdrom. You could use this line as a model and create a similar line that restarts the web server service instead.

Another option is to use ssh to issue the service restart command. After the username and host, you can add the command that you want run on the server. Only this command will be run, and the user issuing the command will not be operating in a shell. This can prevent errors and abuse.
example:
ssh username@host sudo service httpd restart
After authenticating, the single command is run.

It would be easiest if your remote client were a Linux machine. An alternative is to install "Cygwin", which will give you a bash shell and commands such as ssh, instead of stumbling along with putty. If you install Cygwin/X, you could even edit the config files in gedit or another graphical text editor that is installed on the server (provided X forwarding is enabled in your sshd_config file).

By the way, logging into the server as root is a bad idea. Especially if you use name/password authentication. This leaves the server open to brute force attacks from script kiddies. Unless you need a cron job to connect to the server automatically, you should log in as a regular user and then su to root or use sudo to execute administrative commands.
Even then you should look into setting up public key authentication. If you don't need automated ssh connections, then give the private key a strong passphrase. This will require entering the passphrase to unlock the private key on the client.

Configuring Public Key Authentication
You will need to edit /etc/ssh/sshd_config on the server to disable root logins, password authentication and enable public key authentication. Also first you need to copy your client's public key to the authorized_keys file on the server. Read through the /etc/ssh/sshd_config file. Look at the line for "UsePAM". The paragraph of instructions above this line gives instructions on how to configure public key authentication. If you still use putty on the client, you can use PuTTY's keygen program to generate a public/private key pair. Load in the key and it will display the openssh public key. Highlight the openssh public key and paste it into the server's authorized_keys file.

It would also be worthwhile reading through the manpages for ssh, sshd_config and ssh_config.

If your websites run on LAMP servers, be sure you check that the root user has a password and that the demo database that allows guest access is dropped. Since the server allows root ssh access, the MySQL server may not be hardened either. Downloading the MySQL manual from their website would be a good idea. It has a section on other security issues, such as making sure your scripts wrap user input inside single quotes to prevent SQL injection.

IMHO, anyone running a number of Linux servers should also at least run Linux at home to learn more about it.

Last edited by jschiwal; 12-16-2008 at 08:41 PM.
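
Added example (not part of any post in this thread): a shell sketch of the two steps discussed above, a sudoers rule limited to the web server restart and a check of sshd_config against the advice in post #4. The account name "webop" and the path /etc/init.d/apache2 are assumptions for an Ubuntu host, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The account name "webop" and the
# command path /etc/init.d/apache2 are assumptions for an Ubuntu host.

# Print a sudoers rule that lets one account run exactly one command line as root.
# Listing the argument ("restart") means sudo rejects any other argument.
restart_rule() {
    case $2 in
        /*) printf '%s ALL=(root) %s\n' "$1" "$2" ;;
        *)  echo "command must be an absolute path" >&2; return 1 ;;
    esac
}

# List global sshd_config settings that differ from the advice in post #4:
# no root login, no password authentication, public keys enabled.
# sshd uses the first value it reads for a keyword; Match blocks are skipped.
audit_sshd() {
    awk '
        tolower($1) == "match" { exit }
        /^[ \t]*#/ || NF < 2   { next }
        { k = tolower($1); if (!(k in seen)) seen[k] = tolower($2) }
        END {
            check("permitrootlogin", "no")
            check("passwordauthentication", "no")
            check("pubkeyauthentication", "yes")
        }
        function check(k, want) {
            if (!(k in seen))         { if (want == "no") print k " unset (want no)" }
            else if (seen[k] != want) print k " " seen[k] " (want " want ")"
        }
    ' "$1"
}

# Constructed sample input, not taken from any real server.
sample_config() {
    cat <<'EOF'
# constructed example
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
UsePAM yes
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
restart_rule webop "/etc/init.d/apache2 restart"
audit_sshd "$tmp"
rm -f "$tmp"
```

Save the generated rule to a file and check it with visudo -cf before installing it; the user then has to type the command exactly as listed in the rule, e.g. sudo /etc/init.d/apache2 restart.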
 
  

