Re: [Hampshire] Running a script that needs to do a rooty th…

Author: James Courtier-Dutton
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Running a script that needs to do a rooty thing
On 26 November 2010 21:43, Dominic Cleal <dominic@???> wrote:
> On 26/11/10 21:04, Vic wrote:
>
> I'd strongly recommend using sudo, it isn't daft.  It's really easy to
> configure, it gives you auditing via syslog and should run the command
> in a secure environment out of the box.
>
> Add a line to the bottom of /etc/sudoers similar to:
>
> www-data   ALL = (root) NOPASSWD: /usr/sbin/apachectl graceful
>
> The www-data user will be able to only run the single command with the
> exact set of arguments given.  Then just run "sudo apachectl graceful"
> from your script.
>


I would use this option also.
It is what sudoers was designed for.

sudo has the setuid bit set, so that it can do its job.
The advantage of using sudo is that it has been around for a long
time, so vulnerabilities in it have mostly been already dealt with.

But there should be a way to do this without having to be root.
All you have to do is send the Apache process SIGUSR1, and that
should not need root access:
kill -SIGUSR1 3443     (where 3443 is the PID of the Apache process)
This works as long as the user running the kill command is the same as
the one running the Apache process itself.
Just look in the apachectl script to find out where it gets the PID from.
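Putting the two routes from this message together, here is an added example script (not code from the post, nor from Apache or sudo). It carries the sudoers line Dominic quoted as a constant and syntax-checks it with visudo -cf before anyone installs it, tries the sudoers route with sudo -n so a cron job can never hang on a password prompt, and otherwise reads the PidFile and sends SIGUSR1 only after confirming the PID is numeric and the process belongs to the calling user. The paths in APACHECTL and PIDFILE are assumptions; the real PidFile location is whatever the apachectl script or httpd.conf on the box says. One check worth doing before relying on the signal fallback: on a stock install the Apache parent process, the one that reacts to SIGUSR1, runs as root, with only the workers running as www-data, so a script running as www-data will get EPERM from kill and needs the sudoers route after all.

```shell
#!/bin/sh
# Added example, not code from the list post, Apache or sudo.
# Graceful Apache restart from an unprivileged script: try the sudoers rule
# quoted in the thread first, fall back to SIGUSR1 on a process we own.
# APACHECTL and PIDFILE are assumptions; check apachectl/httpd.conf for the
# real PidFile on your system.
APACHECTL=${APACHECTL:-/usr/sbin/apachectl}
PIDFILE=${PIDFILE:-/var/run/apache2.pid}
SUDOERS_RULE='www-data   ALL = (root) NOPASSWD: /usr/sbin/apachectl graceful'

# Syntax-check the rule with visudo before it goes anywhere near /etc/sudoers;
# a broken sudoers file locks everyone out of sudo.
# Returns 0 if visudo accepts it, 1 if it rejects it, 2 if visudo is absent.
check_sudoers_rule() {
    command -v visudo >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SUDOERS_RULE" > "$tmp"
    chmod 0440 "$tmp"
    visudo -cf "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Read a PidFile and print the PID, refusing anything that is not a number:
# a corrupted or writable PidFile must never turn into an arbitrary kill.
read_pidfile() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Numeric real uid of a process: /proc on Linux, ps elsewhere.
owner_uid() {
    if [ -r "/proc/$1/status" ]; then
        awk '/^Uid:/ { print $2; exit }' "/proc/$1/status"
    else
        ps -o uid= -p "$1" | tr -d ' '
    fi
}

# A non-root user may only signal processes running under its own uid,
# so check up front instead of learning it from EPERM.
owned_by_me() {
    [ "$(owner_uid "$1")" = "$(id -u)" ]
}

# sudo -n never prompts: with the NOPASSWD rule it runs the exact command,
# without it sudo fails immediately instead of hanging on a password prompt.
sudo_graceful() {
    command -v sudo >/dev/null 2>&1 || return 1
    sudo -n "$APACHECTL" graceful >/dev/null 2>&1
}

# SIGUSR1 to the parent httpd is what "apachectl graceful" itself sends.
signal_graceful() {
    pid=$(read_pidfile "$PIDFILE") || return 1
    owned_by_me "$pid" || return 1
    kill -s USR1 "$pid"
}

graceful_restart() {
    sudo_graceful || signal_graceful
}

# Only act when explicitly asked, so sourcing the file has no side effects.
if [ "${RUN_GRACEFUL:-0}" = 1 ]; then
    graceful_restart
fi
```

Run it as `RUN_GRACEFUL=1 PIDFILE=/path/to/httpd.pid sh graceful.sh` from the script that needs the restart; the sudoers route is taken whenever the rule is in place, and the signal route only when the PidFile names a process the caller actually owns.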