
How can I sudo to the apache account

bxglxbxglx2000 asked:
For some reason, I need to run a script with apache rights (like the rights on http://myserver/phpscript ).
How can I sudo with apache rights?


Commented:
Is this a script you will run on a regular basis?  You could put it into the apache user cron.
Commented:
otherwise,
sudo -u apache <cmd to execute>
But you will need the correct entry in the /etc/sudoers file to allow your current user sudo access.
Top Expert 2007
Commented:
Please see the link below for sudo:

http://www.gratisoft.us/sudo/man/sudoers.html

If you want to run a script as the apache user from root, then:

su apache -c csciptname

Here you don't need a password.

Author

Commented:
But I see an error:
[root@sv3 ~]# su apache -c csciptname
This account is currently not available.
[root@sv3 ~]#


Top Expert 2007
Commented:
Please put the actual apache user name.
Top Expert 2010

Commented:
This may help: the following command should show which user-id Apache is running as:

ps -ef | grep http

Author

Commented:
@omarfarid:
apache is the user of the Apache web server.
Now do I add a user, with the useradd command?
Top Expert 2007

Commented:
But the previous post showed that this user is not there! Are you using root to start / stop the apache processes? Which user owns the apache files?

Author

Commented:
Yes, I use root to start/stop the process!

Author

Commented:
Do I need to create the apache user?

Top Expert 2007

Commented:
See, since you start apache as root, you may use sudo (see the link provided on how to use it).

But can you tell us what you want to run as apache?

Author

Commented:
I run some scripts to delete tmp files generated by my system, and to delete user data.
My server system is a file-hosting cluster, with many users and many files, more than 10 servers, and it will grow wider in the future.
So I am very afraid of making a mistake when deleting files.

The data is stored by apache (upload form), so I only want to delete files with apache rights, using a shell script and a PHP script from the command line.
I have also made a mistake in this case: my script also deleted some system files!
So I need only apache rights, to delete data created by apache.
Top Expert 2007

Commented:
Who is the owner of these temp files? If you run

ls -l filename (put the name of some temp file here)

what do you get?

User "apache" is already present on your system, but it has no shell access by default. If you issue
cat /etc/passwd | grep apache
you will probably see:
apache:!!:48:48:Apache:/var/www:/sbin/nologin
/sbin/nologin means it has no access to any of the shells. You can change this by using your text editor and changing /etc/passwd, so the line looks like:
apache:!!:48:48:Apache:/var/www:/bin/bash
It should be OK now, and no errors should appear.

Author

Commented:
@ omarfarid:

[root@sv3 ~]# ls -l /mnt/weblog/
drwxr-xr-x 3 apache apache     60 Apr  3 19:47 cache
drwxr-xr-x 2 apache apache 315340 Jun 13 07:01 fileinfo
drwxr-xr-x 2 apache apache 369040 Jun 13 07:06 for_count
drwxr-xr-x 2 apache apache  13180 Jun 13 07:06 last-bonus
drwxr-xr-x 2 apache apache  11600 Jun 13 07:06 last-download
drwxr-xr-x 3 apache apache    140 Jun 13 03:36 tmp_iplg

I run an hourly/daily cron command script (with root rights) to delete old files in these dirs (keeping new files, not deleting all), and in some other dirs/files with apache rights, for example files uploaded by users.
So I'm afraid this command (and other cron commands in the future) may delete the wrong files.
And because the command runs automatically every day, if there is a mistake on a big system, the result is very serious.

@pingvinos:
Does this way have any risk? And is this the normal way to use apache?

Top Expert 2007

Commented:
If your cron job is correctly written and has been running fine for a while, then you should not have any issues in the future. You can put the temp files in a separate dir (which I assume is the case) and restrict that cron job to that dir.
Top Expert 2010

Commented:
A couple of alternatives, to allow the "apache" user-id to run your script:

usermod -s /bin/bash apache

# Or the following, run from the root crontab, will just delete the apache-owned files in /mnt/weblog/

02 02 * * * find /mnt/weblog/ -user apache -type f -exec rm -f {} \; >/dev/null 2>&1

# You may need to take Apache down before killing the logs, in which case why not add the find command above to the restart section of your /etc/init.d/apache* file
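
An added example (not part of any post in this thread) of the two suggestions above: restrict the cleanup to one directory tree, and remove only files owned by apache that are older than a given age. /mnt/weblog comes from the listing above; the function name, the ALLOWED_ROOT variable, the script path and the age threshold are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. ALLOWED_ROOT defaults to the
# /mnt/weblog directory shown in the listing; the function name, the
# script path and the cron.d entry below are assumptions.

# purge_old_owned DIR OWNER MINUTES
# Delete regular files under DIR that belong to OWNER and were modified
# more than MINUTES minutes ago. Prints how many files were removed.
purge_old_owned() {
    dir=$1 owner=$2 minutes=$3
    root=${ALLOWED_ROOT:-/mnt/weblog}

    # The age must be a plain number, so an empty or mistyped argument
    # can never turn into "delete everything".
    case $minutes in
        ''|*[!0-9]*) echo "bad age: '$minutes'" >&2; return 2 ;;
    esac
    [ -n "$owner" ] || { echo "owner required" >&2; return 2; }

    # Resolve symlinks and ".." first, then require the result to be
    # ALLOWED_ROOT itself or a directory below it.
    real=$(cd "$dir" 2>/dev/null && pwd -P) || {
        echo "not a directory: $dir" >&2; return 2; }
    case $real/ in
        "$root"/*) ;;
        *) echo "refusing $real: outside $root" >&2; return 2 ;;
    esac

    # -xdev stays on one filesystem, -type f skips directories and
    # symlinks, -user limits removal to files owned by OWNER.
    find "$real" -xdev -type f -user "$owner" -mmin "+$minutes" \
        -print -exec rm -f -- {} + | wc -l | tr -d ' '
}

# Meant to be run by cron as the apache account itself, so root never
# touches the upload tree. /etc/cron.d files take a user field
# (per-user crontabs edited with "crontab -e" do not):
#   0 * * * * apache /usr/local/bin/purge-weblog.sh
# where that (hypothetical) script sources this function and calls:
#   purge_old_owned /mnt/weblog/tmp_iplg apache 1440
```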
Hi again!
About the security of allowing the apache user shell access: you can always deny user apache to log in remotely via ssh by placing the
DenyUsers apache
directive in the /etc/ssh/sshd_config file and then restarting the sshd service.

But another idea came to me, I tested it and it works OK:
1) First you allow the apache user to access the bash shell, either by manually editing the /etc/passwd file or by using usermod -s /bin/bash apache.
2) Then you make the cron job by issuing the command:
crontab -e
and placing the cron script in it, for example:
01 01 * * * rm -fr /mnt/weblog/*
which will erase the contents (but not the directory itself) of /mnt/weblog at 01:01 AM every day.
3) Deny shell access to apache again:
usermod -s /sbin/nologin apache

Et voila! The cron continues to run even though shell access has been denied to the apache user.

Author

Commented:
I already created the apache user.
But why does this command in crontab not run:

0 * * * * apache php /var/glx/bin/delete_tmp_file_hourly.php

while if I run it directly, after su to the apache user, it runs well: php /var/glx/bin/delete_tmp_file_hourly.php

Top Expert 2010

Commented:
If it's the root crontab you'll want:

0 * * * * su apache -c "php /var/glx/bin/delete_tmp_file_hourly.php" >/tmp/tst.log 2>&1

If it's the apache crontab you'll want:

0 * * * * php /var/glx/bin/delete_tmp_file_hourly.php >/tmp/tst.log 2>&1


Author

Commented:
@arober11:
0 * * * * su apache -c php /var/glx/bin/delete_tmp_file_hourly.php
This cron command does not seem to run?
Top Expert 2010

Commented:
As you're not redirecting the output to a log (which you should), is there anything in the root mailbox? As root, type mailx.

Author

Commented:
I do not need to redirect to the root mailbox?

And the crontab command does not run with root rights:
0 * * * * su apache -c php /var/glx/bin/delete_tmp_file_hourly.php
Top Expert 2010
Commented:
All un-redirected output from a cron job will be emailed to the owning user-id. As I believe the entry above is in the root crontab, it will end up in the root inbox.

Author

Commented:
It does not run, so it cannot send mail?
(If it ran, I would see the result in my logfile)
Author

Commented:
@ arober11:
I don't need mail in this case.
I only need the script to run with another account (for example apache),

and this command does not run:

0 * * * * su apache -c php /var/glx/bin/delete_tmp_file_hourly.php
Commented:
visudo

username hostname=/etc/init.d/httpd start, /etc/init.d/httpd stop, /etc/init.d/httpd restart, /sbin/service httpd restart

sudo /etc/init.d/httpd restart
