Rob van der Heij wrote:
On 7/11/06, John Summerfied <[EMAIL PROTECTED]> wrote:
Does "sudo service apache restart" work?
Don't see that on my SuSE system. There's rcapache but that is just a
symlink into /etc/init.d/apache so that does not buy anything. But as
I said, even if it were setting the PATH and what else you need done,
the security would be an illusion. The scripts are sourcing
configuration files so unless you also control those, it remains hard
to restrict access this way.
On RHL & derivatives, "service" is the "one true way" to run the init.d
scripts. I don't currently have a SUSE system to check for myself, but I
think it does have something.
Debian does, but it's got a long convoluted name I can never remember.
Have a look in /sbin, see if anything likely presents itself.
Don't get me wrong. I am a big fan of sudo. The automatic logging of
important commands is very useful to make you remember when you did
what, and sometimes why you did it. It also helps to educate
colleagues after you've been called in the middle of the night. I just
don't give much for restricting root access that way.
I'm happy with sudo, I'm just looking for a sane way to control it here.
I see the question of editing the contents of /etc/httpd (or whatever)
as entirely different from editing the contents of /etc/init.d; the
former doesn't provide an obvious way to run anything bad.
btw Apache doesn't _have_ to be run as root; you could tell the
developer he's running Apache as himself and using, say, port 3068.
Then, just don't use the standard scripts.
--
Cheers
John
-- spambait
[EMAIL PROTECTED] [EMAIL PROTECTED]
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
