Delegating Apache administration privileges

The following assumes a standard Debian Apache setup.

Create a group

First, catch your first-year.

$ sudo addgroup techteam-web
$ sudo adduser reallykeenfirstyear techteam-web

Give sudo privileges

$ sudo visudo

And add, in the appropriate places:

User_Alias      APACHE_ADMINS = %techteam-web
Cmnd_Alias      APACHE = /etc/init.d/apache2, \
                         /usr/sbin/a2enmod, /usr/sbin/a2dismod, \
                         /usr/sbin/a2ensite, /usr/sbin/a2dissite
APACHE_ADMINS   ALL = APACHE

Enable ACLs

This needs to be done only once per server.

This assumes an ext3 filesystem for / and /var; xfs filesystems, for instance, do not need 'acl' adding to the mount options.

$ sudo vim /etc/fstab   # and add ",acl" to the options of / and /var
$ sudo mount -o remount,acl /
$ sudo mount -o remount,acl /var
$ sudo aptitude install acl     # if not installed already

Grant file permissions

Note that the default ACLs below grant only rw, so any new directory created in either of these directory hierarchies will need x granted to the group again.

apache2

Allow write permissions on configuration files:

$ sudo setfacl -R -m g:techteam-web:rw -m d:g:techteam-web:rw /etc/apache2
$ sudo setfacl -m g:techteam-web:rwx /etc/apache2
$ sudo setfacl -m g:techteam-web:rwx /etc/apache2/conf.d
$ sudo setfacl -m g:techteam-web:rwx /etc/apache2/sites-available
$ sudo setfacl -m g:techteam-web:rwx /etc/apache2/sites-enabled
$ sudo setfacl -m g:techteam-web:rwx /etc/apache2/mods-available
$ sudo setfacl -m g:techteam-web:rwx /etc/apache2/mods-enabled

Allow read permissions on all log files:

$ sudo setfacl -R -m g:techteam-web:r -m d:g:techteam-web:r /var/log/apache2
$ sudo setfacl -m g:techteam-web:rx /var/log/apache2
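As an added check that is not part of the original page: this shell function audits the output of `getfacl -p -R` for the group granted above, reporting paths with no techteam-web entry and directories (those carrying default: entries) where the group lacks x, which is the situation the note about new directories refers to. The sample ACL text is constructed.

```shell
#!/bin/sh
# Example audit script (added here, not from the wiki page). Reads the text
# printed by `getfacl -p -R <path>` on stdin and checks the delegation above:
#   MISSING  path has no access ACL entry for the group at all
#   NOEXEC   path is a directory (it carries default: entries) but the group
#            lacks x, i.e. the rw-only default ACL was inherited by a new dir
# On a server: sudo getfacl -p -R /etc/apache2 | audit_acls techteam-web

# audit_acls GROUP: one line per finding on stdout; exit 1 if any were found.
audit_acls() {
    awk -v grp="$1" '
        function flush() {
            if (file == "") return
            if (perms == "")                { printf "MISSING %s\n", file; bad = 1 }
            else if (isdir && perms !~ /x/) { printf "NOEXEC  %s\n", file; bad = 1 }
            file = ""; perms = ""; isdir = 0
        }
        BEGIN                    { bad = 0 }
        /^# file: /              { flush(); file = substr($0, 9) }
        $0 ~ ("^group:" grp ":") { split($0, f, ":"); perms = f[3]; sub(/[ \t].*$/, "", perms) }
        /^default:/              { isdir = 1 }
        END                      { flush(); exit bad }'
}

# Constructed sample in getfacl -p format (owner/group comment lines omitted):
# two compliant entries, one new directory without x, one untouched file.
SAMPLE_ACLS='# file: /etc/apache2
user::rwx
group:techteam-web:rwx
other::r-x
default:group:techteam-web:rw-

# file: /etc/apache2/apache2.conf
user::rw-
group:techteam-web:rw-
other::r--

# file: /etc/apache2/sites-available/newdir
user::rwx
group:techteam-web:rw-
other::r-x
default:group:techteam-web:rw-

# file: /etc/apache2/envvars
user::rw-
other::r--'

# run_sample: audit the constructed sample; prints two findings and returns 1.
run_sample() { printf '%s\n' "$SAMPLE_ACLS" | audit_acls techteam-web; }
```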

libapache2-mod-suphp

Note that mod_suphp has its own config files:

$ sudo setfacl -R -m g:techteam-web:rw -m d:g:techteam-web:rw /etc/suphp
$ sudo setfacl -m g:techteam-web:rwx /etc/suphp

And log files:

$ sudo setfacl -R -m g:techteam-web:r -m d:g:techteam-web:r /var/log/suphp
$ sudo setfacl -m g:techteam-web:rx /var/log/suphp

squirrelmail

$ sudo setfacl -R -m g:techteam-web:rw -m d:g:techteam-web:rw /etc/squirrelmail
$ sudo setfacl -m g:techteam-web:rwx /etc/squirrelmail

phpbb2

$ sudo setfacl -R -m g:techteam-web:rw -m d:g:techteam-web:rw /etc/phpbb2
$ sudo setfacl -m g:techteam-web:rwx /etc/phpbb2


CategoryDelegation CategoryTechTeam

Wuglug Wiki: Apache/DelegatingPrivileges (last edited 2007-05-04 22:35:16 by 137)