×
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
  • Students Click Here

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

Jobs

About Apache2 with RBAC

About Apache2 with RBAC

About Apache2 with RBAC

(OP)
Hi all,
I'm trying to configure Apache2 with RBAC for reduce some privileges and run this service only with user webservd
...but the parent process (root) still exists!

my steps:

CODE

# svcadm -v disable -s apache2

# svccfg -s apache2
svc:/network/http:apache2> setprop start/user = astring: webservd
svc:/network/http:apache2> setprop start/group = astring: webservd
svc:/network/http:apache2> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache2> end

# svcadm -v refresh apache2

# svcprop apache2 | grep ^start
startd/ignore_error astring core,signal
start/exec astring /lib/svc/method/http-apache2\ start
start/timeout_seconds count 60
start/type astring method
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr


# svcadm -v enable -s apache2

# ps -ef | grep apache2
webservd  4205  4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
    root  4204     1 0 19:03:21 ? 0:00 /usr/apache2/bin/httpd -k start
webservd  4209  4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd  4208  4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd  4206  4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd  4207  4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
...and obviously...

CODE

# ppriv 4204
4204:    /usr/apache2/bin/httpd -k start
flags = <none>
    E: all
    I: basic
    P: all
    L: all
What's wrong?
Any idea?

PS: sorry about my english
 

RE: About Apache2 with RBAC

(OP)
Solved,

--- Now the user webservd has the ability to restart the service (with svcadm disable/restart..etc).

--- All Apache files, logs, conf., pid etc. are only owned by user webservd because I didn't created  other administrative roles (like svcadm or webdev)

--- Authorizations "sunw.smf.manage.http/apache2" and "sunw.smf.modify.application.http/apache2" have been applied to user webservd

CODE

# ps -ef | grep apache2
webservd  2599  2596   0 12:52:06 ?   0:00 /usr/apache2/bin/httpd -k start
webservd  2600  2596   0 12:52:06 ?   0:00 /usr/apache2/bin/httpd -k start
webservd  2597  2596   0 12:52:06 ?   0:00 /usr/apache2/bin/httpd -k start
webservd  2598  2596   0 12:52:06 ?   0:00 /usr/apache2/bin/httpd -k start
webservd  2601  2596   0 12:52:06 ?   0:00 /usr/apache2/bin/httpd -k start
webservd  2596     1   0 12:52:05 ?   0:00 /usr/apache2/bin/httpd -k start

# ppriv 2596
2596:   /usr/apache2/bin/httpd -k start
flags = <none>
        E: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        I: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        P: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        L: all

# netstat -naf inet | grep '*.80'
     *.80                 *.*                0      0 49152      0 LISTEN
 

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close