On 7/10/06, David Boyes <[EMAIL PROTECTED]> wrote:
> Use sudo and permit them to run the init script in /etc/init.d. Install the sudo package and 'man sudo'.

Be aware that sudo is only as secure as the command you let them invoke. When the customer also has write access to some of the configuration files (which you're probably forced to do, otherwise the need to restart is hard to justify) then they can make the script do anything they like.

While I have not looked at the apache boot script, with most of them it does not work because the script was supposed to run as root and expects the typical root environment (e.g. for the PATH). If you end up allowing them to do something like

    sudo sh -c '/etc/init.d/apache start'

The good thing about sudo is that it provides auditing. In some environments it works to let people invoke any command through sudo but request a justification afterwards if it's beyond the agreed commands.

Another option might be to provide the customer an easy interface to request actions like restarting a service. This way you avoid the open interfaces that allow for all kinds of tampering. You could host that interface on VM (and use SCIF) or another web server on the Linux server.

Rob
--
Rob van der Heij
Velocity Software, Inc
http://velocitysoftware.com/

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
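
The point above about write access to the script's configuration files can be checked before a sudo rule is granted. The following is an added example, not part of the original message: the function names, the `TRUSTED_UID` variable and the sample paths are assumptions, and the policy (only root may own the files, no group or world write) is deliberately conservative.

```shell
#!/bin/sh
# Added example: audit the files behind a sudo-permitted command.
# TRUSTED_UID is the only owner accepted (assumption: 0, i.e. root).
TRUSTED_UID="${TRUSTED_UID:-0}"

# Print the path if someone other than TRUSTED_UID could change it:
# wrong owner, or group/world write bit set. -L judges a symlink's target.
tamperable() {
    find -L "$1" -prune \
        \( ! -user "$TRUSTED_UID" -o -perm -0020 -o -perm -0002 \) \
        -print 2>/dev/null
}

# Check every file the privileged script depends on, plus its directory
# (write access to the directory allows replacing the file).
# Prints one line per finding; returns 1 if anything was found.
audit_sudo_target() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"
            rc=1
            continue
        fi
        for p in "$f" "$(dirname "$f")"; do
            if [ -n "$(tamperable "$p")" ]; then
                echo "UNSAFE $p"
                rc=1
            fi
        done
    done
    return $rc
}

# Usage (constructed sample paths; list the script and every file it reads):
#   audit_sudo_target /etc/init.d/apache /etc/apache/httpd.conf
```

A non-zero return means the sudo rule would effectively hand root to whoever can write the listed path.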