Re: starting apache

2006-07-11 Thread John Summerfied
Dominic Coulombe wrote: On 7/11/06, John Summerfied <[EMAIL PROTECTED]> wrote: Rob van der Heij wrote: On RHL & derivatives, "service" is the "one true way" to run the init.d scripts. I don't currently have a SUSE system to check for myself, but I think it does have something. You just ha

Re: starting apache

2006-07-11 Thread Post, Mark K
It seems that option appeared with version 1.6.8. It is available on SLE[SD] 10. Mark Post -Original Message- From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of Rob van der Heij Sent: Tuesday, July 11, 2006 2:42 AM To: LINUX-390@VM.MARIST.EDU Subject: Re: starting apache

Re: starting apache

2006-07-11 Thread Edmund R. MacKenty
On Tuesday 11 July 2006 02:41, Rob van der Heij wrote: >On 7/11/06, Rick Troth <[EMAIL PROTECTED]> wrote: >> Consider what Kris said about the '-i' flag on 'sudo'. > >It appears there's no such flag in the sudo that I have with SuSE so I >can't tell. I like using sudo to control root access for

Re: starting apache

2006-07-11 Thread Dominic Coulombe
On 7/11/06, John Summerfied <[EMAIL PROTECTED]> wrote: Rob van der Heij wrote: On RHL & derivatives, "service" is the "one true way" to run the init.d scripts. I don't currently have a SUSE system to check for myself, but I think it does have something. You just have to run rcapache restart

Re: starting apache

2006-07-11 Thread John Summerfied
Dominic Coulombe wrote: The C program is a good idea but : 1) remove the gcc and other build tools after the development ! 2) you will still need Tripwire to be sure nobody replaces your binary... or use a RR dasd. The SETUID bit is a good idea if you are sure that the binary is not modified

Re: starting apache

2006-07-11 Thread John Summerfied
Rob van der Heij wrote: On 7/11/06, Rick Troth <[EMAIL PROTECTED]> wrote: Consider what Kris said about the '-i' flag on 'sudo'. It appears there's no such flag in the sudo that I have with SuSE so I can't tell. It's fairly new: not in RHEL 4 or Fedora Core 3. I think SUSE 10 has it, D

Re: starting apache

2006-07-11 Thread John Summerfied
Rob van der Heij wrote: On 7/11/06, John Summerfied <[EMAIL PROTECTED]> wrote: Does "sudo service apache restart" work? Don't see that on my SuSE system. There's rcapache but that is just a symlink into /etc/init.d/apache so that does not buy anything. But as I said, even if it were setting

Re: starting apache

2006-07-11 Thread Dominic Coulombe
The C program is a good idea but : 1) remove the gcc and other build tools after the development ! 2) you will still need Tripwire to be sure nobody replaces your binary... or use a RR dasd. The SETUID bit is a good idea if you are sure that the binary is not modified by a malicious user. A q

Re: starting apache

2006-07-11 Thread Richard Troth
> Consider letting the user only execute your own hardened scripts > that do not require ANY environment variables - hardcode every > binary path - and do run Tripwire to verify that nobody alters the > critical files on the system. If you do not want to run Tripwire, > just put the scripts an

Re: starting apache

2006-07-11 Thread Dominic Coulombe
Hi, There is a lot of critical stuff in /sbin and /usr/sbin... First, you need to fully harden the Linux installation. The fewer packages you have, the better you are protected against vulnerabilities. I would definitely not let a non-admin user run the whole thing on these folders... I'm neit

Re: starting apache

2006-07-10 Thread Rob van der Heij
On 7/11/06, Rick Troth <[EMAIL PROTECTED]> wrote: Consider what Kris said about the '-i' flag on 'sudo'. It appears there's no such flag in the sudo that I have with SuSE so I can't tell. I believe my approach with coding su for one command is similar in effect? And even the auditing is as

Re: starting apache

2006-07-10 Thread Rick Troth
> I'd argue that these are bugs that should be fixed, not ignored. The > Debian init scripts function properly using sudo because they're > required to. Apparently the SuSE ones still need a little work. ... David ... Personally, I try to code for more robust behaviour, but I cannot fault SuSE

Re: starting apache

2006-07-10 Thread Rob van der Heij
On 7/11/06, John Summerfied <[EMAIL PROTECTED]> wrote: Does "sudo service apache restart" work? Don't see that on my SuSE system. There's rcapache but that is just a symlink into /etc/init.d/apache so that does not buy anything. But as I said, even if it were setting the PATH and what else you

Re: starting apache

2006-07-10 Thread John Summerfied
Rob van der Heij wrote: On 7/10/06, David Boyes <[EMAIL PROTECTED]> wrote: That's why you allow them only the init script. The init template provided with most distributions does not depend on the environment beyond the basics. If you let them run a shell in any form, then yes, you will lose.

Re: starting apache

2006-07-10 Thread John Summerfied
Dominic Coulombe wrote: Hi Alan, I would use "sudo" for this purpose. You can configure this user to execute only selected commands as root. The user only needs to provide his own password. Every attempt to run unallowed commands is reported (logged). You can allow the startup/shutdown script

Re: starting apache

2006-07-10 Thread David Boyes
> You made me double check, and I found I was indeed right... I was sure you would...8-) > [EMAIL PROTECTED]:~> sudo /etc/init.d/apache restart > Shutting down httpd/etc/init.d/apache: line 158: killproc: command not > found > > failed > Starting httpd [ Mailman PERL PHP4 Python ]/etc/init.d/ap

Re: starting apache

2006-07-10 Thread Kris Van Hees
Many problems with running scripts like this through sudo can often be solved by using the -i option to sudo, to force the script to run in a like-login environment for the user sudo is going to execute as (root in this case). Kris On Mon, Jul 10, 2006 at 02:18:13PM -0400, David Boyes wro

Re: starting apache

2006-07-10 Thread Rob van der Heij
On 7/10/06, David Boyes <[EMAIL PROTECTED]> wrote: That's why you allow them only the init script. The init template provided with most distributions does not depend on the environment beyond the basics. If you let them run a shell in any form, then yes, you will lose. You made me double check

Re: starting apache

2006-07-10 Thread Richard Troth
by: Linux on 390 Port 07/10/2006 01:56 PM Please respond to Linux on 390 Port From Rob van der Heij <[EMAIL PROTECTED]> To LINUX-390@VM.MARIST.EDU cc Subject Re: starting apache On 7/10/06, David Boyes <[EMAIL PROTECTED]> wrote: > That's why you allow them only the init

Re: starting apache

2006-07-10 Thread David Boyes
> While I have not looked at the apache boot script, with most of them > it does not work because the script was supposed to run as root and > expects the typical root environment (e.g. for the PATH). If you end > up allowing them to do something like sudo sh -c > '/etc/init.d/apache start' Tha

Re: starting apache

2006-07-10 Thread Rob van der Heij
On 7/10/06, David Boyes <[EMAIL PROTECTED]> wrote: Use sudo and permit them to run the init script in /etc/init.d. Install the sudo package and 'man sudo'. Be aware that sudo is only as secure as the command you let them invoke. When the customer also has write access to some of the configurat

Re: starting apache

2006-07-10 Thread Levy, Alan
I found it. Thanks to all. Alan Levy W: 718-403-8020 C: 347-401-4629 -Original Message- From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of David Boyes Sent: Monday, July 10, 2006 11:52 AM To: LINUX-390@VM.MARIST.EDU Subject: Re: starting apache It should be on your

Re: starting apache

2006-07-10 Thread David Boyes
It should be on your distribution media. > Where can I find sudo for s390 ? Is there an RPM somewhere ? -- For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LI

Re: starting apache

2006-07-10 Thread Dominic Coulombe
essage- From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of David Boyes Sent: Monday, July 10, 2006 11:42 AM To: LINUX-390@VM.MARIST.EDU Subject: Re: starting apache > One of my clients has a request that his users not be given root access > but should be allowed to stop/sta

Re: starting apache

2006-07-10 Thread Levy, Alan
Where can I find sudo for s390 ? Is there an RPM somewhere ? Alan Levy W: 718-403-8020 C: 347-401-4629 -Original Message- From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of David Boyes Sent: Monday, July 10, 2006 11:42 AM To: LINUX-390@VM.MARIST.EDU Subject: Re: starting

Re: starting apache

2006-07-10 Thread Dominic Coulombe
Hi Alan, I would use "sudo" for this purpose. You can configure this user to execute only selected commands as root. The user only needs to provide his own password. Every attempt to run unallowed commands is reported (logged). You can allow the startup/shutdown script to be run by this user,

Re: starting apache

2006-07-10 Thread David Boyes
> One of my clients has a request that his users not be given root access > but should be allowed to stop/start the httpd process. > Does anyone have any suggestions/documentation on how to do this ? Use sudo and permit them to run the init script in /etc/init.d. Install the sudo package and 'man

starting apache

2006-07-10 Thread Levy, Alan
One of my clients has a request that his users not be given root access but should be allowed to stop/start the httpd process. Does anyone have any suggestions/documentation on how to do this ? TIA -- For LINUX-

Incomplete YaST installation (Was: Starting apache problem)

2002-08-03 Thread Rob van der Heij
At 17:38 31-07-02 -0400, Post, Mark K wrote: >Install mm-1.1.3-35.s390.rpm off CD2 A popular way to get into this unpleasant situation is when the mount points for your SuSE ISO images do not match the original names that SuSE used. Each ISO image has a copy of an index that lists the packages

Re: FW: Starting apache problem (re-sent)

2002-08-02 Thread Rich Smrcina
> search of the archive never get an answer either. > > -Original Message- > From: Kittendorf, Craig [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, July 31, 2002 4:34 PM > To: [EMAIL PROTECTED] > Subject: Starting apache problem > > > I am installing the beta

Re: Starting apache problem

2002-08-02 Thread Kittendorf, Craig
Now I got your response, only two days later. Thanks, Craig -Original Message- From: Post, Mark K [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 31, 2002 5:39 PM To: [EMAIL PROTECTED] Subject: Re: Starting apache problem Install mm-1.1.3-35.s390.rpm off CD2. Mark Post

Starting apache problem

2002-08-02 Thread Kittendorf, Craig
I am installing the beta SuSE SLES. Trying to start apache I get the following: cdcl:~ # rcapache start Starting httpd [ LDAP PERL ] /usr/sbin/httpd: error while loading shared libraries: libmm.so.11: cannot load shared object file: No such file or directory unused cdcl:~

Re: Starting apache problem (re-sent)

2002-08-02 Thread Post, Mark K
, Alpha and SPARC - so it's available for all supported SuSE architectures except S/390. Mark Post -Original Message- From: Kittendorf, Craig [mailto:[EMAIL PROTECTED]] Sent: Friday, August 02, 2002 3:50 PM To: [EMAIL PROTECTED] Subject: FW: Starting apache problem (re-sent) Any on

FW: Starting apache problem (re-sent)

2002-08-02 Thread Kittendorf, Craig
TECTED] Subject: Starting apache problem I am installing the beta SuSE SLES. Trying to start apache I get the following: cdcl:~ # rcapache start Starting httpd [ LDAP PERL ] /usr/sbin/httpd: error while loading shared libraries: libmm.so.11: cannot load shared object file: No such fi

FW: Starting apache problem (re-sent)

2002-08-01 Thread Kittendorf, Craig
bject: Starting apache problem I am installing the beta SuSE SLES. Trying to start apache I get the following: cdcl:~ # rcapache start Starting httpd [ LDAP PERL ] /usr/sbin/httpd: error while loading shared libraries: libmm.so.11: cannot load shared object file: No such file or dire

Re: Starting apache problem

2002-07-31 Thread Stefan Gybas
Post, Mark K wrote: > Install mm-1.1.3-35.s390.rpm off CD2. This version has a temporary file vulnerability which can be exploited to gain root access. You should not install this version on a public web server since this race could be used in conjunction with a remote exploit for Apache (e.g. b

Re: Starting apache problem

2002-07-31 Thread Post, Mark K
Install mm-1.1.3-35.s390.rpm off CD2. Mark Post -Original Message- From: Kittendorf, Craig [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 31, 2002 4:34 PM To: [EMAIL PROTECTED] Subject: Starting apache problem I am installing the beta SuSE SLES. Trying to start apache I get the

Starting apache problem

2002-07-30 Thread Kittendorf, Craig
> I am installing the beta SuSE SLES. Trying to start apache I get the > following: > > cdcl:~ # rcapache start > Starting httpd [ LDAP PERL ] > > /usr/sbin/httpd: error while loading shared libraries: libmm.so.11: cannot > load > shared object file: No such file or directory > unused > cdcl:~ #