Recommended best practices or guides


Recommended best practices or guides

Niranjan Rao
Greeting,


On Ubuntu 18.04, Apache version 2.4.29, all packages installed from
standard repositories and no customization.


We have a need to allow a certain group of people to perform operations
such as start/stop/reload etc. Traditionally these operations are
performed using the sudo command, e.g. sudo service apache2 start. These
people don't need full sudo permissions. All they need is Apache-related
permissions. We can tinker with an entry in sudoers.d and grant the required
permissions - but permissions need to be granted to the "service" command


The root problem I am trying to solve is dynamically managing instances from
Amazon EC2 and adding/removing them from traffic. Right now we have a list
of balancer members and this list needs to be managed. This is a QA-related
activity where we start/stop instances as needed using a bunch of
scripts. Since the IP address keeps changing, we have to manage the balancer
configuration. We have not yet got around to automating balancer manager
operations and are looking for an easier way out.


Are there any recommended best practices or guides to allow these kinds
of granular permissions? My searches so far have revealed commands using
sudo.


Regards,


Niranjan




Re: Recommended best practices or guides

Martin Drescher-2
On 29.09.20 16:33, Niranjan Rao wrote:
> Greeting,
[...]
> Are there any recommended best practices or guides to allow these kinds of granular permissions? My searches so far have revealed commands using sudo.
>
>
> Regards,
>
>
> Niranjan

Unfortunately sudo supports no regular expressions. However, with wildcards, which do work in a sudoers file, you can construct almost any command you may need. It will not look pretty, but it will work.
Use Cmnd_Alias; avoid the asterisk!

--

 Martin



Re: Recommended best practices or guides

@lbutlr
In reply to this post by Niranjan Rao
On 29 Sep 2020, at 08:33, Niranjan Rao <[hidden email]> wrote:
> We have a need to allow certain group of people to perform operations such as start/stop/reload etc. Traditionally these operations are performed using sudo command e.g. sudo service apache2 start. These people don't need full sudo permissions. All they need is apache related permissions. We can tinker with an entry in sudoers.d and grant required permissions - but permissions need to be granted to "service" command

Write a command (a simple shell script) that executes the command you want to allow, for example, /usr/local/bin/starta2 => "sudo apache2 start", and grant the user access to that script in the sudoers file.

Repeat with other commands.

Make sure the script(s) is owned by root and has permissions 0700.

> Are there any recommended best practices or guides to allow these kinds of granular permissions? My searches so far has revealed commands using sudo.

Sudo is the way to do this, but to restrict specific commands to specific options, you have to do a little two-step.

I do something like this to allow an unprivileged user to start rsnapshot.



--
"He uses statistics as a drunken man uses lamp-posts... for support
        rather than illumination." - Andrew Lang (1844-1912)
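
The wrapper-plus-sudoers approach from this reply, combined with Martin's Cmnd_Alias advice in the previous one, as an added example that is not code from either poster: a fixed-purpose script that only ever runs the listed systemctl actions against the Apache unit, paired with the sudoers fragment that grants it. The install path /usr/local/sbin/a2ctl, the unit name apache2.service, the file /etc/sudoers.d/apache-ops and the group name webops are assumptions.

```shell
#!/bin/sh
# a2ctl: fixed-purpose wrapper for the Apache service actions a QA group is
# allowed to run. Added example; the path /usr/local/sbin/a2ctl, the group
# "webops" and the sudoers file name below are assumptions.
#
# Matching sudoers fragment, e.g. /etc/sudoers.d/apache-ops (mode 0440,
# checked with "visudo -cf <file>" before it is dropped in place):
#
#   Cmnd_Alias APACHE_CTL = /usr/local/sbin/a2ctl start,  \
#                           /usr/local/sbin/a2ctl stop,   \
#                           /usr/local/sbin/a2ctl reload, \
#                           /usr/local/sbin/a2ctl status
#   %webops ALL=(root) NOPASSWD: APACHE_CTL
#
# Every permitted argument is spelled out, so sudo itself refuses any other
# invocation ("a2ctl reload extra", a bare "a2ctl") and no "*" is needed; the
# allowlist in the script is a second line of defence, not the only one.
# Install the script as root:root with the restrictive mode lbutlr suggests;
# sudo runs it as root, so the group members need no direct access to it.

# Fixed search path: the caller's PATH and other environment are not trusted.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH
UNIT=apache2.service

# Translate one requested action into the exact command line that will run,
# printing it on stdout. Anything outside the allowlist returns 1 and prints
# nothing, so no caller-supplied text ever reaches systemctl.
a2ctl_command() {
    case "$1" in
        start|stop|reload|status)
            printf '%s\n' "systemctl $1 $UNIT"
            ;;
        *)
            return 1
            ;;
    esac
}

# Entry point when invoked with an argument (nothing runs when the file is
# loaded without one, which is how the checks at the end call the function).
if [ "$#" -gt 0 ]; then
    cmd=$(a2ctl_command "$1") || cmd=
    if [ "$#" -ne 1 ] || [ -z "$cmd" ]; then
        printf 'usage: a2ctl start|stop|reload|status\n' >&2
        exit 2
    fi
    # Audit trail in syslog: sudo exports SUDO_USER with the invoking account.
    logger -t a2ctl "user=${SUDO_USER:-unknown} action=$1"
    # $cmd is built from fixed words only, so unquoted splitting is intended.
    exec $cmd
fi
```

Usage from a group member is then `sudo /usr/local/sbin/a2ctl reload`; a different action, an extra argument, or a changed path is rejected by sudo before the script runs, and the script's own allowlist catches anything that reaches it by another route. Each exact argv should be listed in the alias rather than `/usr/local/sbin/a2ctl *`, since the wildcard would also match `a2ctl reload --something` and whatever the script did with it.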




Issues with proxypass

Daniel Armando Rodriguez
Hi there

I've been stuck with this problem for several days now.
The main website/DNS is hosted on a VPS, and the web server I want to reach is behind a remote IP:Port.
With the configuration below I get a permanent 302 and the traffic is redirected to www.domain.edu, even if I use, for example, the flag R=301. I also tried with P instead of R, but the result is still the same.
The remote server has ProxyPass configured because it is an application developed by a third party that works that way. Could the problem be there?
I really don't know where to look at this point; I'm dizzy.

<Macro MacroInternalApp ${RemoteAddress} ${DirApp1} ${DirApp2}>
<VirtualHost *:80>
    Serveralias sub.domain.edu

    ProxyPreserveHost On
    ProxyRequests Off
    RewriteEngine  on
    RewriteCond %{QUERY_STRING} (.*(?:^|&))(ai=InternalApp(?:\|\||\%7C\%7C))(110000003)((?:&|$).*)
    RewriteRule ^(${DirApp1}aplication.php)$  ${RemoteAddress}/$1?%1  [R]
    ProxyPassMatch ^(${DirApp1}(?:fwa|skins|img|css|temp|js|rest).*)$ "${RemoteAddress}/$1"  
    ProxyPassMatch ^(${DirApp2}(?:fwa|skins|img|css|temp|js|rest).*)$ "${RemoteAddress}/$1"
    ProxyPassReverse "/" "${RemoteAddress}/"

    ErrorLog ${APACHE_LOG_DIR}/error_InternalApp.log
    CustomLog ${APACHE_LOG_DIR}/access_InternalApp.log combined

</VirtualHost>
</Macro>

Use MacroInternalApp http://1.2.3.4:8081 /App/1/Dir/ /App/2/Dir/
UndefMacro MacroInternalApp


Thanks in advance


_______________________________________________
Daniel A. Rodriguez
Departamento de Tecnología para la Gestión
Escuela Provincial de Educación Técnica N° 1
Posadas - Misiones - Argentina
(0376) 443-8578
www.epet1.edu.ar