Does anyone have another idea for giving an apache module the ability to have root access to /dev/ttyS0, without compromising the box?
Have you looked at apache suEXEC support? More info at:
http://httpd.apache.org/docs/1.3/suexec.html
Not sure if this is what you want, but using /etc/sudoers strikes me as odd. :)
Odd, yes, but it works. I was unaware of suEXEC. Ouch! It requires recompiling Apache. I should have clarified that I eventually want to market this application to people who are not able to recompile Apache.
A little more research just revealed that the '*' flag at the end of the sudoers line will allow me to pass variables on the command line. Thus I do not need the /tmp file.
This is the simplicity I'm looking for. Now it's down to two scripts and an entry in sudoers. Eliminating the /tmp file has eased my headache, although I still need to filter the variables coming in.
Thanks, Kyle. suEXEC will be useful for a server with multiple users needing this capability, but that is a little ways down the line yet.
-Jared
what is wrong with simply altering the permissions on the modem line? Or adding apache user to the uucp group?
David Nicol wrote:
what is wrong with simply altering the permissions on the modem line? Or adding apache user to the uucp group?
Hmmm. I tried both suggestions early on. Although I got a little further with the first, neither one worked.
Apparently there were more permissions involved than just the modem port, and I'm kinda stupid. Yet simply running the script as root worked. I'll look again at these options, as they are more elegant than what I have now.
-Jared
Ouch! It requires recompiling Apache.
Are you sure it requires recompiling? On most distros it should be a default module. In Debian I found it precompiled at: /usr/lib/apache2/modules/mod_suexec.so
Apache's docs are distro-agnostic and harken back to the days when every howto told you how to patch and recompile the kernel. (Those things persisted long after the modular kernel made it unnecessary.)
Aha! The plot thickens. Thank you, Jonathan. Indeed, I read the Apache docs and bailed on the idea because they mentioned recompiling. In fact, the module exists, at the same location you described, on a Gentoo box.
I think I can tinker with Kyle's proposal after all, as it appears that mod_suexec is ubiquitous.
Thank you, all who responded. I learned a lot, and now have three valid solutions to the problem.
-Jared
On Tuesday 20 March 2007 04:15:58 pm Jared wrote:
I should have clarified that I eventually want to market this application to people who are not able to recompile Apache.
In that case, you definitely want to find another way to give apache access to the port, preferably using a group membership.
Odd, yes, but it works. I was unaware of suEXEC. Ouch! It requires recompiling Apache. I should have clarified that I eventually want to market this application to people who are not able to recompile Apache.
Are you sure it requires recompiling? On most distros it should be a default module. In Debian I found it precomiled at:
/usr/lib/apache2/modules/mod_suexec.so
On Tuesday 20 March 2007 04:22:22 pm Kyle Sexton wrote:
Ouch! It requires recompiling Apache.
Are you sure it requires recompiling? On most distros it should be a default module. In Debian I found it precomiled at:
/usr/lib/apache2/modules/mod_suexec.so
Apache's docs are distro-agnostic and harken back to the days when every howto told you how to patch and recompile the kernel. (Those things persisted long after the modular kernel made it unnecessary.)
-
David Nicol -
Jared -
Jonathan Hutchins -
Kyle Sexton