Restart or reload Apache as "www-data" user
Since httpd binds to port 80 and 443, which are reserved, you need root privileges to restart them. That means that the user www-data does not have sufficient rights to do so.
So what you need to do is to allow the user www-data to run this command as root. You do that by adding this line to your sudo config (or to a separate file in /etc/sudoers.d, if your system uses that):
www-data ALL = (root) NOPASSWD: /etc/init.d/apache2 reload
Your www-data user will now be able to run this single command as root. You'll need to edit your script so that it contains
sudo /etc/init.d/apache2 reload
instead of just
/etc/init.d/apache2 reload.
It is possible that your system is configured to require a tty when using sudo. This is often done specifically to prevent scripts using sudo, since that is an attack vector. If that is the case, your sudoers file needs to be slightly more complex:
Cmnd_Alias APACHERELOAD = /etc/init.d/apache2 reload
Defaults!APACHERELOAD !requiretty
www-data ALL = (root) NOPASSWD: APACHERELOAD
This means that only the command /etc/init.d/apache2 reload can be run without a tty being required.
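
Added example (not part of the original answer): a small Python check that contrasts the rule from the question, which lists /etc/init.d/apache2 without arguments, with the answer's rule pinned to "reload". In sudoers a command listed without arguments may be run with any arguments, so the first form also permits stop, start and restart. The sample text and the function names audit() and classify() are constructed for illustration; the parser handles only single-line NOPASSWD rules and Cmnd_Alias definitions.

```python
import re

# Constructed sample: the rule from the question followed by the answer's rules.
SAMPLE = """\
www-data ALL = NOPASSWD: /etc/init.d/apache2
Cmnd_Alias APACHERELOAD = /etc/init.d/apache2 reload
Defaults!APACHERELOAD !requiretty
www-data ALL = (root) NOPASSWD: APACHERELOAD
"""

ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?NOPASSWD:\s*(.+)$")


def classify(cmd):
    """Describe how tightly one sudoers command specification is pinned."""
    path, _, args = cmd.partition(" ")
    if path == "ALL":
        return "any command"
    if not path.startswith("/"):
        return "unresolved alias or non-absolute path"
    if path.endswith("/"):
        return "whole directory"
    if not args.strip():
        # sudoers: a command listed without arguments accepts ANY arguments
        return "any arguments allowed"
    if "*" in args or "?" in args:
        return "wildcard in arguments"
    return "pinned"


def audit(text):
    """Return (line_no, user, command, finding) for every NOPASSWD command."""
    lines = [line.strip() for line in text.splitlines()]
    aliases = {}
    for line in lines:  # first pass: collect Cmnd_Alias definitions
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    results = []
    for no, line in enumerate(lines, 1):  # second pass: expand and classify rules
        m = RULE.match(line)
        if not m or line.startswith("#"):
            continue
        for item in (c.strip() for c in m.group(3).split(",")):
            for cmd in aliases.get(item, [item]):
                results.append((no, m.group(1), cmd, classify(cmd)))
    return results
```

Running audit(SAMPLE) reports the question's rule as "any arguments allowed" and the answer's aliased rule as "pinned".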
bolino
Updated on September 18, 2022
Comments
-
bolino over 1 year
I have a webhook script written in Python on my Debian/Apache2.4 server, so that it runs a deploy .sh script when pushing on GitHub. So, the script is executed by the standard Apache user "www-data". My script needs to restart or reload Apache, but the output says the user doesn't have the permission to do so:
Reloading apache2 configuration (via systemctl): apache2.serviceFailed to reload apache2.service: Access denied
Same behaviour when doing it manually as www-data (sudo -u www-data /etc/init.d/apache2 reload).
So I tried to make "www-data" have permissions to reload or restart Apache by adding the following line to my visudo:
www-data ALL = NOPASSWD: /etc/init.d/apache2
(according to this doc).
But it doesn't change anything. Why? Is it because Apache can't reload itself? How can I change the permissions to do so? Or do I need the script to be executed by another user, and how?
-
bolino almost 6 years
Thanks for this explicative and complete answer. I just tried everything you said (including a reboot after editing sudoers), but I still get the same "access denied" error when trying to sudo -u www-data /etc/init.d/apache2 reload.
-
Jenny D almost 6 years
Check the system log for error messages from sudo. Also for messages from selinux.
-
bolino almost 6 years
System log says: "[system] Rejected send message, 2 matched rules; type="method_call", sender=":1.12" (uid=33 pid=3134 comm="systemctl reload apache2.service ") interface="org.freedesktop.systemd1.Manager" member="ReloadUnit" error name="(unset)" requested_reply="0" destination="org.freedesktop.systemd1" (uid=0 pid=1 comm="/sbin/init ")". Could it be because it is launched by a different uid than root's uid?
-
bolino almost 6 years
It actually works, sorry. There was an error in my sudoers files about the tty. Thanks a lot!
-
Jenny D almost 6 years
Glad it worked for you!