Restart or reload Apache as "www-data" user


Since httpd binds to port 80 and 443, which are reserved, you need root privileges to restart them. That means that the user www-data does not have sufficient rights to do so.

So what you need to do is to allow the user www-data to run this command as root. You do that by adding this line to your sudo config (or to a separate file in /etc/sudoers.d, if your system uses that):

www-data ALL = (root) NOPASSWD: /etc/init.d/apache2 reload

Your www-data user will now be able to run this single command as root. You'll need to edit your script so that it contains

sudo /etc/init.d/apache2 reload

instead of just

/etc/init.d/apache2 reload.

It is possible that your system is configured to require a tty when using sudo. This is often done specifically to prevent scripts using sudo, since that is an attack vector. If that is the case, your sudoers file needs to be slightly more complex:

Cmnd_Alias APACHERELOAD = /etc/init.d/apache2 reload
Defaults!APACHERELOAD !requiretty
www-data ALL = (root) NOPASSWD: APACHERELOAD

This means that only the command /etc/init.d/apache2 reload can be run without a tty being required.
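As an added example, not code from the question or the answer above, here is the kind of small Python webhook receiver the question describes, written so that the only thing it ever hands to sudo is the single command the sudoers rule permits. It also verifies GitHub's X-Hub-Signature-256 header first, which the page does not discuss but which matters once www-data can reload Apache: an unauthenticated request must never reach sudo. The secret file path, the WSGI entry point and the runner parameter are assumptions; the runner exists only so the reload step can be exercised without sudo installed.

```python
"""Added example: GitHub webhook receiver that reloads Apache through the
single sudo rule granted to www-data. Not code from the question or answer."""
import hashlib
import hmac
import subprocess
from typing import Callable, Optional, Tuple

# Must match the sudoers entry exactly: sudo compares the full argument list,
# so "restart" or an extra flag would be refused. "-n" (non-interactive) makes
# sudo fail immediately instead of waiting for a password or a tty, which is
# what a script invoked by Apache wants.
APACHE_RELOAD_CMD = ["sudo", "-n", "/etc/init.d/apache2", "reload"]

# Assumed location of the shared webhook secret; keep it in a file readable
# only by www-data, not inside the repository being deployed.
SECRET_FILE = "/etc/webhook.secret"


def github_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_github_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Constant-time comparison; a missing or malformed header is rejected."""
    if not header or not header.startswith("sha256="):
        return False
    expected = github_signature(secret, body)
    return hmac.compare_digest(expected.encode(), header.encode())


def reload_apache(runner: Callable = subprocess.run) -> bool:
    """Invoke exactly the command sudoers allows. Returns False on any non-zero
    exit (rule missing, requiretty still in force, Apache config error)."""
    result = runner(APACHE_RELOAD_CMD, capture_output=True, text=True)
    return result.returncode == 0


def handle_webhook(secret: bytes, body: bytes, signature_header: Optional[str],
                   runner: Callable = subprocess.run) -> Tuple[int, str]:
    """Authenticate first, reload second."""
    if not verify_github_signature(secret, body, signature_header):
        return 403, "bad signature"
    if not reload_apache(runner):
        return 500, "reload failed"
    return 200, "reloaded"


def application(environ, start_response):
    """WSGI entry point (for example under mod_wsgi, running as www-data)."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Content-Type", "text/plain")])
        return [b"POST only\n"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length)
    with open(SECRET_FILE, "rb") as fh:
        secret = fh.read().strip()
    status, message = handle_webhook(secret, body, environ.get("HTTP_X_HUB_SIGNATURE_256"))
    reason = {200: "OK", 403: "Forbidden", 500: "Internal Server Error"}[status]
    start_response(f"{status} {reason}", [("Content-Type", "text/plain")])
    return [message.encode() + b"\n"]
```

Because the argument list is a fixed constant rather than built from request data, nothing in the webhook payload can change what sudo is asked to run, and the sudoers rule and the script stay in agreement on the one permitted command.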

Author: bolino

Updated on September 18, 2022

Comments

  • bolino
    bolino over 1 year

    I have a webhook script written in Python on my Debian/Apache2.4 server, so that it runs a deploy .sh script when pushing on GitHub. So, the script is executed by standard Apache user "www-data". My script needs to restart or reload Apache, but the output says user doesn't have the permission to do so: Reloading apache2 configuration (via systemctl): apache2.service / Failed to reload apache2.service: Access denied. Same behaviour when doing it manually as www-data (sudo -u www-data /etc/init.d/apache2 reload).

    So I tried to give "www-data" permission to reload or restart Apache by adding the following line via visudo: www-data ALL = NOPASSWD: /etc/init.d/apache2 (according to this doc).

    But it doesn't change anything. Why? Is it because Apache can't reload itself? How can I change the permissions to do so? Or do I need the script to be executed by another user, and how?

  • bolino
    bolino almost 6 years
    Thanks for this explicative and complete answer. I just tried everything you said (including a reboot after editing sudoers), but I still get the same "access denied" error when trying to sudo -u www-data /etc/init.d/apache2 reload.
  • Jenny D
    Jenny D almost 6 years
    Check the systems log for error messages from sudo. Also for messages from selinux.
  • bolino
    bolino almost 6 years
    System log says: "[system] Rejected send message, 2 matched rules; type="method_call", sender=":1.12" (uid=33 pid=3134 comm="systemctl reload apache2.service ") interface="org.freedesktop.systemd1.Manager" member="ReloadUnit" error name="(unset)" requested_reply="0" destination="org.freedesktop.systemd1" (uid=0 pid=1 comm="/sbin/init ")". Could it be because it is launched by a different uid than the root's uid?
  • bolino
    bolino almost 6 years
    It actually works, sorry. There was an error in my sudoers files about the tty. Thanks a lot!
  • Jenny D
    Jenny D almost 6 years
    Glad it worked for you!