Sudo is a common tool on Linux that lets ordinary users run commands with superuser permissions. By default, Ubuntu disables root login; you can switch to root with sudo -i. If only the www users should be allowed to restart the apache service, you can configure /etc/sudoers. The modifications below implement this requirement.
You can modify /etc/sudoers with visudo. The advantage is that if a rule you write does not meet the syntax requirements, it prompts you. The disadvantage is that it calls up the nano editor, which is quite awkward to use. As a personal preference, I use javasdo -f /etc/sudoers to open the configuration.
First, check the default sudoers configuration of Ubuntu. The content is as follows.
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Then add several aliases. They make the permission rules below easier to write, because each rule can refer to an alias instead of repeating a long list.
# Host alias specification
Host_Alias SERVER = 192.168.188.115
# User alias specification
User_Alias USER_FLAG = www, tomcat
# Cmnd alias specification
# sudoers requires fully qualified command paths; on Ubuntu, service is /usr/sbin/service
Cmnd_Alias RESTARTAPACHE = /usr/sbin/service apache2 restart
Cmnd_Alias STOPAPACHE = /usr/sbin/service apache2 stop
Cmnd_Alias STARTAPACHE = /usr/sbin/service apache2 start
Configure the execution permission.
# User privilege specification
root ALL=(ALL:ALL) ALL
USER_FLAG SERVER = RESTARTAPACHE, STOPAPACHE, STARTAPACHE
Finally, add a logging setting so that sudo records the commands each user runs.
Defaults@SERVER log_host, logfile=/var/log/sudo.log
View configuration results:
root@ubuntu:~# su - tomcat
tomcat@ubuntu:~$ sudo service apache2 stop
[sudo] password for tomcat:
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
tomcat@ubuntu:~$ ps -ef | grep apache
tomcat 26247 1 0 ? 00:01:38 /usr/lib/jvm/jdk1.7.0_45//bin/java -Djava.util.logging.config.file=/usr/local/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -server -Xms800M -Xmx1024M -XX:MaxPermSize=512M -Dfile.encoding=utf-8 -Djava.endorsed.dirs=/usr/local/tomcat7/endorsed -classpath /usr/local/tomcat7/bin/bootstrap.jar:/usr/local/tomcat7/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat7 -Dcatalina.home=/usr/local/tomcat7 -Djava.io.tmpdir=/usr/local/tomcat7/temp org.apache.catalina.startup.Bootstrap start
tomcat 27905 27848 0 00:00:00 pts/0 grep apache
tomcat@ubuntu:~$ sudo service apache2 start
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
tomcat@ubuntu:~$ ps -ef | grep apache
tomcat 26247 1 0 ? 00:01:38 /usr/lib/jvm/jdk1.7.0_45//bin/java -Djava.util.logging.config.file=/usr/local/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -server -Xms800M -Xmx1024M -XX:MaxPermSize=512M -Dfile.encoding=utf-8 -Djava.endorsed.dirs=/usr/local/tomcat7/endorsed -classpath /usr/local/tomcat7/bin/bootstrap.jar:/usr/local/tomcat7/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat7 -Dcatalina.home=/usr/local/tomcat7 -Djava.io.tmpdir=/usr/local/tomcat7/temp org.apache.catalina.startup.Bootstrap start
root 27910 1 0 11:35 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27911 27910 0 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27912 27910 0 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27913 27910 0 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27914 27910 0 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27915 27910 0 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
tomcat 27917 27848 0 00:00:00 pts/0 grep apache
tomcat@ubuntu:~$ sudo -i
Sorry, user tomcat is not allowed to execute '/bin/bash' as root on ubuntu.
tomcat@ubuntu:~$ logout
root@ubuntu:~# more /var/log/sudo.log
May 11 11:35:42 : tomcat : HOST=ubuntu : TTY=pts/0 ; PWD=/home/tomcat ;
    USER=root ; COMMAND=service apache2 stop
May 11 11:35:49 : tomcat : HOST=ubuntu : TTY=pts/0 ; PWD=/home/tomcat ;
    USER=root ; COMMAND=service apache2 start
May 11 11:35:54 : tomcat : HOST=ubuntu : command not allowed ; TTY=pts/0 ;
    PWD=/home/tomcat ; USER=root ; COMMAND=/bin/bash
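The log file configured above wraps long entries onto indented continuation lines, which makes a plain grep for refused commands unreliable. The following is an added example, not part of the original article: it rejoins wrapped entries and picks out the ones sudo refused. The function names are hypothetical and the sample log is constructed in the same layout as the output shown above.

```python
import re

# Constructed sample in the layout sudo writes to its logfile when log_host is
# set; long entries wrap onto indented continuation lines.
SAMPLE_LOG = """\
May 11 11:35:42 : tomcat : HOST=ubuntu : TTY=pts/0 ; PWD=/home/tomcat ;
    USER=root ; COMMAND=/usr/sbin/service apache2 stop
May 11 11:35:54 : tomcat : HOST=ubuntu : command not allowed ; TTY=pts/0 ;
    PWD=/home/tomcat ; USER=root ; COMMAND=/bin/bash
"""

ENTRY = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s*:\s+(\S+)\s+:\s+(.*)$")
FIELD_SEP = re.compile(r"\s+[;:](?:\s+|$)")

def join_wrapped(text):
    """Merge indented continuation lines back into one line per entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    return entries

def parse_sudo_log(text):
    """Return one dict per entry; 'reason' is set when sudo refused or warned."""
    events = []
    for entry in join_wrapped(text):
        match = ENTRY.match(entry)
        if not match:
            continue  # not a sudo logfile entry
        when, user, rest = match.groups()
        # COMMAND= comes last and may itself contain ';' or ':'.
        head, _, command = rest.partition("COMMAND=")
        event = {"time": when, "user": user, "command": command, "reason": None}
        for part in filter(None, FIELD_SEP.split(head.strip())):
            key, sep, value = part.partition("=")
            if sep and key.isupper():
                event[key] = value  # HOST, TTY, PWD, USER
            else:
                event["reason"] = part  # free text such as "command not allowed"
        events.append(event)
    return events

def denied(events):
    """Entries carrying a refusal or warning message from sudo."""
    return [e for e in events if e["reason"] is not None]
```

Calling denied(parse_sudo_log(open("/var/log/sudo.log").read())) on the server lists every refused attempt with its user, host and command.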