2.4.4 Operation by general user account
For HTTP Server, normal operation is assumed to be operation by the superuser.
When HTTP Server is installed, various settings are configured for operation by the superuser.
Thus, when users other than the superuser (hereafter referred to as general users) operate HTTP Server, they need to change the settings file for HTTP Server and settings in related directories and files. For some functionality in HTTP Server, some operations are restricted from general users.
This section describes the differences between the superuser and general users, and methods to create an environment for general users to operate HTTP Server, and the restrictions thereof.
- Organization of this subsection
(1) Permissions for each process
The following table lists the permissions of each process for operation by the superuser or general users.
No. |
Process |
Operation by the superuser |
Operation by general users |
---|---|---|---|
1 |
Control process |
Superuser |
General user |
2 |
rotatelogs and rotatelogs2 processes |
||
3 |
Server process |
Users or groups specified in the User and Group directives |
|
4 |
CGI process |
(2) Differences between the superuser and general users in UNIX
In UNIX, unlike general users, the superuser has system administrator permissions. The following table lists examples of the differences between the superuser and general users in UNIX.
No. |
Item |
Superuser |
General user |
---|---|---|---|
1 |
Can stop processes that were started by users? |
Yes |
No |
2 |
Can open well-known ports (ports 1023 and lower)? |
Yes |
No |
3 |
Can access files that do not explicitly have read or write permissions? |
Yes |
No |
If a general user operates HTTP Server, because the control process in HTTP Server operates with general user permission, the behavior in this case might differ from operation by the superuser. Therefore, if a general user operates HTTP Server, the user needs to create an environment while considering the differences with the superuser.
(3) Changing resource owners and groups
In UNIX, you can change resource owners and groups for content and settings files for HTTP Server, and for files and directories accessed by HTTP Server during operation.
At the minimum, you will need to change the resources under the installation directory (/opt/hitachi/httpsd).
If you want to restore resource owners and groups to the previous settings, save the owners and groups for the current resources before making changes.
The superuser can save owners and groups. The following is an example of how to do this.
Example:
For the resources under the /opt/hitachi/httpsd directory, create a list of owners and groups.
ls -laR /opt/hitachi/httpsd
The superuser can change owners and groups. The following is an example of how to do this.
Example:
For the resources under the /opt/hitachi/httpsd directory, change the owner (hwsuser) and the group.
chown -R hwsuser:hwsgroup /opt/hitachi/httpsd
(4) Starting httpsd
Use the general user who operates HTTP Server to start httpsd.
To stop or restart httpsd, use the general user who started httpsd.
(5) Restrictions
The commands below cannot be operated by general users. Operate these commands as the superuser.
-
htpasswd
-
hwscollect
-
hwsserveredit
-
logresolve
-
openssl.sh
In operation by general users, the following directives cannot be specified. Any directive specified by general users is ignored.
-
Group
-
User
In operation by general users, well-known ports (ports 1023 and lower) cannot be opened.
Be careful when specifying the port number in the following directives:
-
Listen
-
Port