Step 1 Stop Apache and Coldfusion.
[root] # svcadm -v disable -s apache2
[root] # /etc/init.d/coldfusionmx7 stop
Step 2 Create separate Administrative Role
[root] # roleadd -g webservd -d /home/webadm -m webadm
[root] # passwd webadm
New Password:
Re-enter new Password:
Passwd: password successfully changed for webadm
[root] # usermod -R webadm mbaxter
Step 3 Create authorizations for webadm.
Add the following lines to the /etc/security/auth_attr file with vi:
[root] # vi /etc/security/auth_attr
sunw.*:::Custom Authorizations::
sunw.grant:::Grant Custom Authorizations::
sunw.smf.manage.http/apache2:::Manage the Apache2 Service::
sunw.smf.modify.application.http/apache2:::Modify the Apache2 Application Properties::
Assign the new authorizations to the root user by editing /etc/user_attr:
[root] # vi /etc/user_attr
root::::auths=solaris.*,solaris.grant,sunw.*,sunw.grant;profiles=Web Console Management,All;lock_after_retries=no
Step 4 Grant SMF-Specific authorizations to webadm
[root] # rolemod -A sunw.smf.manage.http/apache2,sunw.smf.modify.application.http/apache2 webadm
Step 5 Configure Apache2 with reduced privileges and required authorizations.
[root] # svccfg -s apache2
Set the new authorization properties:
svc:/network/http:apache2> setprop httpd/value_authorization = astring: sunw.smf.modify.application.http/apache2
svc:/network/http:apache2> setprop general/action_authorization = astring: sunw.smf.manage.http/apache2
svc:/network/http:apache2> setprop general/value_authorization = astring: sunw.smf.manage.http/apache2
Configure reduced privileges:
svc:/network/http:apache2> setprop start/user = astring: webservd
svc:/network/http:apache2> setprop start/group = astring: webservd
svc:/network/http:apache2> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache2> setprop start/limit_privileges = astring: :default
svc:/network/http:apache2> setprop start/use_profile = boolean: false
svc:/network/http:apache2> setprop start/supp_groups = astring: :default
svc:/network/http:apache2> setprop start/working_directory = astring: :default
svc:/network/http:apache2> setprop start/project = astring: :default
svc:/network/http:apache2> setprop start/resource_pool = astring: :default
svc:/network/http:apache2> end
[root] # svcadm -v refresh apache2
Action refresh set for svc:/network/http:apache2.
Step 6 Change ownership of log files.
[root] # cd /var/apache2/logs
[root] # chown webservd:webservd access_log error_log
Step 7 Configure Pidfile and Lockfile location.
[root] # mkdir -p /var/apache2/run
[root] # chown webservd:webservd /var/apache2/run
[root] # vi /etc/apache2/httpd.conf
Make these changes:
LockFile /var/apache2/logs/accept.lock
PidFile /var/apache2/run/httpd.pid
Step 8 Create Coldfusion Profile by editing /etc/security/prof_attr with vi
[root] # vi /etc/security/prof_attr
Coldfusion Management:::Coldfusion Management Profile:
Step 9 Create Coldfusion executable attributes by editing /etc/security/exec_attr with vi
[root] # vi /etc/security/exec_attr
Coldfusion Management:solaris:cmd:::/etc/init.d/coldfusionmx7:uid=0
Step 10 Add Coldfusion Profile to webadm
[root] # rolemod -P "Coldfusion Management" webadm
Step 11 Change ownership of /etc/apache2 to webadm
[root] # chown -R webadm:webservd /etc/apache2
Step 12 Test configurations:
disabled - 14:41:05 - svc:/network/http:apache2
[root] # su - webadm
[webadm] # svcadm -v enable -s apache2
[webadm] # svcs -v apache2
online - Sep_21 112 svc:/network/http:apache2
[webadm] # /etc/init.d/coldfusionmx7 start
Step 13 Add users to webadm role.
[root] # usermod -R webadm mbaxter
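As an added check that is not part of the original post: a POSIX shell script that validates the RBAC database lines and the SMF privilege string used in the steps above before they are committed to a live system. It verifies the field counts of the auth_attr, prof_attr and exec_attr entries, that the exec_attr command path is absolute, that the apache2 start privilege set is built on `basic`, keeps `net_privaddr` (needed for port 80) and drops `proc_session`, `proc_info` and `file_link_any`, and that every authorization granted to webadm with `rolemod -A` is actually defined in auth_attr. The sample lines are constructed copies of the ones in the post, the function names are mine, and nothing here calls svccfg, rolemod or svcadm, so it runs on any system with sh and awk.

```shell
#!/bin/sh
# Added example: offline sanity checks for the RBAC/SMF settings in the steps
# above. Parses the file formats only; never touches the live databases.

# Constructed copies of the lines from the post (not read from a live system).
AUTH_ATTR_LINES='sunw.*:::Custom Authorizations::
sunw.grant:::Grant Custom Authorizations::
sunw.smf.manage.http/apache2:::Manage the Apache2 Service::
sunw.smf.modify.application.http/apache2:::Modify the Apache2 Application Properties::'
PROF_ATTR_LINE='Coldfusion Management:::Coldfusion Management Profile:'
EXEC_ATTR_LINE='Coldfusion Management:solaris:cmd:::/etc/init.d/coldfusionmx7:uid=0'
APACHE_PRIVS='basic,!proc_session,!proc_info,!file_link_any,net_privaddr'
ROLE_AUTHS='sunw.smf.manage.http/apache2,sunw.smf.modify.application.http/apache2'

# Number of colon-separated fields on one line.
field_count() {
    printf '%s\n' "$1" | awk -F: '{ print NF }'
}

# auth_attr(4): name:res1:res2:short_desc:long_desc:attr  (6 fields)
check_auth_attr() {
    [ "$(field_count "$1")" -eq 6 ]
}

# prof_attr(4): profname:res1:res2:desc:attr  (5 fields)
check_prof_attr() {
    [ "$(field_count "$1")" -eq 5 ]
}

# exec_attr(4): profname:policy:type:res1:res2:id:attr  (7 fields);
# for type cmd the id must be an absolute path, otherwise the uid=0
# attribute would apply to whatever matches a relative name.
check_exec_attr() {
    [ "$(field_count "$1")" -eq 7 ] || return 1
    etype=$(printf '%s\n' "$1" | cut -d: -f3)
    eid=$(printf '%s\n' "$1" | cut -d: -f6)
    [ "$etype" = "cmd" ] && [ "${eid#/}" != "$eid" ]
}

# Privilege string for the apache2 start method: based on the basic set,
# net_privaddr retained, the three basic privileges the post removes negated,
# and never the full "all" set.
check_apache_privs() {
    p=",$1,"
    case "$p" in *,all,*) return 1 ;; esac
    case "$p" in *,basic,*) ;; *) return 1 ;; esac
    case "$p" in *,net_privaddr,*) ;; *) return 1 ;; esac
    for dropped in proc_session proc_info file_link_any; do
        case "$p" in *",!$dropped,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Every authorization handed to the role with rolemod -A must be defined
# in auth_attr, or the grant is silently meaningless.
check_role_auths() {
    defined=$(printf '%s\n' "$AUTH_ATTR_LINES" | cut -d: -f1)
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r a; do
        printf '%s\n' "$defined" | grep -qxF -- "$a" || exit 1
    done
}

# Run every check over the constructed lines; status 0 only if all pass.
check_all() {
    printf '%s\n' "$AUTH_ATTR_LINES" | while IFS= read -r line; do
        check_auth_attr "$line" || exit 1
    done || return 1
    check_prof_attr "$PROF_ATTR_LINE" || return 1
    check_exec_attr "$EXEC_ATTR_LINE" || return 1
    check_apache_privs "$APACHE_PRIVS" || return 1
    check_role_auths "$ROLE_AUTHS" || return 1
    echo "all RBAC/SMF lines pass"
}

check_all
```

Run it before editing the real files; a non-zero exit from `check_all` points at a malformed entry or a privilege string that silently widens what the web server can do.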