Script behaving differently when run by Apache and when run from a shell by user www-data?
The CGI Howto page contains some basic information on how Apache
actually runs a program, but is there any more detailed information
anywhere?

Specifically, I have a problem where a bash script runs as expected when
run from an interactive shell by user www-data (this is Ubuntu).
However, the script behaves differently when run via Apache from a web
client. This is nothing to do with PATH or envvar differences: when run
by Apache, an operation to unmount a disk appears to succeed, but
actually doesn't unmount the disk. When run from the interactive shell,
as the same user, the operation unmounts the disk.

This is a basic Apache install on Ubuntu 22.04 - no suexec, no chroot,
plain CGI, etc. I've been running scripts via Apache this way for years,
but this is the first script which attempts to carry out disk
operations. All these scripts appear in the sudoers file to allow Apache
to carry out specific privileged operations.

I asked this question <https://unix.stackexchange.com/q/767587/212513>
today on StackExchange (https://unix.stackexchange.com/q/767587/212513,
if the link is scrubbed), with much more detail, but I think that was
probably the wrong place to ask.

 Thanks.
Re: Script behaving differently when run by Apache and when run from a shell by user www-data?
On Tue, Jan 23, 2024 at 2:02 PM EML <sa212+apache@cyconix.com> wrote:

> The CGI Howto page contains some basic information on how Apache actually
> runs a program, but is there any more detailed information anywhere?
>
> Specifically, I have a problem where a bash script runs as expected when
> run from an interactive shell by user www-data (this is Ubuntu). However,
> the script behaves differently when run via Apache from a web client. This
> is nothing to do with PATH or envvar differences: when run by Apache, an
> operation to unmount a disk appears to succeed, but actually doesn't
> unmount the disk. When run from the interactive shell, as the same user,
> the operation unmounts the disk.
>
> This is a basic Apache install on Ubuntu 22.04 - no suexec, no chroot,
> plain CGI, etc. I've been running scripts via Apache this way for years,
> but this is the first script which attempts to carry out disk operations.
> All these scripts appear in the sudoers file to allow Apache to carry out
> specific privileged operations.
>
> I asked this question <https://unix.stackexchange.com/q/767587/212513>
> today on StackExchange (https://unix.stackexchange.com/q/767587/212513,
> if the link is scrubbed), with much more detail, but I think that was
> probably the wrong place to ask.
>
> Thanks.
>

Let's take a step back - why are you unmounting from a cgi script?
Re: Script behaving differently when run by Apache and when run from a shell by user www-data?
>
> IMO suexec would be better suited to handle more sensitive operations
> such as unmounting.
>
> CGI is not an interactive shell, as you discovered.
>
> Calling a separate script with the suid bit might work too.

But I don't need an interactive shell: I need a way to run a script as
user www-data, which is what CGI is for. I tested the script in an
interactive shell because that's the easy way to run a script as user
www-data.

What's interesting here is that CGI appears to be doing something more
complex than simply forking a process. The script which is the problem
has an EUID of 0, so why can't it unmount a filesystem? Have I just
messed up (probably?) Or has Apache run me /without/ CAP_SYS_ADMIN? If
so, how and why? Maybe this is unlikely, but if it happens, it should be
documented. If this, or something similar, doesn't happen, then I know
that the problem is my fault.
Re: Script behaving differently when run by Apache and when run from a shell by user www-data?
On 1/23/2024 3:58 PM, EML wrote:

> What's interesting here is that CGI appears to be doing something more
> complex than simply forking a process. The script which is the problem
> has an EUID of 0, so why can't it unmount a filesystem? Have I just
> messed up (probably?) Or has Apache run me /without/ CAP_SYS_ADMIN? If

Or is Apache in an isolated namespace, making its mount and unmount
operations invisible to most other processes?

You can investigate by comparing what /proc/$$/ns/mnt looks like inside
and outside the problematic script. If this is the case, you might need
to use nsenter(1) to access the namespace(s) in which you want your
unmount to take effect.

--
Alan Curry
TSC Technology Department
pacurry@tsc.k12.in.us
765-269-8321
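
An added example, not part of the original thread, of the comparison suggested in the message above: it reads the `ns/mnt` link for two PIDs and checks whether a mount point is still listed in the reference process's mount table. The function names, the `PROC_ROOT` override and the `/mnt/usb` path in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: diagnose whether a process (e.g. a CGI script started by
# Apache) runs in a different mount namespace from a reference process.
# PROC_ROOT is an assumption added for testability; it defaults to /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the mount-namespace identity of a PID, e.g. "mnt:[4026531841]".
mnt_ns_of() {
    readlink "$PROC_ROOT/$1/ns/mnt"
}

# Exit 0 if both PIDs share a mount namespace, 1 if they differ,
# 2 if a namespace link could not be read.
same_mnt_ns() {
    a=$(mnt_ns_of "$1") || return 2
    b=$(mnt_ns_of "$2") || return 2
    [ "$a" = "$b" ]
}

# Exit 0 if mount point $2 appears in PID $1's view of the mount table.
# Field 5 of /proc/PID/mountinfo is the mount point.
mount_visible() {
    awk -v mp="$2" '$5 == mp { found = 1 } END { exit !found }' \
        "$PROC_ROOT/$1/mountinfo"
}

# Compare this_pid against ref_pid (default 1) for one mount point.
# Reading another process's ns link needs root, e.g. a script run via sudo.
report() {
    mp=$1; this_pid=$2; ref_pid=${3:-1}
    rc=0
    same_mnt_ns "$this_pid" "$ref_pid" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "shared namespace"
    elif [ "$rc" -eq 2 ]; then
        echo "cannot read namespace links"
    elif mount_visible "$ref_pid" "$mp"; then
        echo "private namespace; $mp still mounted for pid $ref_pid"
    else
        echo "private namespace; $mp not mounted for pid $ref_pid"
    fi
}

# Usage inside the script Apache runs (path is a placeholder):
#   report /mnt/usb $$ 1
```

A "private namespace; ... still mounted" result matches the symptom in this thread: the unmount succeeded in the caller's own namespace while the mount remained in the one other processes see.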


Re: Script behaving differently when run by Apache and when run from a shell by user www-data?
Hi Alan - spot on; thank you. To save having to learn about namespaces
I've just started Apache without 'PrivateTmp' in the service file, and
the script now works as expected (and 'lsns' no longer shows Apache as
having its own mount namespace).

journalctl also now shows that systemd unmounts my device after the
script issues the umount command, which it didn't before.

Disabling PrivateTmp isn't a great solution, but this is a one-off
config, so I can restore it afterwards. If you want to answer the SO
question I'll accept it.

On 24/01/2024 13:47, Curry, Alan wrote:
> On 1/23/2024 3:58 PM, EML wrote:
>
>> What's interesting here is that CGI appears to be doing something more
>> complex than simply forking a process. The script which is the problem
>> has an EUID of 0, so why can't it unmount a filesystem? Have I just
>> messed up (probably?) Or has Apache run me /without/ CAP_SYS_ADMIN? If
> Or is Apache in an isolated namespace, making its mount and unmount
> operations invisible to most other processes?
>
> You can investigate by comparing what /proc/$$/ns/mnt looks like inside
> and outside the problematic script. If this is the case, you might need
> to use nsenter(1) to access the namespace(s) in which you want your
> unmount to take effect.
>