Re: [users@httpd] Script behaving differently when run by Apache and when run from a shell by user www-data?

2024-01-24 Thread EML
Hi Alan - spot on; thank you. To save having to learn about namespaces
I've just started Apache without 'PrivateTmp' in the service file, and
the script now works as expected (and 'lsns' no longer shows Apache as
having its own mount namespace).

journalctl also now shows that systemd unmounts my device after the
script issues the umount command, which it didn't before.

Disabling PrivateTmp isn't a great solution, but this is a one-off
config, so I can restore it afterwards. If you want to answer the SO
question I'll accept it.


On 24/01/2024 13:47, Curry, Alan wrote:

> On 1/23/2024 3:58 PM, EML wrote:
>
>> What's interesting here is that CGI appears to be doing something more
>> complex than simply forking a process. The script which is the problem
>> has an EUID of 0, so why can't it unmount a filesystem? Have I just
>> messed up (probably?) Or has Apache run me /without/ CAP_SYS_ADMIN? If
>
> Or is Apache in an isolated namespace, making its mount and unmount
> operations invisible to most other processes?
>
> You can investigate by comparing what /proc/$$/ns/mnt looks like inside
> and outside the problematic script. If this is the case, you might need
> to use nsenter(1) to access the namespace(s) in which you want your
> unmount to take effect.


Re: [users@httpd] Script behaving differently when run by Apache and when run from a shell by user www-data?

2024-01-24 Thread Curry, Alan
On 1/23/2024 3:58 PM, EML wrote:

> What's interesting here is that CGI appears to be doing something more
> complex than simply forking a process. The script which is the problem
> has an EUID of 0, so why can't it unmount a filesystem? Have I just
> messed up (probably?) Or has Apache run me /without/ CAP_SYS_ADMIN? If

Or is Apache in an isolated namespace, making its mount and unmount
operations invisible to most other processes?

You can investigate by comparing what /proc/$$/ns/mnt looks like inside
and outside the problematic script. If this is the case, you might need
to use nsenter(1) to access the namespace(s) in which you want your
unmount to take effect.

-- 
Alan Curry
TSC Technology Department
pacu...@tsc.k12.in.us
765-269-8321


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Script behaving differently when run by Apache and when run from a shell by user www-data?

2024-01-23 Thread EML
> IMO suexec would be better suited to handle more sensitive operations
> such as unmounting.
>
> CGI is not an interactive shell, as you discovered.
>
> Calling a separate script with the suid bit might work too.

But I don't need an interactive shell: I need a way to run a script as
user www-data, which is what CGI is for. I tested the script in an
interactive shell because that's the easy way to run a script as user
www-data.

What's interesting here is that CGI appears to be doing something more
complex than simply forking a process. The script which is the problem
has an EUID of 0, so why can't it unmount a filesystem? Have I just
messed up (probably?) Or has Apache run me /without/ CAP_SYS_ADMIN? If
so, how and why? Maybe this is unlikely, but if it happens, it should be
documented. If this, or something similar, doesn't happen, then I know
that the problem is my fault.
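The two checks raised in this thread, EML's question of whether the CGI process still holds CAP_SYS_ADMIN and Alan's suggestion to compare /proc/$$/ns/mnt inside and outside the script and reach the right namespace with nsenter(1), can be done from one script. The following is an added example, not code from the thread or from the Apache or systemd projects. It assumes Linux with /proc mounted; for the unmount path it assumes the script runs with EUID 0 (for instance through the sudoers entry EML mentions), since opening /proc/1/ns/mnt needs that. The device path /dev/sdb1 and the script's invocation form are placeholders.

```shell
#!/bin/bash
# Added diagnostic for the "umount succeeds but nothing is unmounted" symptom.
# Not from the thread. Assumes Linux with /proc; umount_system_wide assumes
# EUID 0. /dev/sdb1 in the comments is a placeholder device.

# Mount-namespace identifier of a PID, e.g. "mnt:[4026531841]".
mnt_ns_of() {
    readlink "/proc/$1/ns/mnt"
}

# Effective capability bitmask of a PID, as the hex string in /proc/PID/status.
cap_eff_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# "yes" if CAP_SYS_ADMIN (capability number 21) is set in a hex mask, else "no".
has_cap_sys_admin() {
    if [ $(( (0x$1 >> 21) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# Print what may differ between this process and PID 1. Run it once via Apache
# and once from an interactive www-data shell, then diff the two outputs.
diagnose() {
    local self_ns init_ns capeff
    self_ns=$(mnt_ns_of self)
    init_ns=$(mnt_ns_of 1 2>/dev/null || true)   # empty when not permitted
    capeff=$(cap_eff_of self)
    echo "euid=$(id -u) mnt_ns=$self_ns init_mnt_ns=${init_ns:-unreadable}"
    echo "CapEff=$capeff cap_sys_admin=$(has_cap_sys_admin "$capeff")"
    if [ -z "$init_ns" ]; then
        echo "cannot read /proc/1/ns/mnt as uid $(id -u); rerun as root to compare"
    elif [ "$self_ns" != "$init_ns" ]; then
        echo "private mount namespace: (u)mounts done here are invisible to the rest of the system"
    fi
}

# Unmount $1 so that the rest of the system sees it. If this process lives in
# a private mount namespace (systemd's PrivateTmp=yes creates one), the umount
# is executed inside PID 1's namespace via nsenter(1) instead.
umount_system_wide() {
    local dev=$1
    if [ "$(id -u)" -ne 0 ]; then
        echo "umount_system_wide: need EUID 0 to open /proc/1/ns/mnt" >&2
        return 2
    fi
    if [ "$(mnt_ns_of self)" = "$(mnt_ns_of 1)" ]; then
        umount "$dev" || return 1
    else
        nsenter --target 1 --mount -- umount "$dev" || return 1
    fi
    # Do not trust umount's exit status alone: confirm from PID 1's point of view.
    if nsenter --target 1 --mount -- findmnt --source "$dev" >/dev/null; then
        echo "umount_system_wide: $dev is still mounted in PID 1's namespace" >&2
        return 1
    fi
}

if [ -n "$GATEWAY_INTERFACE" ]; then        # invoked by Apache as a CGI script
    printf 'Content-Type: text/plain\r\n\r\n'
    diagnose
elif [ "$1" = umount ]; then                # from a shell: ./script umount /dev/sdb1
    umount_system_wide "$2"
fi
```

When the CGI run reports a different mnt_ns than the shell run, the capability check will usually come back unchanged: the process is root with CAP_SYS_ADMIN, it just operates on a copy of the mount table that nobody else can see, which is why the original umount "succeeded". lsns -t mnt lists the namespaces and the PIDs in each, so the apache2 workers showing up under their own entry is the same finding. If the hardening is to be kept rather than removed from the unit, a drop-in created with systemctl edit apache2 survives package upgrades, whereas editing the shipped service file does not.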

Re: [users@httpd] Script behaving differently when run by Apache and when run from a shell by user www-data?

2024-01-23 Thread Frank Gingras
On Tue, Jan 23, 2024 at 2:12 PM EML  wrote:

>
> > Let's take a step back - why are you unmounting from a cgi script?
>
> It's a one-time setup when a user configures a new system. Most of these
> users aren't shell-literate, so they configure by ticking boxes on a web
> page. The system is a VPS, so is actually a VM, which I hope isn't relevant.
>
> Anyway, when configuration completes, all the scripts are deleted and
> Apache runs 'normally'.
>

IMO suexec would be better suited to handle more sensitive operations such
as unmounting.

CGI is not an interactive shell, as you discovered.

Calling a separate script with the suid bit might work too.


Re: [users@httpd] Script behaving differently when run by Apache and when run from a shell by user www-data?

2024-01-23 Thread Frank Gingras
On Tue, Jan 23, 2024 at 2:02 PM EML  wrote:

> The CGI Howto page contains some basic information on how Apache actually
> runs a program, but is there any more detailed information anywhere?
>
> Specifically, I have a problem where a bash script runs as expected when
> run from an interactive shell by user www-data (this is Ubuntu). However,
> the script behaves differently when run via Apache from a web client. This
> is nothing to do with PATH or envvar differences: when run by Apache, an
> operation to unmount a disk appears to succeed, but actually doesn't
> unmount the disk. When run from the interactive shell, as the same user,
> the operation unmounts the disk.
>
> This is a basic Apache install on Ubuntu 22.04 - no suexec, no chroot,
> plain CGI, etc. I've been running scripts via Apache this way for years,
> but this is the first script which attempts to carry out disk operations.
> All these scripts appear in the sudoers file to allow Apache to carry out
> specific privileged operations.
>
> I asked this question 
> today on StackExchange (https://unix.stackexchange.com/q/767587/212513,
> if the link is scrubbed), with much more detail, but I think that was
> probably the wrong place to ask.
>
>  Thanks.
>

Let's take a step back - why are you unmounting from a cgi script?