I am trying to debug a process which worked fine until about a week ago. I have a script accessible to my webserver which does nothing but write a value into an existing named pipe:

    #!/bin/bash

    pipe=/tmp/al_webui

    # Write the trigger value into the existing named pipe
    echo 5 > "$pipe"

The script is called using sudo and the webserver may execute it by allowing it in visudo.

This has worked in the past but now nothing appears in the named pipe. If I execute the script manually, the writing is successful; if the webserver calls it, nothing happens. I do not receive any error message whatsoever. I can see the script being correctly called in my /var/log/auth.log:

    Sep  4 12:22:30 luc sudo: www-data : TTY=unknown ; PWD=/srv/www/htdocs/al ; USER=root ; COMMAND=./al_webui_trigger.sh
    Sep  4 12:22:30 luc sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Sep  4 12:22:30 luc sudo: pam_unix(sudo:session): session closed for user root

The log lists other script calls which are all successful (although they do not try to write to named pipes).

I have run out of ideas where to look since I get no errors of wrong filepaths or permissions (deliberate introduction of errors in the paths immediately shows up in the auth.log and chmod 777 does not change anything). Does someone have an idea how to proceed at this point?

I am running this on Debian Stretch and the errors may have started since I upgraded from Jessie but I am not sure if this is connected.

Bowdzone

1 Answer

It turned out the PrivateTmp setting was the culprit; I assume this behaviour has changed during the upgrade. This means the webserver service was automatically associated with its private temp directory and therefore wrote to a different pipe than the one I was reading from. The solution is taken from here:

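    # Create the drop-in directory for overrides of the apache2 unit
    mkdir -p /etc/systemd/system/apache2.service.d
    # Drop-in with a single entry that turns off the private /tmp
    echo -e "[Service]\nPrivateTmp=no" > /etc/systemd/system/apache2.service.d/privatetmp.conf
    # Reload unit files and restart the webserver so the setting applies
    systemctl daemon-reload
    systemctl restart apache2
    # Check the effective value on the apache2 unit
    systemctl show apache2 | grep PrivateTmp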

This creates a directory for a dedicated configuration used by the apache process. In the configuration file only one entry is listed, which overwrites the value we have to change, PrivateTmp, and sets it to false. The rest reloads the systemctl daemon, restarts the webserver and checks whether the change was successful.

Please be aware of the security impacts a shared tmp-directory has before you decide if this is a suitable solution for you.

Bowdzone
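A way to confirm this diagnosis before touching the unit, as an added example that is not part of the original answer: it compares the mount namespace of a service's main process with the calling shell's and checks whether a path resolves to the same inode in both views. The script name and the use of `/proc/<pid>/root` with `stat` are assumptions of this example, and it needs root to inspect another user's process.

```bash
#!/bin/bash
# Added example (not from the original post): does a systemd service see the
# same file at PATH as this shell? With PrivateTmp=yes the unit gets its own
# /tmp mount, so /tmp/al_webui can be two different FIFOs.

# Mount-namespace id of a PID, e.g. "mnt:[4026531840]".
mnt_ns() { readlink "/proc/$1/ns/mnt"; }

# 0 if both PIDs live in the same mount namespace.
same_mount_ns() { [ "$(mnt_ns "$1")" = "$(mnt_ns "$2")" ]; }

# device:inode of PATH as resolved inside PID's filesystem view.
path_id() { stat -c '%d:%i' "/proc/$1/root$2" 2>/dev/null; }

# 0 if PATH exists for both PIDs and is the very same inode.
sees_same_file() {
    local a b
    a=$(path_id "$1" "$3") || return 1
    b=$(path_id "$2" "$3") || return 1
    [ "$a" = "$b" ]
}

# Report for a unit; needs root to read another user's /proc/<pid>/{ns,root}.
check_unit_path() {
    local unit=$1 path=$2 pid
    pid=$(systemctl show -p MainPID "$unit" | cut -d= -f2)
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "$unit: no running main process" >&2; return 2
    fi
    systemctl show -p PrivateTmp "$unit"
    if same_mount_ns "$$" "$pid"; then echo "mount namespace: shared"
    else echo "mount namespace: private to $unit"; fi
    if sees_same_file "$$" "$pid" "$path"; then
        echo "$path: same file for this shell and $unit"
    else
        echo "$path: DIFFERENT (or missing) inside $unit"; return 1
    fi
}

# Hypothetical usage: sudo ./check_tmp.sh apache2 /tmp/al_webui
if [ "$#" -eq 2 ]; then check_unit_path "$1" "$2"; fi
```

A "DIFFERENT" result with `PrivateTmp=yes` means the service is writing into its own private `/tmp`, which is the situation described in the answer.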