2

I'm trying to profile a fcgi application (C++) that runs within apache with mod_fascgi with perftools. SO is Centos 6 x86_64.

The problem is the following. According to gperftools documentation

"For security reasons, CPU profiling will not write to a file -- and is thus not usable -- for setuid programs."

Apache must be launched as root, and then uses setuid to use apache as user, thus using setuid. Then gperftools won't write to the file. And running Apache as root is also disabled.

Any solution?

So far I thought about 3 solutions:

  • Create a test within the application to simulate some requests and mock FCGI classes.
  • Recompile Apache with flag -DBIG_SECURITY_HOLE to allow to run apache as root.
  • Recomplie gperftools removing the check of suid.
pakore
  • 11,395
  • 12
  • 43
  • 62

2 Answers2

1

I recompiled gperftools and removed the check of suid.

The only thing to keep in mind is that for the log to be written you can't kill the process. And doing ´service httpd stop´ will kill the process (so it won't flush the log).

You have to either send a signal (read gperftools documentation) or add the ProfileStart() and ProfileStop() calls within your main.

pakore
  • 11,395
  • 12
  • 43
  • 62
0

You could always listen on a high port and start/stay as a non-root user, which is much less intrusive then your other three options.

Another option is to start your fcgi statically under the profiler and have httpd connect to it (unix socket or TCP), IOW not doing process management for the FCGI in Apache and forking off from the process manager.

However it is surprising to me that "calls setuid()" is treated the same as the binary having the setuid bit. Are you sure gperftools really blocks the former and is not just being otherwise mis-used? Woudln't it be writing a partial logfile?

covener
  • 17,402
  • 2
  • 31
  • 45