I can't reproduce this. Please provide a complete strace
of apache:
strace -o my_strace -v -s 100 -f -p $PID
my_strace
(preferably gzipped)

On Tue, Jul 27, 2021 at 10:40 PM leandrocombr @.***> wrote:
I can't reproduce this. Please provide a complete strace of apache:
start apache
find the PID of the main apache process
as root:
strace -o my_strace -v -s 100 -f -p $PID
browse to http://localhost/xx.pl
kill the strace and attach
my_strace
(preferably gzipped)

@.*** html]# strace -o my_strace -v -s 100 -f -p $PID
strace: option requires an argument -- 'p'
PID=
(the PID shell variable was empty, so -p received no argument)
On Tue, Jul 27, 2021 at 10:40 PM leandrocombr @.> wrote: I can't reproduce this. Please provide a complete strace of apache: 1. start apache 2. find the PID of the main apache process 3. as root:
strace -o my_strace -v -s 100 -f -p $PID
4. browse to http://localhost/xx.pl 5. kill the strace and attach my_strace
(preferably gzipped)

@. html]# strace -o my_strace -v -s 100 -f -p $PID
strace: option requires an argument -- 'p'
PID=
Follow the file as requested: my_trace
my_trace shows
1347 execve("/var/www/html/xx.pl", ["/var/www/html/xx.pl"], ...) = 0
# CGI program starts executing...
...
1347 stat("/tmp/par-617061636865", {st_mode=S_IFDIR|0700, st_uid=48, st_gid=48, ...}) = 0
# PAR's per-user temp directory exists and has permission 0700 apache:apache
1347 getuid() = 48
# ...and it's running as apache
...
1347 mkdir("/tmp/par-617061636865/cache-12be90475e491aee5ef41af4e17e373b37359d1d", 0700) = -1 EEXIST
# the cache directory for xx.pl already exists (from a previous run)
1347 stat("/tmp/par-617061636865/cache-12be90475e491aee5ef41af4e17e373b37359d1d/xx.pl", {st_mode=S_IFREG|0750, st_uid=48, st_gid=48, ...}) = 0
# ...and the already extracted custom perl interpreter has permission 750 apache:apache
1347 execve("/tmp/par-617061636865/cache-12be90475e491aee5ef41af4e17e373b37359d1d/xx.pl", ...) = -1 EACCES
# strange!
The only possible explanation for EACCES left is: the executable is on a filesystem mounted with noexec.
E.g., on my system (Debian) apache is controlled by systemd and apache.service has PrivateTmp=true. Check what /tmp is for the apache process and its offspring with cat /proc/<pid-of-apache-main-process>/mountinfo | grep /tmp.
Do you have whatsapp or telegram?
my_trace shows
1347 execve("/var/www/html/xx.pl", ["/var/www/html/xx.pl"], ...) = 0
# CGI program starts executing...
...
1347 stat("/tmp/par-617061636865", {st_mode=S_IFDIR|0700, st_uid=48, st_gid=48, ...}) = 0
# PAR's per-user temp directory exists and has permission 0700 apache:apache
1347 getuid() = 48
# ...and it's running as apache
...
1347 mkdir("/tmp/par-617061636865/cache-12be90475e491aee5ef41af4e17e373b37359d1d", 0700) = -1 EEXIST
# the cache directory for xx.pl already exists (from a previous run)
1347 stat("/tmp/par-617061636865/cache-12be90475e491aee5ef41af4e17e373b37359d1d/xx.pl", {st_mode=S_IFREG|0750, st_uid=48, st_gid=48, ...}) = 0
# ...and the already extracted custom perl interpreter has permission 750 apache:apache
1347 execve("/tmp/par-617061636865/cache-12be90475e491aee5ef41af4e17e373b37359d1d/xx.pl", ...) = -1 EACCES
# strange!
The only possible explanation for EACCES left is: the executable is on a filesystem mounted with noexec.
E.g., on my system (Debian) apache is controlled by systemd and apache.service has PrivateTmp=true. Check what /tmp is for the apache process and its offspring with cat /proc/<pid-of-apache-main-process>/mountinfo | grep /tmp.
Do you have whatsapp or telegram?
chmod 0700 /tmp/par-617061636865/
chown apache:apache /tmp/par-617061636865/
I restarted the server with reboot, and the error persists!
[root@localhost tmp]# cat /proc/8689/mountinfo
130 129 253:0 / / rw,relatime shared:109 master:1 - ext4 /dev/mapper/centos-root rw,seclabel,data=ordered
131 130 0:5 / /dev rw,nosuid shared:110 master:2 - devtmpfs devtmpfs rw,seclabel,size=8040600k,nr_inodes=2010150,mode=755
132 131 0:19 / /dev/shm rw,nosuid,nodev shared:111 master:3 - tmpfs tmpfs rw,seclabel
133 131 0:12 / /dev/pts rw,nosuid,noexec,relatime shared:112 master:4 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=000
134 131 0:15 / /dev/mqueue rw,relatime shared:113 master:27 - mqueue mqueue rw,seclabel
135 131 0:38 / /dev/hugepages rw,relatime shared:114 master:28 - hugetlbfs hugetlbfs rw,seclabel
136 130 0:3 / /proc rw,nosuid,nodev,noexec,relatime shared:115 master:5 - proc proc rw
137 136 0:37 / /proc/sys/fs/binfmt_misc rw,relatime shared:116 master:25 - autofs systemd-1 rw,fd=27,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=10153
138 130 0:18 / /sys rw,nosuid,nodev,noexec,relatime shared:117 master:6 - sysfs sysfs rw,seclabel
139 138 0:17 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:118 master:7 - securityfs securityfs rw
140 138 0:21 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:119 master:8 - tmpfs tmpfs ro,seclabel,mode=755
141 140 0:22 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:120 master:9 - cgroup cgroup rw,seclabel,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
142 140 0:25 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:121 master:10 - cgroup cgroup rw,seclabel,memory
143 140 0:26 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:122 master:11 - cgroup cgroup rw,seclabel,cpuacct,cpu
144 140 0:27 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:123 master:12 - cgroup cgroup rw,seclabel,blkio
145 140 0:28 / /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:124 master:13 - cgroup cgroup rw,seclabel,net_prio,net_cls
146 140 0:29 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:125 master:14 - cgroup cgroup rw,seclabel,cpuset
147 140 0:30 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:126 master:15 - cgroup cgroup rw,seclabel,freezer
148 140 0:31 / /sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime shared:127 master:16 - cgroup cgroup rw,seclabel,pids
149 140 0:32 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:128 master:17 - cgroup cgroup rw,seclabel,devices
150 140 0:33 / /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime shared:129 master:18 - cgroup cgroup rw,seclabel,hugetlb
151 140 0:34 / /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:130 master:19 - cgroup cgroup rw,seclabel,perf_event
152 138 0:23 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:131 master:20 - pstore pstore rw
153 138 0:24 / /sys/firmware/efi/efivars rw,nosuid,nodev,noexec,relatime shared:132 master:21 - efivarfs efivarfs rw
154 138 0:35 / /sys/kernel/config rw,relatime shared:133 master:22 - configfs configfs rw
155 138 0:16 / /sys/fs/selinux rw,relatime shared:134 master:23 - selinuxfs selinuxfs rw
156 138 0:6 / /sys/kernel/debug rw,relatime shared:135 master:26 - debugfs debugfs rw
157 130 0:20 / /run rw,nosuid,nodev shared:136 master:24 - tmpfs tmpfs rw,seclabel,mode=755
158 157 0:39 / /run/user/0 rw,nosuid,nodev,relatime shared:137 master:105 - tmpfs tmpfs rw,seclabel,size=1610548k,mode=700
159 130 8:2 / /boot rw,relatime shared:138 master:29 - xfs /dev/sda2 rw,seclabel,attr2,inode64,noquota
160 159 8:1 / /boot/efi rw,relatime shared:139 master:30 - vfat /dev/sda1 rw,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro
161 130 253:2 / /var rw,relatime shared:140 master:31 - ext4 /dev/mapper/centos-var rw,seclabel,data=ordered
162 130 253:0 /tmp/systemd-private-6167da197e0f43bd80d040489ab8f080-httpd.service-VQFAAB/tmp /tmp rw,relatime shared:142 master:1 - ext4 /dev/mapper/centos-root rw,seclabel,data=ordered
163 161 253:2 /tmp/systemd-private-6167da197e0f43bd80d040489ab8f080-httpd.service-8YUmJB/tmp /var/tmp rw,relatime shared:141 master:31 - ext4 /dev/mapper/centos-var rw,seclabel,data=ordered
165 137 0:40 / /proc/sys/fs/binfmt_misc rw,relatime shared:144 master:143 - binfmt_misc binfmt_misc rw
[root@localhost tmp]# cat /usr/lib/systemd/system/httpd.service
# See httpd.service(8) for more information on using the httpd service.
# Modifying this file in-place is not recommended, because changes
# will be overwritten during package upgrades. To customize the
# behaviour, run "systemctl edit httpd" to create an override unit.
# For example, to pass additional options (such as -D definitions) to
# the httpd binary at startup, create an override unit (as is done by
# systemctl edit) and enter the following:
# [Service]
# Environment=OPTIONS=-DMY_DEFINE
[Unit]
Description=The Apache HTTP Server
Wants=httpd-init.service
After=network.target remote-fs.target nss-lookup.target httpd-init.service
Documentation=man:httpd.service(8)
[Service]
Type=notify
Environment=LANG=C
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
# Send SIGWINCH for graceful stop
KillSignal=SIGWINCH
KillMode=mixed
PrivateTmp=true
[Install]
WantedBy=multi-user.target
chmod 0700 /tmp/par-617061636865/ chown apache:apache /tmp/par-617061636865/
I restarted the server with reboot, and the error persists!
That is the global /tmp and has no effect on private /tmp's created by systemd.
OK, so httpd.service has PrivateTmp=true
and
130 129 253:0 / / rw,relatime shared:109 master:1 - ext4 /dev/mapper/centos-root rw,seclabel,data=ordered
161 130 253:2 / /var rw,relatime shared:140 master:31 - ext4 /dev/mapper/centos-var rw,seclabel,data=ordered
162 130 253:0 /tmp/systemd-private-6167da197e0f43bd80d040489ab8f080-httpd.service-VQFAAB/tmp /tmp rw,relatime shared:142 master:1 - ext4 /dev/mapper/centos-root rw,seclabel,data=ordered
163 161 253:2 /tmp/systemd-private-6167da197e0f43bd80d040489ab8f080-httpd.service-8YUmJB/tmp /var/tmp rw,relatime shared:141 master:31 - ext4 /dev/mapper/centos-var rw,seclabel,data=ordered
shows that the apache service indeed has its own /tmp (and /var/tmp), but they are not mounted noexec; they are, however, mounted with seclabel...
Is SELinux enabled on this machine? The mountinfo above shows selinuxfs mounted at /sys/fs/selinux and seclabel on the mounts, so it is at least loaded. Maybe EACCES is caused by an SELinux policy denial; check your audit/AVC logs. E.g. the selinux refpolicy has this tunable:
## <desc>
## <p>
## Determine whether httpd can execute
## its temporary content.
## </p>
## </desc>
gen_tunable(httpd_tmp_exec, false)
Script runs normally on http://localhost/perl.pl
When I run the script via browser http://localhost/xx.pl
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.