Getting Around Apache's Crippled Privileges

Discussion in 'Computing and Networks' started by Brownout, Feb 15, 2015.

  1. Brownout

    Thread Starter Well-Known Member

    Jan 10, 2012
    As a feature of my home surveillance and security system, I'm implementing some simple home control using Linux-Apache-CGI, a USB to GPIO device from FTDI and FTDI's custom drivers. I've written a simple CGI script and web form to turn on and off a few fixtures. Basically, the user enters the number corresponding to the fixture he wants to turn on or off and submits the request using the POST method. The CGI script then calls the device drivers the pass the request to the GPIO device. The form/script work fine. The problem arises when I attempt to open my device drivers; the Apache server does not have sufficient privileges to perform the task. I know this is the issue after about 10 hours of writing code and running experiments. For example, I can run the same script to exercise the GPIO device directly, with my own user privileges with not issue at all. But by running the same script from Apache, everything works with the exception of opening and writing to the device.

    I've read about many options that give Apache permission to complete the task, however they are all unsecure. For example, the script can set UID to root and work, but that opens up my server to malicious attacks. This is not an option at this time, because my Linux knowledge isn't at a level that allows me to do this safely. But I can think of another option that might work. I can start a program that runs with the required privileges which polls a file to test for an access from the script, and when it senses an access, it goes ahead and opens and writes to the device. Keeping in mind that there is no critical timing requirements, the program can simply wait on the file in case of a contention (of which is guaranteed) I don't think a full-up IPC (Inter Process Communication) program is needed, and not sure if it would even work.

    Has anyone every tried such a scheme before? I mean, polling a file and such.
  2. tom_s


    Jun 27, 2014
    sorry, some of this has gone way over my head but thought that came to mind, setup a cron job to do the polling?
    cron can be user or root specific
  3. Brownout

    Thread Starter Well-Known Member

    Jan 10, 2012
    Believe it or not, I have this working now. The following is a code excerpt that examines a file to see if the server has accessed it. If the program senses an access, then it acts on the data written to the file. Basically, it's a poor man's IPC program. To avoid contention with the server, the program first attempts to open the file, and if the file isn't available, then the program waits 1/2 second before trying again. Once it gains access to the file, it waits 5 seconds before attempting another access. The statement "perform_i_o()" is pseudo code for accessing the FTDI device.

    Code (Text):
    1.     //open log file
    2.     log_num = -1;
    3.     filetry = 0;
    4.     while(log_num < 0) {
    5.       while((logfile = fopen("/var/www/cgi-bin/control_log", "r"))
    6.         == NULL) {
    7.         usleep(500000);
    8.         if(filetry >= 1200) {
    9.           printf("Not able to open file after 5 minutes\n");
    10.           return -1;
    11.         }
    12.         filetry ++;
    13.       }
    15.       if((fscanf(logfile, "%d", &rd_log_num)) == EOF)
    16.         log_num = -1;
    17.       else
    18.         log_num = rd_log_num;
    19.       sleep(5);
    20.       fclose(logfile);
    21.     }
    23.    perform_i_0(log_num);
  4. Robartes


    Oct 1, 2014
    When you say 'opening and writing to the device', do you mean an actual device file? Assuming you do, you should be able to change the filesystem access rights to that file to include the user/group apache is running as.