
Last week, I upgraded my Linux file server from Fedora 39 to Fedora 40, and several CGI applications written in Perl stopped working. I first noticed it when Foswiki could not show any pages, because it was unable to open its log file. After unsuccessfully pursuing a theory that the system upgrade had resulted in some incompatibility between (updated) perl libraries and the (same old) Foswiki application, I discovered that an application that I had written myself had the same problem.

I have now reduced it to a very small program, the core of which is just these few lines:

#!/usr/bin/perl
use strict;
use warnings;
# ljpDate()/ljpTime() are the poster's own helpers (not shown); minimal stand-ins so this runs stand-alone.
sub ljpDate { my @t = localtime; sprintf "%04d-%02d-%02d", $t[5] + 1900, $t[4] + 1, $t[3] }
sub ljpTime { my @t = localtime; sprintf "%02d:%02d:%02d", $t[2], $t[1], $t[0] }
my $file_to_write = "/tmp/writetest.txt";
unless (open(OUTFILE, ">>", $file_to_write)) {
    print "Failed to open (for append) $file_to_write: $!<BR>\n";   # $! says why the open failed
    exit 1;    # do not fall through to the printf on an unopened handle
}
printf "%s %s Write test to $file_to_write\n", ljpDate(), ljpTime();
printf OUTFILE "%s %s Write test\n", ljpDate(), ljpTime();
close OUTFILE;
print "Write completed<BR>\n";

It appears that the open succeeds (I do not get the "Failed .." message), but nothing is written to the file, even though it has mode 666 (-rw-rw-rw-) and it is owned by apache:apache. If the file exists, it is untouched, and if it does not exist, it is not created.

If I run the script from the command line (./writetest.cgi) everything works as expected.

This worked last week before the update. Is there some new sandboxing feature that kills my applications?

I should add that SELinux is disabled on this system, as confirmed by sestatus.

  • Your system may have set up a PrivateTmp. Look at systemctl show -p PrivateTmp httpd (or whatever service is running your cgi) for PrivateTmp=yes, or for a tmp directory in /tmp/systemd-private-*/.
    – meuh
    Commented Nov 15 at 6:52
  • Thank you! This explains why my simplified test failed. After turning off PrivateTmp for httpd, my simplified test works. I was sooo puzzled as to why I failed to write to the one directory that everyone is supposed to be able to write to. I had never heard about this feature before, and I am very grateful for learning about it now! Commented Nov 15 at 18:49

1 Answer


The answer was simple, but hard to find.

Fedora uses systemd and systemd has implemented a lot of sandboxing around httpd and other service elements. These are not really new, but it appears that Fedora has just recently turned them on for httpd (Apache).

The result is that, with the current default settings, each instance of httpd gets its own temporary version of /tmp. Any CGI program that writes to /tmp sees it succeed, but the next time you call the same CGI program, that file is not there anymore.

Similarly, the whole file tree under /home is read-only for CGI programs.

In my installation, each application is installed under a pseudo user under /home. For example, the system I wrote to track product serial numbers and the customers they are shipped to, lives under /home/sales/serial. Similarly, the Foswiki service lives under /home/foswiki2.

To solve the problem I used sudo systemctl edit httpd to create an override parameter file for httpd.service, containing

[Service]
PrivateTmp=false
ProtectHome=no

I then issued the commands sudo systemctl reload-daemons and sudo systemctl restart httpd.

Now things work like I am used to.
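Two practical notes on the answer above, followed by an added example (mine, not code from the original post, from Fedora or from the Apache project). First, the command that reloads unit files is `systemctl daemon-reload`; `systemctl edit` already runs it for you, so only the `systemctl restart httpd` is needed after saving the override. Second, `PrivateTmp=false` and `ProtectHome=no` switch the sandboxing off for the whole service, which is a bigger change than the two applications need. systemd.exec(5) lets `ReadWritePaths=` re-open specific subtrees inside a `ProtectHome=read-only` or `ProtectSystem=` tree, so the override can keep /home read-only and open just /home/foswiki2 and /home/sales/serial, and the CGI programs can keep the private /tmp by writing scratch files under their own application directory instead. The script below reads the sandbox-related properties of a unit (via `systemctl show`, the same check as in the comment) and explains whether a write to a given path will land on the shared filesystem, be refused, or silently go into the private /tmp; it also writes the narrower override. The property values in `sample_props` are constructed for the demo to match what the answer describes, not captured from a real Fedora host, and the `-p` property list is limited to the directives discussed here.

```shell
#!/bin/sh
# Added example (not from the original post). Given the sandboxing properties of
# a systemd unit, say whether a CGI program's write to a path lands where the
# author expects. Live use:   sandbox_check httpd /home/foswiki2/working/logs/error.log
# Offline use (no systemd):   check_path "$sample_props" /tmp/writetest.txt

# Sandbox-related properties of a unit, one "Key=Value" per line (needs systemd).
unit_props() {
    systemctl show -p PrivateTmp -p ProtectHome -p ProtectSystem -p ReadWritePaths "$1"
}

# Extract one "Key=Value" property from a block of property lines.
prop() { printf '%s\n' "$1" | sed -n "s/^$2=//p"; }

# $1 = property lines, $2 = absolute path the program opens for writing.
# Returns 0 if the write lands on the shared filesystem, 1 if the sandbox
# hides, discards or refuses it; prints a one-line verdict either way.
check_path() {
    props=$1; path=$2
    private_tmp=$(prop "$props" PrivateTmp)
    protect_home=$(prop "$props" ProtectHome)
    protect_system=$(prop "$props" ProtectSystem)
    # ReadWritePaths= re-enables writing below the listed directories even
    # inside a ProtectHome=read-only or ProtectSystem= subtree (systemd.exec(5)).
    for p in $(prop "$props" ReadWritePaths); do
        p=${p#-}; p=${p#+}      # strip the "ignore if missing" / "ignore ProtectSystem" prefixes
        case $path in "$p"|"$p"/*) echo "rw: $path is under ReadWritePaths=$p"; return 0 ;; esac
    done
    case $path in /tmp/*|/var/tmp/*)
        if [ -n "$private_tmp" ] && [ "$private_tmp" != no ]; then
            echo "private: PrivateTmp=$private_tmp gives the service its own /tmp (look under /tmp/systemd-private-*/tmp/); $path is invisible from outside and discarded on restart"
            return 1
        fi ;;
    esac
    case $path in /home/*|/root/*|/run/user/*)
        case $protect_home in
            yes)       echo "hidden: ProtectHome=yes makes $path inaccessible and empty"; return 1 ;;
            read-only) echo "read-only: ProtectHome=read-only refuses writes to $path"; return 1 ;;
            tmpfs)     echo "hidden: ProtectHome=tmpfs replaces $path with an empty read-only tmpfs"; return 1 ;;
        esac ;;
    esac
    case $protect_system in
        strict) echo "read-only: ProtectSystem=strict mounts everything but /dev, /proc and /sys read-only"; return 1 ;;
        full)   case $path in /usr/*|/boot/*|/efi/*|/etc/*) echo "read-only: ProtectSystem=full covers $path"; return 1 ;; esac ;;
        yes)    case $path in /usr/*|/boot/*|/efi/*) echo "read-only: ProtectSystem=yes covers $path"; return 1 ;; esac ;;
    esac
    echo "rw: $path is writable and shared with the rest of the system"
    return 0
}

# Live wrapper: sandbox_check <unit> <path>
sandbox_check() { check_path "$(unit_props "$1")" "$2"; }

# Narrower override than PrivateTmp=false/ProtectHome=no: keep the private /tmp,
# keep /home read-only, and open only the two application trees named in the
# answer. $1 = directory to write override.conf into (a scratch dir to preview;
# for real, paste the body into `sudo systemctl edit httpd`, then restart httpd).
write_override() {
    cat > "$1/override.conf" <<'EOF'
[Service]
ProtectHome=read-only
ReadWritePaths=/home/foswiki2 /home/sales/serial
EOF
}

# Constructed sample of what a hardened httpd.service reports to `systemctl show`
# (values assumed for the demo, consistent with the answer, not captured from a host).
sample_props='PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=full
ReadWritePaths='

# The same unit after the narrower override above has been applied.
fixed_props='PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=full
ReadWritePaths=/home/foswiki2 /home/sales/serial'
```

Against `sample_props`, a write to /tmp/writetest.txt is reported as "private" (it succeeds but goes into the service's own /tmp, which is exactly the symptom in the question) and a write under /home/foswiki2 as "read-only"; against `fixed_props` both application trees come back "rw" while the rest of /home stays read-only. After applying an override, confirm the live values with `systemctl show -p PrivateTmp -p ProtectHome -p ReadWritePaths httpd` before trusting a test request.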
