2

I have an Apache instance with mod_suexec enabled. I'm trying to debug a problem and am starting Apache with strace to try and see what's happening.

However, when I start Apache like this:

# strace -f -o /tmp/apache.strace /etc/init.d/apache2 start

I get this in the error log:

suexec failure: could not open log file
fopen: Permission denied

However, when I start Apache normally, everything works correctly.

I presume that some mechanism in use by mod_suexec is being upset by the use of strace, but I'm unclear as to what exactly is happening. Is there any way of using strace and having mod_suexec work correctly?

Jeff Schaller
  • 66,199
  • 35
  • 114
  • 250
Flup
  • 8,017
  • 2
  • 33
  • 50

1 Answers1

4

strace uses ptrace() to trace system calls.

If a process being traced tries to exec a file with setuid or setgid bits on, the bits will be ignored (and the process will continue to run with the process's existing uid and gid), unless the process is running as root (or has the CAP_SETUID capability).

Your web server is (hopefully!) not running as root, so if you trace it, suexec's setuid bit will be ignored and it will run as the uid of the web server.

To get around this, you could avoid doing any straces until suexec has been launched, then do strace -f -o ... -p pid-of-suexec. To give you time to find suexec's process id, you could add code so it sleeps for a bit or waits for a file to appear, etc.

Mark Plotnick
  • 24,913
  • 2
  • 59
  • 81
  • Gotcha -- thanks! Unfortunately I need to see the very first things the `suexec`d process does... maybe I can put a wrapper around it or something. – Flup Jul 11 '14 at 07:20