Re: possible bug in /proc filesystem?

I noticed that /proc entries are owned by the user who started the process.
However, I can't avoid starting the apache parent process as root, since it binds to port 80, so it has to be started by root in all cases.
Anyway, apache itself somehow changes its owner from root to the 'apache' user and forks all child processes as the 'apache' user.

If I start apache using the root user, its process ID is for example 1234, and the directory /proc/1234 is owned by root. All children of process 1234 have their directories in /proc as well, for example /proc/1235; those are all owned by apache, not root. All of this is expected functionality. But even if the directory /proc/1235 is owned by user apache, its own subdirectory /proc/1235/fd is owned by root. I have no explanation why that happens; I am expecting different behavior here.

/proc/1234 <- parent ID, owned by root
/proc/1235 <- child of 1234, owned by apache
/proc/1235/fd <- owned by root, not accessible even by the process 1235 itself!

Perhaps the way how apache changes its owner from root to 'apache' for all the child processes is somehow incorrect.

Anyway, my question remains for somebody who understands the /proc source code: where should I look in order to change the permissions of the 'fd' directory or the owner of the 'fd' directory to something reasonable, so apache (or even EVERYBODY) can access it? I am willing to patch the kernel for this, since there is just the webserver on the machine and I don't really care if an 'untrusted' user can see open files of other users.

Thank you

Tomas M



On 25.6.2011 23:01, Sean Ryle wrote:
> Hi Tomas.
>
> As far as I understand, the /proc file entry ownership is inherited from the parent who forked the process.  Therefore, if apache was started by root, the /proc entries for the child processes will be owned by root.  One way around this would be to be sure the apache user is the one forking the startup of apache.  You could confirm this by stopping apache, su to the apache user and start apache.  Then look at the entries in /proc; I believe they will then be owned by Apache (it works this way on my machine, and as best I know all Linux machines I have ever had the need to review the /proc fs on).
>
> Curiously, what are you trying to accomplish with this php script?  There might be easier, or at least, other, ways to do this without patching your kernel (which seems a drastic step for something like this if you ask me).
>
> 2011/6/25 Tomas M <tomas@xxxxxxxx>
>
>     I'm trying to list all opened fd (file descriptors) through /proc by apache, using the following method:
>
>     - in apache process (php script), traverse /proc entries for all processes owned by 'apache' user
>     - find out all 'fd' directories and list all symlinks in there
>     - use that data to find out all files opened by apache
>
>     My problem is that I can't do that as the apache user, the directory /proc/1234/fd/ is owned by root even if the process 1234 is apache (and runs under 'apache' user and 'apache' group).
>
>     Is this a bug in /proc filesystem? Or is there a functionality in kernel made for apache so it is able to somehow modify 'fd' directory in proc to not be owned by apache but by root instead?
>
>     I am willing to patch kernel sources in /fs/proc/* in order to get a better behavior; would anybody please suggest what function in the kernel's proc sources to modify in order to either force the apache owner for the 'fd' directory or to make it 'executable by all' so I could list the links in there even without the need to be root?
>
>     Thank you very much
>
>     Tomas M
>
>     --
>     To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
>     the body of a message to majordomo@xxxxxxxxxxxxxxx
>     More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>

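The ownership pattern Tomas describes (/proc/1235 owned by apache, /proc/1235/fd owned by root) is not a bug but the kernel's "dumpable" rule, and the program below is an added example (written for this archive page, not code from the thread or from Apache) that demonstrates it: the world-readable /proc/<pid> directory always carries the task's effective uid, while fd and the other per-process entries carry it only while the task is dumpable; a setuid() away from root clears that flag, and prctl(PR_SET_DUMPABLE, 1) after the drop restores the expected owner. Assumptions: Linux with /proc mounted, the kernel logic as found in fs/proc/base.c (pid_revalidate() in kernels of this era, task_dump_owner() in current ones), and uid/gid 65534 as the unprivileged account for the root-only fork demo.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Owner uid of /proc/<pid>/<entry>; (uid_t)-1 if it cannot be stat()ed. */
static uid_t proc_entry_owner(pid_t pid, const char *entry)
{
    char path[64];
    struct stat st;

    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, entry);
    if (stat(path, &st) != 0)
        return (uid_t)-1;
    return st.st_uid;
}

/*
 * The kernel's rule (fs/proc/base.c): the 0555 /proc/<pid> directory is
 * always labelled with the task's effective uid, but fd, environ, maps,
 * etc. are labelled with it only while the task is dumpable
 * (PR_GET_DUMPABLE == 1).  setuid() away from root clears that flag,
 * so those entries fall back to root: "/proc/1235 = apache,
 * /proc/1235/fd = root" from the thread.
 */
static uid_t expected_fd_owner_for_self(void)
{
    int dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);

    if (dumpable < 0)
        return (uid_t)-1;
    return dumpable == 1 ? geteuid() : 0;
}

/* 1 if the rule holds for this process, 0 if not, -1 if /proc is unusable. */
static int self_fd_owner_follows_rule(void)
{
    uid_t seen = proc_entry_owner(getpid(), "fd");

    if (seen == (uid_t)-1)
        return -1;
    return seen == expected_fd_owner_for_self();
}

/*
 * Root-only demo: fork, drop the child to uid/gid the way a daemon does,
 * optionally re-enable dumpable afterwards, and report who owns the
 * child's /proc/<pid>/fd.  Returns (uid_t)-1 when not root or on error.
 */
static uid_t fd_owner_after_drop(uid_t uid, gid_t gid, int restore_dumpable)
{
    int ready[2], release[2];
    char byte = 0;
    ssize_t n;
    pid_t child;
    uid_t owner = (uid_t)-1;

    if (geteuid() != 0 || pipe(ready) != 0 || pipe(release) != 0)
        return (uid_t)-1;
    child = fork();
    if (child < 0)
        return (uid_t)-1;
    if (child == 0) {
        close(ready[0]); close(release[1]);
        /* Usual drop order: supplementary groups, gid, then uid. */
        if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
            _exit(1);
        /* The fix: declare ourselves dumpable again so /proc/<pid>/* is
         * labelled with the new uid.  The daemon has to do this itself. */
        if (restore_dumpable && prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
            _exit(1);
        if (write(ready[1], &byte, 1) != 1)
            _exit(1);
        n = read(release[0], &byte, 1);   /* block until parent has looked */
        _exit(n == 1 ? 0 : 1);
    }
    close(ready[1]); close(release[0]);   /* so EOF arrives if child dies */
    if (read(ready[0], &byte, 1) == 1)
        owner = proc_entry_owner(child, "fd");
    n = write(release[1], &byte, 1);
    (void)n;
    waitpid(child, NULL, 0);
    close(ready[0]); close(release[1]);
    return owner;
}

int main(void)
{
    const uid_t drop_uid = 65534;   /* "nobody" on many distros: assumption */
    const gid_t drop_gid = 65534;
    int ok = self_fd_owner_follows_rule();

    printf("this process (euid %u): rule %s\n", (unsigned)geteuid(),
           ok == 1 ? "holds" : ok == 0 ? "VIOLATED" : "untestable, no /proc");
    if (geteuid() != 0) {
        puts("run as root to see the setuid demonstration");
        return 0;
    }
    printf("after setuid(%u):                   fd owned by uid %d\n",
           (unsigned)drop_uid, (int)fd_owner_after_drop(drop_uid, drop_gid, 0));
    printf("after setuid(%u) + PR_SET_DUMPABLE: fd owned by uid %d\n",
           (unsigned)drop_uid, (int)fd_owner_after_drop(drop_uid, drop_gid, 1));
    return 0;
}
```

Compile with cc -o procfd procfd.c and run it once as a normal user and once as root. The caveat a practitioner should weigh before copying the fix: a process that has dropped from root may still hold descriptors it acquired while privileged (the port-80 listening socket, key or log files opened as root), and the root ownership of fd, environ and friends is exactly what stops same-uid processes from inspecting them; PR_SET_DUMPABLE=1 also re-enables core dumps and same-uid ptrace. Patching the kernel to make fd world-listable, as proposed in the thread, would expose every user's open files to every other user and is the worse of the two options.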