Quote:
Originally Posted by otie
I'm assuming that one major key is that there be no input or output in the final exec.
It also seems that the final process has to belong to a user different from the one who owns the socket.
|
When a process -- in your case, the PHP script -- creates another process, they will belong to the same
process group (aka
session) by default. Each process group has a
leader process, which also identifies the group. (The process group ID is the process ID of the leader.)
Signals can be sent to either individual processes, or entire process groups. For example, if you run programs in a terminal, and close the terminal, the terminal kills the entire process group. (That's why the programs are killed when you close the terminal.)
This is intentional, and very useful.
A process can detach itself from any group simply by starting a new one. If it calls
setsid it will become the leader of a new group, unless it is already a leader. To make sure, programs
fork first, and shell scripts do it in a
subshell in the background; these are equivalent, and allow the original process to exit immediately.
There are also a few signals that are transferred through the
virtual terminal (aka
tty); for example,
STOP and
CONT which are used to pause and continue a process.
Redirecting standard input, output and error to /dev/null just makes sure the process is not connected to any virtual terminal.
If a process does all three of the above (fork/subshell, new session, close input/output/error), it will detach from its parent process fully, and keep running independently of the parent. This is how a process becomes a
daemon.
If you only do the above partially, many different kinds of side effects may happen, depending on the situation details. In some cases they are very useful, often they just cause unwanted problems (like yours).
The reason for having the recording processes run as some other user than the www server is robustness and security. If they run as the same user, the www server is completely free to do anything to the recording processes -- it can, for example, send signals via
posix_kill() in PHP; for example to kill any recording process. Having the recording processes run as a different user makes it easy to limit the actions the www server is allowed to do, and also makes it much more unlikely any programming bugs in the www pages cause harm to the recording processes. For example, sending signals no longer works. As you saw, with sudo the needed access grant is just a single line in the /etc/sudoers file, so it's not that much of added complexity.
(It is also possible to use a control program with
setuid or
setgid flag set for the file, so that it will be automatically granted the new user account by the kernel, but these kinds of programs are very easy to exploit, unless written extremely defensively. And for scripts, the bits do not really work, not reliably at least. I recommend the sudo approach, since it also allows logging each access and transition securely.)
I tried to look for a good resource in both the Unix philosophy for you to check out -- specifically, how to design tools and daemons that do one thing well, then build robust systems on top of those; and on service (daemon) programming --, but there's so much on the web it'd take hours to check which ones are really good. However, there is an old article in the LinuxJournal:
Linux Network Programming, part 2 which is oriented towards writing network service daemons, but has a very good overview and some useful background. And it's not very long.
Hope this helps,
Nominal Animal