Trouble using a snap application from a web page via Apache


I need to collect the output from a snap application (“pdftk”) for use on a web page accessed via the Apache web server on Fedora Linux. The first problem is that the snap always executes as user “apache”. I created a C language wrapper executable with the setuid bit set which executes /var/lib/snapd/snap/bin/pdftk via the “system” system call. The wrapper works from the shell, but when invoked via a PHP script from the Apache server, the wrapper executes as expected with the correct effective UID, but snap still complains about not being able to create the user data directory in the apache user’s home directory (/usr/share/httpd/snap/pdftk/9) rather than the home directory of the wrapper’s owner (me). I tried setting the HOME environment variable explicitly to my home directory before invoking pdftk, but snap still uses the apache user home directory, so it is evidently still executing as user apache rather than the effective UID of the wrapper.

Then I tried creating a “snap” directory in the apache user home directory (/usr/share/httpd) and the pdftk and pdftk/9 directories get created as expected. However, snap then complained:

cmd_run.go:884: WARNING: cannot create user data directory: failed to verify SELinux context of /usr/share/httpd/snap: exec: "matchpathcon": executable file not found in $PATH
cannot create user data directory: /usr/share/httpd/snap/pdftk/9: Read-only file system

So I added /usr/sbin to the PATH environment variable for “matchpathcon” and this cmd_run.go error goes away, but I’m still left with “cannot create user data directory: /usr/share/httpd/snap/pdftk/9: Read-only file system”. This is a bit misleading because the snap/pdftk and snap/pdftk/9 directories have actually been created by (and are writable by) user apache, so the /usr/share/httpd/snap directory is not read-only to apache.

I stumbled onto snap when I found pdftk to do the PDF file manipulation I need, so I’m a newbie. I haven’t found any native pdftk installer available for the current release of Fedora, so I seem to be stuck trying to work around these snap problems.

So the questions I have are 1) why is the setuid wrapper not enabling pdftk to run as me rather than user apache; 2) why is snap complaining about a read-only directory that it has already written to in order to create the sub-directories; 3) is there a way to generate any debugging output when running a snap application?

I have looked at a similar report with Ubuntu and a different snap, but the workaround was to disable SELinux rather than simply add /usr/sbin to the PATH so that the matchpathcon program can be found. While that resolves the SELinux error message, it doesn’t address the read-only directory problem.

Thanks in advance for any insights or guidance on where to look next.
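An added example, not code from the post above: the setuid bit changes only the effective UID, so getuid() still reports the invoking user (apache), and bash, which system() starts on Fedora, resets an effective UID that differs from the real one. The wrapper below copies the effective UID into the real UID and execs the pdftk path from the question directly with a small fixed environment; the helper names and the PATH value are my own choices.

```c
/* Added example (not from the post): setuid wrapper that makes the real UID
 * match the effective UID and execs the target directly, without a shell. */
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define TARGET "/var/lib/snapd/snap/bin/pdftk"   /* path from the question */

/* The setuid bit changes only the effective UID; getuid() still reports the
 * invoking user (apache), and bash drops an effective UID that differs from
 * the real one.  Copy the effective UID into the real UID.  0 on success. */
int sync_real_uid_to_effective(void)
{
    uid_t e = geteuid();
    if (setreuid(e, e) != 0)
        return -1;
    return (getuid() == e && geteuid() == e) ? 0 : -1;
}

/* Fixed environment for the child instead of the web server's: HOME and USER
 * from the effective user's passwd entry, PATH with /usr/sbin (matchpathcon).
 * Returns a NULL-terminated array, or NULL if the user cannot be looked up. */
char **build_child_env(uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    if (!pw || !pw->pw_dir || !pw->pw_name)
        return NULL;
    char **env = calloc(4, sizeof *env);     /* env[3] stays NULL */
    size_t hl = strlen(pw->pw_dir) + 6, ul = strlen(pw->pw_name) + 6;
    if (!env || !(env[0] = malloc(40)) || !(env[1] = malloc(hl)) ||
        !(env[2] = malloc(ul)))
        return NULL;
    snprintf(env[0], 40, "%s", "PATH=/usr/local/bin:/usr/bin:/usr/sbin");
    snprintf(env[1], hl, "HOME=%s", pw->pw_dir);
    snprintf(env[2], ul, "USER=%s", pw->pw_name);
    return env;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (sync_real_uid_to_effective() != 0) { perror("setreuid"); return 1; }
    char **env = build_child_env(geteuid());
    if (!env) { fputs("cannot look up effective user\n", stderr); return 1; }
    argv[0] = TARGET;                      /* pass the caller's arguments through */
    execve(TARGET, argv, env);
    perror("execve");                      /* reached only if exec failed */
    return 1;
}
```

The wrapper passes the web script's arguments straight through, so whatever the PHP side is allowed to hand it, pdftk will run with as the wrapper's owner.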