Apache stuff

All comments, suggestions etc. are welcome. Please contact me at wf-hp@gmx.net.

sudo from PHP not working with apache 2.4

Probably due to the abolition of safe_mode, calling programs with sudo stopped working. In my case I was calling shell scripts for postfixadmin to create and delete domains and mailboxes.
The error I got in Apache's error.log was:
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted

The interesting thing was that I didn't find anything on Google, just some old hits from years ago. Either the problem is only occurring here or nobody is using postfixadmin.

Just to make sure the script was still working (like it has been for years) I did a su - www-data and ran the script - success.
Then to rule out problems with the script in connection with sudo I ran the script from the command line as root with sudo -c vmail SCRIPT - worked as well. So I was sure it was only a problem between apache, php and sudo (confirming what I guessed from the above quoted error in the logs).

So I had to find alternative ways to create and delete domains and mailboxes.
First I tried setting the suid bit on the shell scripts. This was not successful because - as I found out then - the suid bit is ignored for shell scripts.
The next idea was to use suPHP - to no avail because it is not available for anything later than Apache 2.2.
So finally the only way was to write a wrapper and set the suid bit there, so the shell script would actually be run by user vmail (as necessary in my setup, your mileage may vary).

I use one of the four scripts as an example and go through all necessary steps; for the others only the filenames have to be changed.
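Wrapper script
$ vi wrapper-postfixadmin-mailbox-postcreation.c
#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    if (argc != 4) {   /* the script is called with exactly three arguments */
        fprintf(stderr, "usage: %s ARG1 ARG2 ARG3\n", argv[0]);
        return 1;
    }
    /* Run the script directly with the three arguments; no shell re-parses them. */
    execl("./postfixadmin-mailbox-postcreation.sh", "postfixadmin-mailbox-postcreation.sh",
          argv[1], argv[2], argv[3], (char *)NULL);
    perror("execl");   /* only reached if the script could not be started */
    return 1;
}
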
$ gcc wrapper-postfixadmin-mailbox-postcreation.c -o wrapper-postfixadmin-mailbox-postcreation

Now you have to set the ownership of the wrapper file to the user that needs to create the maildir directories according to your mailserver setup, so e-mails can be delivered into those maildir directories. In my case this was user vmail (so before, the script was called as sudo -u vmail ... in /etc/postfixadmin/config.inc.php).
The other thing you have to consider is that the user running the webserver (here on Debian www-data) needs execute permissions on the wrapper. My www-data is in the group vmail, so I run (as root)
# chown vmail:vmail wrapper-postfixadmin-mailbox-postcreation

Then we set the suid bit
# chmod 4750 wrapper-postfixadmin-mailbox-postcreation

The last thing is to configure the correct program names in /etc/postfixadmin/config.inc.php

After you have repeated these steps for all four scripts (create/delete domain/mailbox) everything should be working again.
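
A hardened variant of the suid wrapper described above, as an added example that is not the author's code. It goes beyond the page's wrapper by validating the three arguments, starting the script with a fixed environment, and setting the real IDs to the effective ones. The absolute SCRIPT path and the allowed character set are assumptions to adjust to the local setup.

```c
#define _XOPEN_SOURCE 700   /* declares setreuid()/setregid() */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed absolute location of the script; a relative path would depend on the caller's cwd. */
#define SCRIPT "/usr/local/bin/postfixadmin-mailbox-postcreation.sh"

/* Assumed whitelist: characters a mail address or maildir path needs.
   Rejects empty values, a leading '-' (read as an option) and ".." (path traversal). */
int arg_ok(const char *s)
{
    size_t i, n = strlen(s);
    if (n == 0 || n > 255 || s[0] == '-' || strstr(s, "..") != NULL)
        return 0;
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && strchr("@._-/+", s[i]) == NULL)
            return 0;
    return 1;
}

/* Return 1 only if exactly three arguments are present and all pass arg_ok(). */
int args_ok(int argc, char *argv[])
{
    return argc == 4 && arg_ok(argv[1]) && arg_ok(argv[2]) && arg_ok(argv[3]);
}

int main(int argc, char *argv[])
{
    /* Fixed, minimal environment: nothing set by the web server process reaches the script. */
    char *envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

    if (!args_ok(argc, argv)) {
        fprintf(stderr, "wrapper: rejected arguments\n");
        return 1;
    }
    /* The suid bit only changes the effective UID. Make the real IDs match, so a
       shell that resets euid to ruid still runs the script as the file owner. */
    if (setregid(getegid(), getegid()) != 0 || setreuid(geteuid(), geteuid()) != 0) {
        perror("wrapper: set ids");
        return 1;
    }
    execle(SCRIPT, SCRIPT, argv[1], argv[2], argv[3], (char *)NULL, envp);
    perror("wrapper: execle");   /* only reached if the exec failed */
    return 1;
}
```

It is built and installed with the same gcc, chown and chmod 4750 steps as above.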

Written 2016-09-13 - last update 2016-10-8