Command executed in PHP with Centos7 and Apache isn't able to connect to network?

Question

I'm debugging my PHP app on CentOS7 using Apache. My application is a Web GUI to manage the Torque batch system and I used the qmgr, which is a command line tool provided by Torque to do the management work.

Because only the root user can execute the qmgr and the Apache server cannot be running as root user, I have written a C program as a wrapper for anyone to execute commands as root user.

But the PHP application always give the following output:

 socket_connect_unix failed: 15137
 qmgr: cannot connect to server  (errno=15137) could not connect to trqauthd

This means the PHP app cannot raise a socket connection to connect the Torque server.

Here is some additional information:

1. The command called by the PHP application can be executed correctly in the shell
2. The same PHP app can be executed correctly on a CentOS6 server with Apache
3. SELinux and the firewall are disabled
4. I have tried the two versions (5.1 and 4.10) of Torque, the result is the same
5. Apache and PHP are used with the default RPM's of CentOS7.

I thought there are some new security limits that maybe influence Apache on the CentOS7 server.

Please give me some suggestions, thank you!

Answer 1

This really helped me!

I have been struggling a lot having a php script using exec()-command. For some reason I got permission denied. Having tried vary many things, including running my scripts in shell as the www-data user, but with no success, this was finally the solution to my problem.

BTW, for Ubuntu the apache service config file is located at cat /etc/systemd/system/multi-user.target.wants/apache2.service

Answer 2

I had the exact same problem.

The cause is that newer Apache.httpd versions default to having the systemd property PrivateTmp set to true. This causes the httpd service to see a private /tmp directory that is actually mapped to some other location in the file system, instead of the real /tmp directory. PHP, running in the Apache process, has the same /tmp directory as the Apache service, and so do any processes forked from PHP (e.g. using exec or system etc). So when PHP calls qsub (etc), that too will see the private /tmp directory.

This causes the error you mentioned because qsub internally uses the unix socket /tmp/trqauthd-unix to communicate with trqauthd. But qsub sees the "fake"/private /tmp directory instead of the real one, so it doesn't find the socket.

This explains why the command works when you run it manually in a console--in that case, qsub sees the real /tmp directory, as opposed to the private one it sees when forked from PHP (running the Apache service).

One solution is to simply change the PrivateTmp property in the file httpd.service from true to false. You can find this file under the /etc/systemd directory. The subfolder it is in probably depends on the linux distribution, so use the find command to locate it:

find /etc/systemd -name httpd.service