Score:0

Unable to List Contents or Create Files in /var/tmp Folder from PHP Executed Bash Script


I have posted the question here as well

Objective: I want to trigger a webhook on a private Linux machine (it's a local system not connected to the internet) which can delete the spool data generated by the CUPS server in the /var/tmp folder.

To achieve this

Approach 1: I first checked the default CUPS configuration files and edited them. Lines like, in /etc/cups/cupsd.conf:

PreserveJobFiles No

and in /etc/cups/cups-files.conf:

RequestRoot /var/tmp

I thought changing PreserveJobFiles to No would automatically delete the CUPS spool files once the printing is finished.

Well, Approach 1 didn't work, so I tried Approach 2.

Approach 2: I have an Ubuntu 22.04 machine with Apache and PHP installed. I have set up a new virtual host, "example.io", with the DocumentRoot set to /var/www/example.io/

Within this directory, I have an index.php file that successfully serves content to the web browser.

From this index.php file, I am calling a bash script located in my home directory. The bash script contains the following commands:

#!/bin/bash

echo "Hello, I am above the ls command"
ls /var/tmp/

echo "Hello, I am below the ls command"
touch example.txt

rm -rf /var/tmp/cn*

echo "I am below the touch command"

The bash script is being executed, and I can see the output on the web browser for the echo statements. However, I am unable to list the contents of the /var/tmp folder or create a file within it.

Here are the changes I have tried, but none have resolved the issue:

  1. I have tried using both relative and absolute paths for ls & touch in the bash script.

  2. I added the "www-data" user to the sudoers file under the "%sudo" line.

     www-data ALL=(ALL) NOPASSWD: /home/example/script.sh
     www-data ALL=(ALL) NOPASSWD: /var/tmp

  3. I changed the ownership of the bash script to the "www-data" user.

     drwxrwxrwx  5 www-data www-data    6 Jun  6 08:39 script.sh

  4. I changed the permissions of the /var/tmp folder to be accessible by the "www-data" user.

     drwxrwxrwt  5 www-data www-data    6 Jun  6 08:39 tmp

  5. I removed the sticky bit from the /var/tmp folder and set its permissions to 777.

     drwxrwxrwx  5 www-data www-data    6 Jun  6 08:39 tmp

I granted full permissions to the bash script and its parent directory.

When I check from the command line, I am able to list and create files in /var/tmp as the www-data user, like:

root@cups-lxc-at-ct:~/instantpost# sudo -u www-data touch /var/tmp/cnijb
root@cups-lxc-at-ct:~/instantpost# sudo -u www-data ls /var/tmp
cnijb
systemd-private-329d46999f134f4a9470ce054ae837e9-apache2.service-iHoe2E
systemd-private-329d46999f134f4a9470ce054ae837e9-systemd-logind.service-lGcUhs
systemd-private-329d46999f134f4a9470ce054ae837e9-systemd-resolved.service-Rqvc7r

The ACL on /var/tmp is:

root@cups-lxc-at-ct:~/instantpost# getfacl /var/tmp
getfacl: Removing leading '/' from absolute path names
# file: var/tmp
# owner: root
# group: root
# flags: --t
user::rwx
group::rwx
other::rwx

I checked AppArmor:

sudo apparmor_status

I got this output:

root@cups-machine:~# sudo apparmor_status
apparmor module is loaded.
11 profiles are loaded.
11 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

=> Interestingly, I have tested the same method with different folders, e.g. /usr, /usr/example, /tmp/example, /home/example, etc., and it worked successfully.

I am struggling to understand why I am encountering this issue specifically with the default /var/tmp folder. Any insights or suggestions would be greatly appreciated.

Marco: Is `/var` or `/var/tmp` part of the root filesystem, or is `/var` or `/var/tmp` its own mount? Check mount options.

Marco: Besides this, your bash script opens some security problems. You use a wildcard without correct quoting for files which can be written by any user.

Sheikh Muhammed Tadeeb: Yes, /var/tmp is part of the filesystem.

Kamil Maciorowski: Please [do not cross-post](https://meta.stackexchange.com/a/64069/355310).
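The asker's own `ls /var/tmp` output contains a `systemd-private-...-apache2.service-...` entry. That is the directory layout systemd creates for a unit with `PrivateTmp=` enabled (Debian and Ubuntu ship `apache2.service` with it turned on): inside that unit's mount namespace the `tmp` subdirectory of that entry is bind-mounted over `/tmp` and `/var/tmp`, so a script spawned from PHP sees an empty private copy of `/var/tmp`, while a shell on the host sees the real directory, and no amount of chmod, sudoers or AppArmor work on the host directory changes what the service sees. The script below is an added example written for this page; it is not the asker's script and not part of CUPS, Apache or systemd. It does two things: it parses a process's `/proc/<pid>/mountinfo` to show which `/var/tmp` that process actually has (the "check mount options" suggestion in the comments), and it replaces the unquoted `rm -rf /var/tmp/cn*` with a `find` that removes only regular files directly inside the spool directory, which addresses the wildcard concern in the comments. The `pidof apache2` wrapper assumes a live host; the sample mountinfo lines mentioned in the comments are constructed.

```shell
#!/bin/bash
# Added example, not code from the question. Assumes a systemd host where the
# service has PrivateTmp= enabled, which bind-mounts
# /var/tmp/systemd-private-<bootid>-<unit>-<random>/tmp over /var/tmp inside
# the service's mount namespace.

# Print "<mount point> <root inside the filesystem>" for every mount of /tmp or
# /var/tmp listed in a mountinfo file. In /proc/<pid>/mountinfo field 4 is the
# root of the mount inside its filesystem and field 5 is the mount point; a root
# under a systemd-private-* directory means the process sees a private copy.
tmp_mounts_in() {
    awk '$5 == "/tmp" || $5 == "/var/tmp" { print $5, $4 }' "$1"
}

# Return 0 if the mountinfo file shows a per-service private /var/tmp.
has_private_var_tmp() {
    tmp_mounts_in "$1" |
        awk '$1 == "/var/tmp" && $2 ~ /systemd-private-/ { found = 1 }
             END { exit (found ? 0 : 1) }'
}

# Same check for a live process: has_private_var_tmp_pid <pid>
has_private_var_tmp_pid() {
    has_private_var_tmp "/proc/$1/mountinfo"
}

# Remove regular files named cn* that sit directly inside a spool directory.
# - no shell glob: nothing is expanded into rm's argument list, and a directory
#   without matching files is not an error
# - -maxdepth 1 and -type f: subdirectories, symlinks and whatever a symlink
#   points at are left alone (find does not follow symlinks unless -L is given)
# - optional owner filter ($2) restricts deletion to one user's leftovers
cleanup_spool() {
    local dir=$1 owner=${2:-}
    [ -d "$dir" ] || return 1
    if [ -n "$owner" ]; then
        find "$dir" -maxdepth 1 -type f -user "$owner" -name 'cn*' -delete
    else
        find "$dir" -maxdepth 1 -type f -name 'cn*' -delete
    fi
}

# Stand-alone usage on the affected host (assumed unit name and PID lookup):
#   if has_private_var_tmp_pid "$(pidof -s apache2)"; then
#       echo "apache2 sees a private /var/tmp; on the host its files live under"
#       echo "/var/tmp/systemd-private-*-apache2.service-*/tmp"
#   fi
#   cleanup_spool /var/tmp lp
```

Run the first check against the PID of the Apache worker that executes the PHP script, not against your own shell: `/proc/self/mountinfo` describes the host namespace, which is exactly why the manual `sudo -u www-data ls /var/tmp` test succeeds while the same command from PHP does not. If the private mount is confirmed, the CUPS spool the script is meant to clean lives in the host's `/var/tmp`, and the cleanup must run in that namespace (or against the host-side path), regardless of ownership or ACL settings.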