Why am I getting a SegFault when I call pdftk from PHP/Apache but not PHP/CLI or directly

Question

When I call /usr/local/bin/pdftk from PHP in Apache (via shell_exec(), exec(), system(), etc.), it returns the SYNOPSIS message as expected.

When I call /usr/local/bin/pdftk input.pdf fill_form input.fdf output output.pdf flatten via shell_exec(), nothing returns.

When I copy and paste the exact same string to the same path in the shell (as the apache user), the output.pdf file is generated as expected.

Moving the pdftk command into a PHP shell script (shebang is #!/usr/bin/php) and executing it with php script.php works perfectly.

Calling that shell script (with its stderr redirected to stdout) from PHP in Apache (via shell_exec(script.php);) results in this line:

sh: line 1: 32547 Segmentation fault      /usr/local/bin/pdftk input.pdf fill_form input.fdf output output.pdf flatten 2>&1

Whenever I run the script from the command line (via PHP or directly), it works fine. Whenever I run the script through PHP via Apache, it either fails without any notification or gives the SegFault listed above.

It's PHP 4.3.9 on RHEL4. Please don't shoot me. I've set memory to 512M with ini_set() and made sure that the apache user had read/write to all paths (with fopen()) and by logging in as apache ...

Just went and checked /var/log/messages to find this:

Oct  4 21:17:58 discovery kernel: audit(1286241478.692:1764638):  
    avc:  denied  { read } for  pid=32627 comm="pdftk" name="zero"
    dev=tmpfs ino=2161 scontext=root:system_r:httpd_sys_script_t
    tcontext=system_u:object_r:zero_device_t tclass=chr_file

NOTE: Disabling SELinux "fixed" the problem. Has this moved into a ServerFault question? Can anybody give me the 30 second SELinux access controls primer here?

Answer 1

php-cli & php-cgi (or the module, depends on what your server uses) are different binaries. They don't even have to share the same version to live happily side by side on your server. They also may not share the same configuration. Increasing memory usually does nothing to help Segfaults. Points to check:

1. Are they the same version?
2. Do they have the same settings (consult the *.ini locations loaded in the phpinfo(); output, and possibly the whole output itself), if not: try what happens if you alter the one for your webserver to the one for the cli as far as possible.
3. Segfaults occur more in extensions then in the core afaik, and sometimes seemingly unrelated. Try to disable unneeded extensions one by one to see if the problem goes away.
4. Still no success? You may want to run apache with gdb, but I have no experience with that, it might tell you something though.
5. No luck? Recompile either the module of cgi your webserver uses.

It's PHP 4.3.9 on RHEL4. Please don't shoot me.

I feel more sad for you then anger, we're beyond the 5.3 mark, come over, it's a lot more happy here.