X11 for apache user

Question

We are using inkscape to convert SVG images uploaded to our server via a web form. For this inkscape offers a batch mode via the -z option, but this batch mode has a flaw: When inkscape is run by the apache user, it breaks saying

$ inkscape -z -W drawing.svg
X11 connection rejected because of wrong authentication.
The application 'inkscape' lost its connection to the display localhost:11.0;
most likely the X server was shut down or you killed/destroyed
the application.

If you do the same as a normal user you also get errors:

Xlib: connection to "localhost:11.0" refused by server
Xlib: PuTTY X11 proxy: MIT-MAGIC-COOKIE-1 data did not match
(inkscape:24050): Gdk-CRITICAL **: gdk_display_list_devices: assertion `GDK_IS_DISPLAY (display)' failed
301.27942

But at least inkscape gives the correct answer (here the number stating the width of the image).

Does somebody know how to make this also work for the apache user? Does it make sense to authorize apache to use X (if so how)? In any case it doesn't feel like the right solution...

PS: inkscape would have been a nice tag, but I can't create it. — fuenfundachtzig, Oct 25 '10 at 13:11
We want the output file to have a fixed size (in pixels) and this is easier with inkscape. The only option ImageMagick offers seems to be `-density` whereas with inkscape you can directly specify the output size. — fuenfundachtzig, Feb 07 '11 at 17:32

score 1 · Accepted Answer · answered Feb 07 '11 at 14:55

This behavior is a recognized bug, let's hope it's gonna be fixed in the next release: https://bugs.launchpad.net/inkscape/+bug/666272

In the meantime, my google-fu suggests to run vnc-server instead of Xvfb. It can run at the same time as your X server. You can run it as apache user, so apache will have no problems displaying X applications on that buffer.

This connection is only password authenticated, so it doesn't matter what user is connecting with vncviewer. Note however that the VNC protocol isn't necessarily safe, so be sure to use it locally only and configure your firewall appropriately.

Start the vnc server as apache user:

vncserver :2 -geometry 1024x768 - This is to be done only once

In the script run by apache, only run the application; don't start any vncserver or vncviewer: DISPLAY=:2.0 inkscape -z -W drawing.svg

Google found the answer here: http://www.linuxquestions.org/questions/programming-9/can-php-script-execute-x11-applications-811779/

Appealing solution. Adding `-localhost` is probably a good thing to do. — fuenfundachtzig, Feb 07 '11 at 17:59

score 0 · Answer 2 · answered Oct 25 '10 at 13:10

0

I've encountered a similar issue, the fix is easy, just run Xvfb as a daemon and configure the Apache user (in its environment or in the startup script) with DISPLAY and the appropriate xauth.

answered Oct 25 '10 at 13:10

Gaius

1,461
1
12
19

I guess that would work even without Xvfb as the "normal-user example" above shows. Only I am unsure about the implications (concerning security) of configuring / allowing Apache to use X. – fuenfundachtzig Oct 25 '10 at 13:16
The security implications are minimal - the only X that Apache can see in this scenario is Xvfb, which is purely in-memory. To all intents and purposes it's the same as sending X traffic /dev/null. FWIW I have deployed apps like this in investment banks. – Gaius Oct 25 '10 at 13:19
2

Ah, the financial crisis :) – fuenfundachtzig Oct 26 '10 at 10:58
I'm skeptical. Xvfb needs to be setuid root, and inkscape is designed as a desktop app and almost certainly has flaws. I'd say that the risk is small due to obscurity -- there won't be script kiddie attacks against this, but you're probably handing root to any dedicated expert attacker. – mattdm Feb 05 '11 at 15:09
Wait, I take it back. That appears to no longer be true with modern Xvfb. Make sure you're using a modern Xvfb. :) – mattdm Feb 05 '11 at 15:14

X11 for apache user

2 Answers2