Software, technology, sysadmin war stories, and more.
Tuesday, July 24, 2012

X11 in the serving path of a CGI program

I love telling stories about strange things that I have worked on over the years. One of them is from my days when we had a whole bunch of people working on web pages for individual schools, a lot of time on our hands, but not a whole lot of money. We made things work with the available free software and our own programming skills.

The situation in this case involved a new design our new webmaster had created. He had a relatively complicated scheme with a top banner and buttons down the side. It was all a bunch of images using tables since that's how things worked back then. I think CSS 1 had barely come out at the time, and CSS 2 was still in the works.

Anyway, the site's design had these buttons down the left-hand side for navigation. Since it was all a bunch of images, it's not like now where you can just put real text in a page and it will turn into a nice button type thing. As a result, every one of these images had to be created by hand in that horribly named graphics program the GIMP.

Well, after doing this for a while, he decided to automate it by using some scripting. There was some kind of scripting mechanism built into the program which already did some of the work, so he just extended it to take a short string and then dump out an image. This worked pretty nicely.

Of course, the problem of having users bug him (or me) for buttons still existed, even though all he had to do was run a script. We talked about this for a bit and decided it was time to see if we could get it to be a self-service web site for our users. It was easy enough to collect a string from them and feed it to the script, but there was a catch. Being an X program, it wanted to see an X server. Our web server was headless and did not have any X sessions running normally. The security implications of having an X server binary running suid root (for raw hardware access to the video card) which was also accessible to anyone who broke into Apache were also pretty bad.

What to do, what to do.

I forget how we found this, but I wound up installing this "virtual frame buffer" X server called Xvfb which doesn't need a real video card. It provides enough of a fake X environment to let programs start up, so we pointed gimp at that instead. That let it come up, run the script, write a file, and shut down without dying. It never actually did anything meaningful with the GUI in script mode, so routing it to a "bit bucket" X session was just fine.

It was pretty strange, but it did work. It didn't stick around forever, so I can't say I had the privilege of leaving it behind for a future admin to find and boggle over. We eventually moved on to a site design which didn't require such buttons, and so it was shut down.

Still, I know that there are still people in the world who are running programs using headless X servers just to render stuff. It's usually code written by people who are long gone, and which won't even compile any more. If they lose the binaries, they have to start from scratch.

If you spot something which installs KDE and Qt packages on machines which never run X (and never have monitors attached, for that matter), it's a good bet you have something like this lurking at your company.

These hacks tend to get around.