ST - Internals - Flow of Control

Here's an overview of the flow of control in ST programs (both command line and CGI).

Source

The software is xhier'd, the original residing in

capo.private:/software/rt-math-1/
with the one C source file in
capo.private:/source/rt-math-1/

st-suid-perl

In general, any setuid programs (including the CGI) are invoked indirectly by
/software/rt-math-1/servers/st-suid-perl{,_beta,_debug}

It's the only ST program that has source (being written in C). And it's the only setuid program. It exists primarily to avoid having to run setuid Perl programs directly (Perl can do that, apparently safely; however, it requires an extra module we'd rather not bother with). It uses the name it's invoked by to determine what to run. It's used by making a symbolic link to it with the name of the program to be run.

It's setuid root so that it can assume the groups of the userid that the resulting program is intended to run as (userid "rt", for historical reasons). That allows groups to provide some needed access for "rt". As of 2015 that's cscf-abs and www_cf. Group "cscf-abs" provides access to the CSCF absences data. ST #100125 reveals why:

Added userids "rt" and "www-data" to a new group "cscf-abs" to provide access to both ST and the absences data for the gadget that publishes time worked stats.

Group "www_cf" provides access to pages intended for CSCF/MFCF staff only. When ST needs this is lost in time.

After group memberships are set, it switches to userid "rt". Even if root runs any of the ST programs, they will switch to userid "rt" (saying that they did so).

st-mux

/software/rt-math-1/servers/st-suid-perl{,_beta,_debug}

invokes the corresponding

/software/rt-math-1/servers/st-mux{,_beta,_debug}

It runs &st::ui::startup, and based upon the name it was invoked by, knows how to start that particular program. So none of the setuid programs are standalone.
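
An added example, not the actual st-suid-perl source, of a setuid-root wrapper doing what the two sections above describe: take on the groups of "rt", switch to "rt" irreversibly, then exec the matching st-mux. The userid "rt" and the servers directory are from this page; choosing the st-mux variant by name suffix, the environment allowlist and the fixed PATH are assumptions.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
extern char **environ;
#define MUX_DIR "/software/rt-math-1/servers/"   /* directory named on the page */

/* Choose the st-mux variant from the invoked name (assumed: by name suffix). */
const char *mux_for(const char *argv0) {
    const char *base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;
    size_t n = strlen(base);
    if (n == 0 || strspn(base, "abcdefghijklmnopqrstuvwxyz0123456789_-") != n)
        return NULL;                         /* unexpected argv[0]: refuse */
    if (n > 6 && strcmp(base + n - 6, "_debug") == 0) return MUX_DIR "st-mux_debug";
    if (n > 5 && strcmp(base + n - 5, "_beta") == 0) return MUX_DIR "st-mux_beta";
    return MUX_DIR "st-mux";
}

/* Allowlist (assumed set) so PERL5LIB, PERL5OPT, LD_PRELOAD etc. are dropped. */
int env_ok(const char *kv) {
    static const char *keep[] = { "QUERY_STRING=", "REQUEST_METHOD=", "CONTENT_TYPE=",
                                  "CONTENT_LENGTH=", "REMOTE_USER=", "TERM=", NULL };
    for (int i = 0; keep[i]; i++)
        if (strncmp(kv, keep[i], strlen(keep[i])) == 0) return 1;
    return 0;
}

/* Groups first (needs root), then gid, then uid; then prove root is gone. */
int become(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (!pw || pw->pw_uid == 0 || initgroups(user, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;
}

int main(int argc, char **argv) {
    char *env[64] = { "PATH=/usr/bin:/bin" };   /* fixed PATH, never the caller's */
    int n = 1;
    const char *mux = argc > 0 ? mux_for(argv[0]) : NULL;
    if (!mux || become("rt") != 0) { fputs("wrapper: refused\n", stderr); return 1; }
    for (char **e = environ; *e && n < 63; e++)
        if (env_ok(*e)) env[n++] = *e;
    env[n] = NULL;
    execve(mux, argv, env);                  /* argv passed through unchanged (assumed) */
    perror("execve");
    return 1;
}
```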

CGI

The invocation of the CGI is different on www.cs and www.math (sigh). The difference is in whether WWW server configuration is employed to find the CGI.

www.cs

The URL to use is

https://cs.uwaterloo.ca/cscf/internal/request{,_beta,_debug}

Those are /bin/sh scripts that invoke the appropriate

/software/rt-math-1/servers/st-suid-perl{,_beta,_debug}

using

/software/mfcf-misc/bin/execshell

to do so.

www.math

The URL to use is

https://www.math.uwaterloo.ca/mfcf/help/request{,_beta,_debug}

Those are defined in the WWW server configuration to map to

/software/rt-math-1/data/cgi-bin/request{,_beta,_debug}
which are symbolic links to the appropriate
/software/rt-math-1/servers/st-suid-perl{,_beta,_debug}