| Summary: | Start up will fail if Certificate directory is not available to Apache user | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Rob Crittenden <rcritten> |
| Component: | mod_nss | Assignee: | Matthew Harmsen <mharmsen> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 22 | CC: | mharmsen |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-07-19 10:33:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22 Per discussion with rcritten, closing as WONT FIX as this issue is somewhat addressed by the following check-in: * 1e0b460dd697aac3befcfe0721437d3584b8f49d reopening since the fix isn't actually sufficient. It still loops the child processes forever. I think we need to actively check if the apache user can read the NSS databases during the first init so that nss_die() will actually stop the server. Given the certificate database check for cert8.db/key3.db/secmod.db or cert9.db/key4.db depending on the sql: prefix. Add option NSSSkipPermissionCheck on/off to skip this new behavior master: 28283de7ce8557b60d475b0e138d19f3d92f0a2a This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |
Description of problem: As reported in mod_nss mailing list: mod_nss has this code in it: if (chdir(mc->pCertificateDatabase) != 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Unable to change directory to %s", mc->pCertificateDatabase); if (mc->nInitCount == 1) nss_die(); else return; } rv = NSS_Initialize(mc->pCertificateDatabase, mc->pDBPrefix, mc->pDBPrefix, "secmod.db", NSS_INIT_READONLY); Let's say the database is in /root/secure. Apache starts as root during the initial face (nInitCount = 1) so this will succeed. Then it drops root and subsequent chdir's will fail with just a log message. It should probably die here too. I think the intention was that the caller would detect that things had failed, but it doesn't and it continues to do NSS calls which of course fail spectacularly. I think the reason for not calling nss_die() is it just kills that child, which will be re-forked. Rinse and repeat. I'm not entirely sure why I do the chdir at this point from this code snippet.