Bug 1312583

Summary: mod_nss segmentation fault when NSSCertificateDatabase does not have proper permissions

Product: Red Hat Enterprise Linux 7
Component: mod_nss
Version: 7.3
Status: CLOSED ERRATA
Reporter: Robert Bost <rbost>
Assignee: Matthew Harmsen <mharmsen>
QA Contact: Kaleem <ksiddiqu>
CC: lmiksik, mharmsen, nkinder, rcritten, spoore
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: mod_nss-1.0.14-7.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-11-03 21:20:24 UTC

Description Robert Bost 2016-02-27 15:40:10 UTC
Description of problem: If the NSSCertificateDatabase directory is not readable by the httpd user, a segmentation fault occurs during startup. Segmentation faults repeat until httpd is manually stopped.


Version-Release number of selected component (if applicable): mod_nss-1.0.11-6.el7.x86_64


How reproducible: Always


Steps to Reproduce:
1. chmod 0700 /etc/httpd/alias

Actual results:
[Sat Feb 27 10:34:08.466140 2016] [:error] [pid 3035] Unable to change directory to /etc/httpd/alias
[Sat Feb 27 10:34:09.467917 2016] [core:notice] [pid 2968] AH00052: child pid 3035 exit signal Segmentation fault (11)
[Sat Feb 27 10:34:09.468935 2016] [:error] [pid 3037] Unable to change directory to /etc/httpd/alias
[Sat Feb 27 10:34:09.470572 2016] [:error] [pid 3038] Unable to change directory to /etc/httpd/alias
[Sat Feb 27 10:34:10.471622 2016] [core:notice] [pid 2968] AH00052: child pid 3037 exit signal Segmentation fault (11)
[Sat Feb 27 10:34:10.471667 2016] [core:notice] [pid 2968] AH00052: child pid 3038 exit signal Segmentation fault (11)


Expected results: Clean exit with no segmentation fault. I would expect if mod_nss cannot read the NSS DB directory that it would prevent httpd from starting up and state the permissions error.


Additional info:
If NSS DB directory (/etc/httpd/alias) has execute permission but the NSS DB files are not readable there's a different set of errors; see below. If this would need a new bug, let me know and I'll be happy to open it.

[Sat Feb 27 10:37:45.012814 2016] [:error] [pid 3737] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Sat Feb 27 10:37:45.012844 2016] [:error] [pid 3737] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Sat Feb 27 10:37:45.901118 2016] [core:notice] [pid 3586] AH00052: child pid 3737 exit signal Segmentation fault (11)

Comment 2 Matthew Harmsen 2016-02-29 18:11:04 UTC
My suggestion for this bug is to document changing owner/group ownership and permissions in /usr/share/doc/mod_nss-<version>/mod_nss.html whenever a 'certutil -d . -N' is executed.

Comment 3 Rob Crittenden 2016-03-01 16:23:49 UTC
That or we can proactively check for user/group read permissions of the apache user.

Comment 5 Scott Poore 2016-09-21 00:17:52 UTC
What changed here?

I still see segfaults:


[Tue Sep 20 19:07:27.334049 2016] [:error] [pid 12894] Unable to change directory to /etc/httpd/alias
[Tue Sep 20 19:07:27.334068 2016] [:error] [pid 12894] Does the directory exist and do the permissions allow access?
[Tue Sep 20 19:07:28.319846 2016] [core:notice] [pid 12793] AH00052: child pid 12891 exit signal Segmentation fault (11)
[Tue Sep 20 19:07:28.319876 2016] [core:notice] [pid 12793] AH00052: child pid 12892 exit signal Segmentation fault (11)

And I am not finding anything in documentation.

Am I missing something?

Comment 6 Scott Poore 2016-09-21 14:52:45 UTC
Moving bug back to assigned while it is being worked on.

Comment 7 Rob Crittenden 2016-09-21 17:54:54 UTC
The problem was that the files within the certificate database directory were being checked for read access but not the directory itself.

Comment 8 Rob Crittenden 2016-09-21 18:06:08 UTC
Have a patch in hand to address not checking the NSS database directory permissions.
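As an added illustration of the check described in Comments 7 and 8 (read and search access on the database directory itself, alongside the existing per-file read check), here is a stand-alone C program; it is not mod_nss's code or the actual patch. The function names (mode_allows, check_nss_db, demo_scenario), the return codes and the /tmp fixture are assumptions made for this example. It evaluates the mode bits for an explicit (uid, gid) rather than calling access(), because the parent process that parses the configuration runs as root and access() would answer for root, not for the server user.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of the pre-flight check run before NSS_Initialize. */
enum nssdb_check {
    NSSDB_OK = 0,
    NSSDB_MISSING = 1,      /* path absent or not a directory */
    NSSDB_DIR_DENIED = 2,   /* server user cannot read+search the directory */
    NSSDB_FILE_DENIED = 3   /* server user cannot read a database file */
};

/* Nonzero if principal (uid, gid) holds every bit of `want` (an owner-class
 * mask such as S_IRUSR|S_IXUSR) on an object with the given stat fields.
 * Picks the owner, group or other class the way POSIX does. uid 0 is not
 * special-cased: the check models the unprivileged server user. */
int mode_allows(mode_t st_mode, uid_t st_uid, gid_t st_gid,
                uid_t uid, gid_t gid, mode_t want)
{
    mode_t have;
    if (uid == st_uid)
        have = st_mode & S_IRWXU;
    else if (gid == st_gid)
        have = (st_mode & S_IRWXG) << 3;   /* lift group bits to owner position */
    else
        have = (st_mode & S_IRWXO) << 6;   /* lift other bits to owner position */
    return (have & want) == want;
}

/* Directory needs read+search; each legacy database file that exists
 * (cert8.db, key3.db, secmod.db) needs read. Fills errbuf with a message
 * fit for error_log and returns a code so the caller refuses to start. */
int check_nss_db(const char *dir, uid_t uid, gid_t gid, char *errbuf, size_t errlen)
{
    static const char *const files[] = { "cert8.db", "key3.db", "secmod.db" };
    struct stat st;
    char path[PATH_MAX];
    size_t i;

    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) {
        snprintf(errbuf, errlen, "NSS database directory %s does not exist or is not a directory", dir);
        return NSSDB_MISSING;
    }
    if (!mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gid, S_IRUSR | S_IXUSR)) {
        snprintf(errbuf, errlen, "Server user %lu lacks read access to NSS database directory %s",
                 (unsigned long)uid, dir);
        return NSSDB_DIR_DENIED;
    }
    for (i = 0; i < sizeof files / sizeof files[0]; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, files[i]);
        if (stat(path, &st) != 0)
            continue;   /* absent file: NSS itself reports a missing database */
        if (!mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gid, S_IRUSR)) {
            snprintf(errbuf, errlen, "Server user %lu lacks read access to NSS database file %s",
                     (unsigned long)uid, path);
            return NSSDB_FILE_DENIED;
        }
    }
    errbuf[0] = '\0';
    return NSSDB_OK;
}

/* Constructed fixture: a throwaway directory under /tmp holding one cert8.db,
 * checked either as its owner or as an unrelated (uid+1, gid+1) principal.
 * Returns the check's code, or -1 if the fixture could not be built. */
int demo_scenario(mode_t dir_mode, mode_t file_mode, int as_owner)
{
    char dir[] = "/tmp/nssdb-check-XXXXXX";
    char file[PATH_MAX], msg[256];
    uid_t me = geteuid();
    gid_t mg = getegid();
    int fd, rc = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/cert8.db", dir);
    fd = open(file, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0 && chmod(file, file_mode) == 0 && chmod(dir, dir_mode) == 0)
        rc = check_nss_db(dir, as_owner ? me : me + 1, as_owner ? mg : mg + 1, msg, sizeof msg);
    if (fd >= 0)
        close(fd);
    chmod(dir, 0700);   /* restore a mode that lets the owner clean up */
    unlink(file);
    rmdir(dir);
    return rc;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/etc/httpd/alias";
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[2], NULL, 10) : geteuid();
    gid_t gid = argc > 3 ? (gid_t)strtoul(argv[3], NULL, 10) : getegid();
    char msg[256];
    int rc = check_nss_db(dir, uid, gid, msg, sizeof msg);
    printf("%s: %s\n", dir, rc == NSSDB_OK ? "readable" : msg);
    return rc;
}
```

Run as `./nssdb-check /etc/httpd/alias 48 48` (the uid and gid of the apache user on the host, looked up with `id apache`) to get the same verdict the server user would get, without starting httpd. With the reporter's `chmod 0700 /etc/httpd/alias` the directory test fails first, which is the case the original code skipped; with an executable directory but 0600 database files owned by root, the per-file test fails instead, matching the second scenario in the report.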

Comment 12 Scott Poore 2016-09-22 15:14:19 UTC
Verified.

Version ::

mod_nss-1.0.14-7.el7.x86_64

Results ::

[root@vm4 yum.local.d]# chmod 0700 /etc/httpd/alias/

[root@vm4 yum.local.d]# systemctl start httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.


/var/log/httpd/error_log

[Thu Sep 22 10:13:14.087491 2016] [core:notice] [pid 3655] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Sep 22 10:13:14.088060 2016] [suexec:notice] [pid 3655] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Sep 22 10:13:14.088080 2016] [:warn] [pid 3655] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Sep 22 10:13:14.088090 2016] [:debug] [pid 3655] nss_engine_init.c(454): SNI: vm4.example.com -> vm4.example.com - RedHat
[Thu Sep 22 10:13:14.089493 2016] [:error] [pid 3655] Server user apache lacks read access to NSS database directory /etc/httpd/alias.

Comment 14 errata-xmlrpc 2016-11-03 21:20:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2602.html