Bug 1025799 - Start up will fail if Certificate directory is not available to Apache user
Summary: Start up will fail if Certificate directory is not available to Apache user
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: mod_nss
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Matthew Harmsen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-11-01 15:43 UTC by Rob Crittenden
Modified: 2016-07-19 10:33 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-19 10:33:08 UTC
Type: Bug

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Rob Crittenden 2013-11-01 15:43:43 UTC 
Description of problem:

As reported in mod_nss mailing list:

mod_nss has this code in it:

   if (chdir(mc->pCertificateDatabase) != 0) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
            "Unable to change directory to %s", mc->pCertificateDatabase);
        if (mc->nInitCount == 1)
            nss_die();
        else
            return;
    }
   rv = NSS_Initialize(mc->pCertificateDatabase, mc->pDBPrefix, mc->pDBPrefix, "secmod.db", NSS_INIT_READONLY); 

Let's say the database is in /root/secure.

Apache starts as root during the initial face (nInitCount = 1) so this will succeed. Then it drops root and subsequent chdir's will fail with just a log message. It should probably die here too. I think the intention was that the caller would detect that things had failed, but it doesn't and it continues to do NSS calls which of course fail spectacularly.

I think the reason for not calling nss_die() is it just kills that child, which will be re-forked. Rinse and repeat.

I'm not entirely sure why I do the chdir at this point from this code snippet.
Comment 1 Jaroslav Reznik 2015-03-03 15:10:54 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Comment 2 Matthew Harmsen 2016-01-05 22:31:51 UTC 
Per discussion with rcritten, closing as WONT FIX as this issue is somewhat addressed by the following check-in:

* 1e0b460dd697aac3befcfe0721437d3584b8f49d
Comment 3 Rob Crittenden 2016-03-01 16:23:13 UTC 
reopening since the fix isn't actually sufficient. It still loops the child processes forever.

I think we need to actively check if the apache user can read the NSS databases during the first init so that nss_die() will actually stop the server.
Comment 4 Rob Crittenden 2016-03-07 15:42:46 UTC 
Given the certificate database check for cert8.db/key3.db/secmod.db or cert9.db/key4.db depending on the sql: prefix.

Add option NSSSkipPermissionCheck on/off to skip this new behavior

master: 28283de7ce8557b60d475b0e138d19f3d92f0a2a
Comment 5 Mike McCune 2016-03-28 23:05:20 UTC 
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Comment 6 Fedora End Of Life 2016-07-19 10:33:08 UTC 
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Note You need to log in before you can comment on or make changes to this bug.