Description of problem: The fedora:23 docker image does not include find. When installing mod_nss, /var/tmp/rpm-tmp.HefI5l: line 12: /bin/find: No such file or directory /var/tmp/rpm-tmp.HefI5l: line 13: /bin/find: No such file or directory warning: %post(mod_nss-1.0.11-4.fc23.x86_64) scriptlet failed, exit status 127 Non-fatal POSTIN scriptlet failure in rpm package mod_nss Non-fatal POSTIN scriptlet failure in rpm package mod_nss is reported. Checking the scriptlet if [ "$1" -eq 1 ] ; then if [ ! -e /etc/httpd/alias/key3.db ]; then /usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1 echo "" echo "mod_nss certificate database generated." echo "" fi # Make sure that the database ownership is setup properly. /bin/find /etc/httpd/alias -user root -name "*.db" -exec /bin/chgrp apache {} \; /bin/find /etc/httpd/alias -user root -name "*.db" -exec /bin/chmod g+r {} \; fi suggests that plain /bin/chgrp apache /etc/httpd/alias/*.db /bin/chmod g+r /etc/httpd/alias/*.db might achieve comparable result. Yes, that find has -user root there and it would walk directories but on default installation, the directory just contains -rw-r-----. 1 root apache 65536 Dec 4 05:17 cert8.db -rw-------. 1 root root 5872 Dec 4 05:17 install.log -rw-r-----. 1 root apache 16384 Dec 4 05:17 key3.db lrwxrwxrwx. 1 root root 33 Jun 17 17:18 libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so -rw-r-----. 1 root apache 16384 Dec 4 05:17 secmod.db If the goal is to give the correct ownership/permissions to these %ghost'ed files, the above two commands without find should work. Version-Release number of selected component (if applicable): mod_nss-1.0.11-4.fc23.x86_64 How reproducible: Deterministic. Steps to Reproduce: 1. docker run -ti fedora:23 dnf install -y mod_nss Actual results: Installing : fedora-logos-httpd-22.0.0-2.fc23.noarch 4/8 Installing : httpd-filesystem-2.4.17-3.fc23.noarch 5/8 Installing : mailcap-2.1.45-1.fc23.noarch 6/8 Installing : httpd-2.4.17-3.fc23.x86_64 7/8 Installing : mod_nss-1.0.11-4.fc23.x86_64 8/8 mod_nss certificate database generated. /var/tmp/rpm-tmp.HefI5l: line 12: /bin/find: No such file or directory /var/tmp/rpm-tmp.HefI5l: line 13: /bin/find: No such file or directory warning: %post(mod_nss-1.0.11-4.fc23.x86_64) scriptlet failed, exit status 127 Non-fatal POSTIN scriptlet failure in rpm package mod_nss Non-fatal POSTIN scriptlet failure in rpm package mod_nss Verifying : mod_nss-1.0.11-4.fc23.x86_64 1/8 Verifying : httpd-2.4.17-3.fc23.x86_64 2/8 Verifying : apr-1.5.2-2.fc23.x86_64 3/8 Verifying : apr-util-1.5.4-2.fc23.x86_64 4/8 Verifying : mailcap-2.1.45-1.fc23.noarch 5/8 Verifying : httpd-filesystem-2.4.17-3.fc23.noarch 6/8 Expected results: Installing : fedora-logos-httpd-22.0.0-2.fc23.noarch 4/8 Installing : httpd-filesystem-2.4.17-3.fc23.noarch 5/8 Installing : mailcap-2.1.45-1.fc23.noarch 6/8 Installing : httpd-2.4.17-3.fc23.x86_64 7/8 Installing : mod_nss-1.0.11-4.fc23.x86_64 8/8 mod_nss certificate database generated. Verifying : mod_nss-1.0.11-4.fc23.x86_64 1/8 Verifying : httpd-2.4.17-3.fc23.x86_64 2/8 Verifying : apr-1.5.2-2.fc23.x86_64 3/8 Verifying : apr-util-1.5.4-2.fc23.x86_64 4/8 Verifying : mailcap-2.1.45-1.fc23.noarch 5/8 Verifying : httpd-filesystem-2.4.17-3.fc23.noarch 6/8 Additional info:
I've been pondering this for a while now. I think the right move is to move the chgrp/chown inside of the test and drop the find as Jan suggests. The problem is if we merely drop the find then if the user has for some good reason changed the Apache user it could hose up permissions of the mod_nss database. People often get permissions wrong on these database when they generate their own using certutil. They typically forget to chown them to apache which causes startup issues. I think that's why I left it outside the test, so if in frustration they re-installed the package things would just fix themselves.
Isn't the better approach then chgrp'ing the directory /etc/httpd/alias, plus chmod g+s on it? That way just dropping things into the directory would set the group right.
That's probably the way I'll have to do it. Either way I'll lose the magical permission fix and this will make new installs less vulnerable.
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
If the find is there to stay, just having the dependencies specified for the post stage should fix the issue.
Sorry about the delay, I'll see about fixing this one way or another.
I have a candidate fix to drop the chown/chgrp altogether for existing installs. How far back do you need this backported? I was thinking just F27/rawhide.
F27/rawhide is just fine. It's not a blocker.
mod_nss-1.0.14-6.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-969d917228
mod_nss-1.0.14-6.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-969d917228
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
mod_nss-1.0.14-6.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.