Bug 1288757 - apache group not created if USERGROUPS_ENAB is 'no'
apache group not created if USERGROUPS_ENAB is 'no'
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: httpd (Show other bugs)
x86_64 Linux
medium Severity medium
: rc
: ---
Assigned To: Web Stack Team
Martin Frodl
Depends On:
Blocks: 1480452
  Show dependency treegraph
Reported: 2015-12-05 16:07 EST by Martin Stefany
Modified: 2017-08-31 20:54 EDT (History)
8 users (show)

See Also:
Fixed In Version: httpd-2.4.6-41
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1480452 (view as bug list)
Last Closed: 2016-11-04 04:09:54 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
proposed update to httpd.spec (371 bytes, patch)
2015-12-05 16:07 EST, Martin Stefany
no flags Details | Diff

  None (edit)
Description Martin Stefany 2015-12-05 16:07:22 EST
Created attachment 1102600 [details]
proposed update to httpd.spec

Description of problem:
When installing httpd on any RHEL6.x, RHEL7.x or Fedora product, and USERGROUPS_ENAB is set to 'no', group apache is not created properly, throwing warnings during installation of package and causing later problems with daemon and apps. 

Version-Release number of selected component (if applicable):
httpd-2.4.17-3.fc23.x86_64, or
httpd-2.4.6-31.el7.x86_64, or any before (afaik)

How reproducible:

Steps to Reproduce:
1. sed -i -e 's/USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
2. dnf install httpd
Last metadata expiration check performed 0:00:37 ago on Sat Dec  5 21:47:44 2015.
Dependencies resolved.
 Package                                                        Arch                                                 Version                                                     Repository                                             Size
 httpd                                                          x86_64                                               2.4.17-3.fc23                                               updates                                               1.3 M
 httpd-filesystem                                               noarch                                               2.4.17-3.fc23                                               updates                                                25 k
 httpd-tools                                                    x86_64                                               2.4.17-3.fc23                                               updates                                                88 k

Transaction Summary
Install  3 Packages

Total download size: 1.4 M
Installed size: 6.1 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): httpd-filesystem-2.4.17-3.fc23.noarch.rpm                                                                                                                                                             273 kB/s |  25 kB     00:00    
(2/3): httpd-tools-2.4.17-3.fc23.x86_64.rpm                                                                                                                                                                  467 kB/s |  88 kB     00:00    
(3/3): httpd-2.4.17-3.fc23.x86_64.rpm                                                                                                                                                                        1.1 MB/s | 1.3 MB     00:01    
Total                                                                                                                                                                                                        724 kB/s | 1.4 MB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : httpd-tools-2.4.17-3.fc23.x86_64                                                                                                                                                                                         1/3 
  Installing  : httpd-filesystem-2.4.17-3.fc23.noarch                                                                                                                                                                                    2/3 
  Installing  : httpd-2.4.17-3.fc23.x86_64                                                                                                                                                                                               3/3 
warning: group apache does not exist - using root
warning: group apache does not exist - using root
warning: group apache does not exist - using root
warning: group apache does not exist - using root
warning: group apache does not exist - using root
warning: group apache does not exist - using root
  Verifying   : httpd-2.4.17-3.fc23.x86_64                                                                                                                                                                                               1/3 
  Verifying   : httpd-filesystem-2.4.17-3.fc23.noarch                                                                                                                                                                                    2/3 
  Verifying   : httpd-tools-2.4.17-3.fc23.x86_64                                                                                                                                                                                         3/3 

  httpd.x86_64 2.4.17-3.fc23                                               httpd-filesystem.noarch 2.4.17-3.fc23                                               httpd-tools.x86_64 2.4.17-3.fc23                                              


Actual results:
$ id apache
uid=48(apache) gid=100(users) groups=100(users)

Expected results:
$ id apache
uid=48(apache) gid=48(apache) groups=48(apache)

Additional info:
I'm aware that setting USERGROUPS_ENAB to 'no' is a bit non-standard, but... I've reviewed .spec file in httpd source package and replacing:
# Add the "apache" user
/usr/sbin/useradd -c "Apache" -u 48 \
	-s /sbin/nologin -r -d %{contentdir} apache 2> /dev/null || :

# Add the "apache" user
/usr/sbin/useradd -c "Apache" -u 48 -U \
	-s /sbin/nologin -r -d %{contentdir} apache 2> /dev/null || :

as hinted by 'man useradd' should fix this easily.
Comment 1 Joe Orton 2015-12-18 06:39:56 EST
Thanks for the report.  If this issue is critical or in any way time sensitive,
please raise a ticket through your regular Red Hat support channels to make
certain it receives the proper attention and prioritization to assure a timely
Comment 7 deadrat 2016-09-26 10:15:57 EDT
It happens in RHEL 6.7 too.. 

Comment 8 Martin Frodl 2016-09-26 11:12:19 EDT
(In reply to deadrat from comment #7)
> It happens in RHEL 6.7 too.. 
> https://paste.fedoraproject.org/436041/raw/

This seems to be a different problem. Judging from the yum output,

>   Installing : apr-1.3.9-5.el6_2.x86_64                                    1/5 
>   Installing : apr-util-1.3.9-3.el6_0.1.x86_64                             2/5 
>   Installing : apr-util-ldap-1.3.9-3.el6_0.1.x86_64                        3/5 
>   Installing : httpd-tools-2.2.15-54.el6_8.x86_64                          4/5 
> groupadd: failure while writing changes to /etc/group
> useradd: group 'apache' does not exist
>   Installing : httpd-2.2.15-54.el6_8.x86_64                                5/5 

the 'groupadd' command (which *is* apparently being called, as opposed to RHEL-7.2 httpd) is having troubles writing to /etc/group. I am guessing this might have to do with the file's SELinux context, file attributes or even the mount options of the /etc filesystem (if it is mounted). The httpd preinstall scriptlet does everything it should:

# rpm -q --scripts httpd
preinstall scriptlet (using /bin/sh):
# Add the "apache" user
getent group apache >/dev/null || groupadd -g 48 -r apache
getent passwd apache >/dev/null || \
  useradd -r -u 48 -g apache -s /sbin/nologin \
    -d /var/www -c "Apache" apache
exit 0
Comment 9 deadrat 2016-10-01 22:20:21 EDT
> This seems to be a different problem. Judging from the yum output,

You are right. Sorry for not checking that. 

I am having some other issue. I am facing issues in adding a user itself.
    # useradd test
    useradd: failure while writing changes to /etc/passwd`

To add a user and group, I have to edit those /etc/passwd & group file now. 

Thanks for pointing it out.
Comment 11 errata-xmlrpc 2016-11-04 04:09:54 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.