1312583 – mod_nss segmentation fault when NSSCertificateDatabase does not have proper permissions

Bug 1312583 - mod_nss segmentation fault when NSSCertificateDatabase does not have proper permissions

Summary: mod_nss segmentation fault when NSSCertificateDatabase does not have proper p...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	mod_nss
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Matthew Harmsen
QA Contact:	Kaleem
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-27 15:40 UTC by Robert Bost
Modified:	2017-01-09 14:57 UTC (History)
CC List:	5 users (show)
Fixed In Version:	mod_nss-1.0.14-7.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-03 21:20:24 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:2602	normal	SHIPPED_LIVE	Low: mod_nss security, bug fix, and enhancement update	2016-11-03 12:12:49 UTC

Description Robert Bost 2016-02-27 15:40:10 UTC

Description of problem: If NSSCertificateDatabase directory is not readable by httpd user a segmentation fault occurs during startup. Segmentation faults repeat until httpd is manually stopped. 


Version-Release number of selected component (if applicable): mod_nss-1.0.11-6.el7.x86_64


How reproducible: Always


Steps to Reproduce:
1. chmod 0700 /etc/httpd/alias 

Actual results: 
[Sat Feb 27 10:34:08.466140 2016] [:error] [pid 3035] Unable to change directory to /etc/httpd/alias
[Sat Feb 27 10:34:09.467917 2016] [core:notice] [pid 2968] AH00052: child pid 3035 exit signal Segmentation fault (11)
[Sat Feb 27 10:34:09.468935 2016] [:error] [pid 3037] Unable to change directory to /etc/httpd/alias
[Sat Feb 27 10:34:09.470572 2016] [:error] [pid 3038] Unable to change directory to /etc/httpd/alias
[Sat Feb 27 10:34:10.471622 2016] [core:notice] [pid 2968] AH00052: child pid 3037 exit signal Segmentation fault (11)
[Sat Feb 27 10:34:10.471667 2016] [core:notice] [pid 2968] AH00052: child pid 3038 exit signal Segmentation fault (11)


Expected results: Clean exit with no segmentation fault. I would expect if mod_nss cannot read the NSS DB directory that it would prevent httpd from starting up and state the permissions error.


Additional info:
If NSS DB directory (/etc/httpd/alias) has execute permission but the NSS DB files are not readable there's a different set of errors; see below. If this would need a new bug, let me know and I'll be happy to open it.

[Sat Feb 27 10:37:45.012814 2016] [:error] [pid 3737] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Sat Feb 27 10:37:45.012844 2016] [:error] [pid 3737] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Sat Feb 27 10:37:45.901118 2016] [core:notice] [pid 3586] AH00052: child pid 3737 exit signal Segmentation fault (11)

Comment 2 Matthew Harmsen 2016-02-29 18:11:04 UTC

My suggestion for this bug is to document changing owner/group ownership and permissions in /usr/share/doc/mod_nss-<version>/mod_nss.html whenever a 'certutil -d . -N' is executed.

Comment 3 Rob Crittenden 2016-03-01 16:23:49 UTC

That or we can proactively check for user/group read permissions of the apache user.

Comment 5 Scott Poore 2016-09-21 00:17:52 UTC

What changed here?

I still see segfaults:


[Tue Sep 20 19:07:27.334049 2016] [:error] [pid 12894] Unable to change directory to /etc/httpd/alias
[Tue Sep 20 19:07:27.334068 2016] [:error] [pid 12894] Does the directory exist and do the permissions allow access?
[Tue Sep 20 19:07:28.319846 2016] [core:notice] [pid 12793] AH00052: child pid 12891 exit signal Segmentation fault (11)
[Tue Sep 20 19:07:28.319876 2016] [core:notice] [pid 12793] AH00052: child pid 12892 exit signal Segmentation fault (11)

And I am not finding anything in documentation.

Am I missing something?

Comment 6 Scott Poore 2016-09-21 14:52:45 UTC

moving bug back to assigned while it is being worked on.

Comment 7 Rob Crittenden 2016-09-21 17:54:54 UTC

The problem was that the files within the certificate database directory were being checked for read access but not the directory itself.

Comment 8 Rob Crittenden 2016-09-21 18:06:08 UTC

Have a patch in hand to address not checking the NSS database directory permissions.

Comment 12 Scott Poore 2016-09-22 15:14:19 UTC

Verified.

Version ::

mod_nss-1.0.14-7.el7.x86_64

Results ::

[root@vm4 yum.local.d]# chmod 0700 /etc/httpd/alias/

[root@vm4 yum.local.d]# systemctl start httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.


/var/log/httpd/error_log

[Thu Sep 22 10:13:14.087491 2016] [core:notice] [pid 3655] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Sep 22 10:13:14.088060 2016] [suexec:notice] [pid 3655] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Sep 22 10:13:14.088080 2016] [:warn] [pid 3655] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Sep 22 10:13:14.088090 2016] [:debug] [pid 3655] nss_engine_init.c(454): SNI: vm4.example.com -> vm4.example.com - RedHat
[Thu Sep 22 10:13:14.089493 2016] [:error] [pid 3655] Server user apache lacks read access to NSS database directory /etc/httpd/alias.

Comment 14 errata-xmlrpc 2016-11-03 21:20:24 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2602.html

Note You need to log in before you can comment on or make changes to this bug.