Bug 1312583 - mod_nss segmentation fault when NSSCertificateDatabase does not have proper permissions
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_nss
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Matthew Harmsen
QA Contact: Kaleem
Docs Contact:
Depends On:
Blocks:
Reported: 2016-02-27 10:40 EST by Robert Bost
Modified: 2017-01-09 09:57 EST (History)

See Also:
Fixed In Version: mod_nss-1.0.14-7.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 17:20:24 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Robert Bost 2016-02-27 10:40:10 EST
Description of problem: If the NSSCertificateDatabase directory is not readable by the httpd user, a segmentation fault occurs during startup. Segmentation faults repeat until httpd is manually stopped.


Version-Release number of selected component (if applicable): mod_nss-1.0.11-6.el7.x86_64


How reproducible: Always


Steps to Reproduce:
1. chmod 0700 /etc/httpd/alias 

Actual results: 
[Sat Feb 27 10:34:08.466140 2016] [:error] [pid 3035] Unable to change directory to /etc/httpd/alias
[Sat Feb 27 10:34:09.467917 2016] [core:notice] [pid 2968] AH00052: child pid 3035 exit signal Segmentation fault (11)
[Sat Feb 27 10:34:09.468935 2016] [:error] [pid 3037] Unable to change directory to /etc/httpd/alias
[Sat Feb 27 10:34:09.470572 2016] [:error] [pid 3038] Unable to change directory to /etc/httpd/alias
[Sat Feb 27 10:34:10.471622 2016] [core:notice] [pid 2968] AH00052: child pid 3037 exit signal Segmentation fault (11)
[Sat Feb 27 10:34:10.471667 2016] [core:notice] [pid 2968] AH00052: child pid 3038 exit signal Segmentation fault (11)


Expected results: Clean exit with no segmentation fault. I would expect if mod_nss cannot read the NSS DB directory that it would prevent httpd from starting up and state the permissions error.


Additional info:
If NSS DB directory (/etc/httpd/alias) has execute permission but the NSS DB files are not readable there's a different set of errors; see below. If this would need a new bug, let me know and I'll be happy to open it.

[Sat Feb 27 10:37:45.012814 2016] [:error] [pid 3737] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Sat Feb 27 10:37:45.012844 2016] [:error] [pid 3737] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Sat Feb 27 10:37:45.901118 2016] [core:notice] [pid 3586] AH00052: child pid 3737 exit signal Segmentation fault (11)
Comment 2 Matthew Harmsen 2016-02-29 13:11:04 EST
My suggestion for this bug is to document changing owner/group ownership and permissions in /usr/share/doc/mod_nss-<version>/mod_nss.html whenever a 'certutil -d . -N' is executed.
Comment 3 Rob Crittenden 2016-03-01 11:23:49 EST
That or we can proactively check for user/group read permissions of the apache user.
Comment 5 Scott Poore 2016-09-20 20:17:52 EDT
What changed here?

I still see segfaults:


[Tue Sep 20 19:07:27.334049 2016] [:error] [pid 12894] Unable to change directory to /etc/httpd/alias
[Tue Sep 20 19:07:27.334068 2016] [:error] [pid 12894] Does the directory exist and do the permissions allow access?
[Tue Sep 20 19:07:28.319846 2016] [core:notice] [pid 12793] AH00052: child pid 12891 exit signal Segmentation fault (11)
[Tue Sep 20 19:07:28.319876 2016] [core:notice] [pid 12793] AH00052: child pid 12892 exit signal Segmentation fault (11)

And I am not finding anything in documentation.

Am I missing something?
Comment 6 Scott Poore 2016-09-21 10:52:45 EDT
Moving bug back to ASSIGNED while it is being worked on.
Comment 7 Rob Crittenden 2016-09-21 13:54:54 EDT
The problem was that the files within the certificate database directory were being checked for read access but not the directory itself.
Comment 8 Rob Crittenden 2016-09-21 14:06:08 EDT
Have a patch in hand to address not checking the NSS database directory permissions.
Comment 12 Scott Poore 2016-09-22 11:14:19 EDT
Verified.

Version ::

mod_nss-1.0.14-7.el7.x86_64

Results ::

[root@vm4 yum.local.d]# chmod 0700 /etc/httpd/alias/

[root@vm4 yum.local.d]# systemctl start httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.


/var/log/httpd/error_log

[Thu Sep 22 10:13:14.087491 2016] [core:notice] [pid 3655] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Sep 22 10:13:14.088060 2016] [suexec:notice] [pid 3655] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Sep 22 10:13:14.088080 2016] [:warn] [pid 3655] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Sep 22 10:13:14.088090 2016] [:debug] [pid 3655] nss_engine_init.c(454): SNI: vm4.example.com -> vm4.example.com - RedHat
[Thu Sep 22 10:13:14.089493 2016] [:error] [pid 3655] Server user apache lacks read access to NSS database directory /etc/httpd/alias.
Comment 14 errata-xmlrpc 2016-11-03 17:20:24 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2602.html
