Description of problem:
Group ownership not fully respected when checking read permissions on startup. I chowned NSS DB files to group mytest. Added apache user to mytest group and now receive an error on httpd startup.

error_log:
[Tue Nov 15 11:02:00.131289 2016] [:error] [pid 1673] Server user apache lacks read access to NSS key database /etc/httpd/alias/key3.db.

# ls -l /etc/httpd/alias/
total 88
-rw-r-----. 1 root mytest 65536 Oct 26 17:26 cert8.db
-rw-------. 1 root root    5872 Oct 26 17:26 install.log
-rw-r-----. 1 root mytest 16384 Oct 26 17:26 key3.db
lrwxrwxrwx. 1 root root      24 Nov 15 10:58 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-r-----. 1 root mytest 16384 Oct 26 17:26 secmod.db

# groups apache
apache : apache mytest

Version-Release number of selected component (if applicable):
mod_nss-1.0.14-7.el7.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. yum install httpd mod_nss
2. usermod -a -G mytest apache
3. chown :mytest /etc/httpd/alias/*.db
4. systemctl start httpd
5. tail /var/log/httpd/error_log

Actual results:
httpd does not start.

Expected results:
httpd starts as long as permissions are actually valid.

Additional info:
Verified.

Pkg version:
============
[root@dhcp207-220 ~]# rpm -q mod_nss httpd
mod_nss-1.0.14-10.el7.x86_64
httpd-2.4.6-67.el7.x86_64
[root@dhcp207-220 ~]#

Console output:
===============
[root@dhcp207-220 ~]# id apache
uid=48(apache) gid=48(apache) groups=48(apache),386(ipaapi),1000(mytest)
[root@dhcp207-220 ~]# chown :mytest /etc/httpd/alias/*.db
[root@dhcp207-220 ~]# ls -la /etc/httpd/alias/
total 96
drwxr-xr-x. 2 root root      94 May 16 14:28 .
drwxr-xr-x. 6 root root     105 May 16 14:28 ..
-rw-r-----. 1 root mytest 65536 May 16 14:28 cert8.db
-rw-------. 1 root root    5274 May 16 14:28 install.log
-rw-r-----. 1 root mytest 24576 May 16 14:28 key3.db
lrwxrwxrwx. 1 root root      24 May 16 14:28 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-r-----. 1 root mytest 16384 May 16 14:28 secmod.db
[root@dhcp207-220 ~]# systemctl start httpd
[root@dhcp207-220 ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2017-05-16 14:29:20 IST; 17s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 1947 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─1947 /usr/sbin/httpd -DFOREGROUND
           ├─1948 /usr/libexec/nss_pcache 131074 off
           ├─1949 /usr/sbin/httpd -DFOREGROUND
           ├─1950 /usr/sbin/httpd -DFOREGROUND
           ├─1951 /usr/sbin/httpd -DFOREGROUND
           ├─1952 /usr/sbin/httpd -DFOREGROUND
           └─1953 /usr/sbin/httpd -DFOREGROUND

May 16 14:29:20 dhcp207-220.testrelm.test systemd[1]: Starting The Apache HTTP Server...
May 16 14:29:20 dhcp207-220.testrelm.test systemd[1]: Started The Apache HTTP Server.
[root@dhcp207-220 ~]# groups apache
apache : apache ipaapi mytest
[root@dhcp207-220 ~]#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2009
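
An added example, not mod_nss code and not part of the original report: a mode-bit read check in Python that reproduces the reported symptom when only the primary GID is compared (an assumption about the cause; the report does not show the faulty check) and passes once supplementary groups are included. `Ident`, `load_ident`, `can_read` and `check_path` are hypothetical names; the sample IDs are taken from the `id apache` and `ls` output above.

```python
import os
import pwd
import stat
from collections import namedtuple

# Identity the server runs as: uid, primary gid, and every group it belongs to.
Ident = namedtuple("Ident", "uid gid groups")

def load_ident(username):
    """Resolve a local account, including supplementary groups."""
    pw = pwd.getpwnam(username)
    groups = frozenset(os.getgrouplist(username, pw.pw_gid))
    return Ident(pw.pw_uid, pw.pw_gid, groups)

def can_read(st_uid, st_gid, st_mode, ident, use_supplementary=True):
    """Mode-bit read check: owner class, else group class, else other.

    Only the first matching class is consulted, as the kernel does.
    ACLs, SELinux and parent-directory search bits are not evaluated.
    """
    if ident.uid == 0:
        return True  # root is not limited by mode bits for reads
    if ident.uid == st_uid:
        return bool(st_mode & stat.S_IRUSR)
    groups = {ident.gid}
    if use_supplementary:
        groups |= set(ident.groups)
    if st_gid in groups:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)

def check_path(path, username, use_supplementary=True):
    """Run the check against a real file and a real account."""
    st = os.stat(path)
    ident = load_ident(username)
    return can_read(st.st_uid, st.st_gid, st.st_mode, ident, use_supplementary)

if __name__ == "__main__":
    # Constructed from the page's output: apache is uid/gid 48 and a member
    # of mytest (gid 1000); key3.db is root:mytest with mode 0640.
    apache = Ident(48, 48, frozenset({48, 386, 1000}))
    for label, flag in (("primary gid only", False), ("all groups", True)):
        print(label, "->", can_read(0, 1000, 0o100640, apache, flag))
```

On a live host, `check_path("/etc/httpd/alias/key3.db", "apache")` applies the same logic to the real file and account.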