Hide Forgot
Description of problem: The mpm_itk_module Apache module packaged in httpd-itk does not use Linux capabilities (libcap) or offer the EnableCapabilities Apache configuration option. This means that the parent httpd processes run as root rather than an unprivileged user with extra capabilities. Version-Release number of selected component (if applicable): httpd-itk-2.4.7.04-1.el7.x86_64 How reproducible: Always. Steps to Reproduce: 1. # yum install httpd-itk 2. Edit /etc/httpd/conf.modules.d/00-mpm-itk.conf and uncomment LoadModule mpm_itk_module modules/mod_mpm_itk.so 3. # systemctl restart httpd Actual results: # pscap | grep -e ppid -e httpd ppid pid name command capabilities 1 8821 root httpd full 8821 8832 root httpd full 8821 8833 root httpd full 8821 8834 root httpd full 8821 8835 root httpd full 8821 8836 root httpd full 8821 8840 root httpd full # httpd -D MPM_ITK -L | grep -i itk AssignUserID (mpm_itk.c) AssignUserIDExpr (mpm_itk.c) AssignGroupIDExpr (mpm_itk.c) LimitUIDRange (mpm_itk.c) LimitGIDRange (mpm_itk.c) MaxClientsVHost (mpm_itk.c) NiceValue (mpm_itk.c) Expected results: # pscap | grep -e ppid -e httpd ppid pid name command capabilities 1 9077 root httpd full 9077 9088 apache httpd dac_read_search, setgid, setuid, sys_nice + 9077 9089 apache httpd dac_read_search, setgid, setuid, sys_nice + 9077 9090 apache httpd dac_read_search, setgid, setuid, sys_nice + 9077 9091 apache httpd dac_read_search, setgid, setuid, sys_nice + 9077 9092 apache httpd dac_read_search, setgid, setuid, sys_nice + # httpd -D MPM_ITK -L | grep -i itk AssignUserID (mpm_itk.c) AssignUserIDExpr (mpm_itk.c) AssignGroupIDExpr (mpm_itk.c) LimitUIDRange (mpm_itk.c) LimitGIDRange (mpm_itk.c) EnableCapabilities (mpm_itk.c) MaxClientsVHost (mpm_itk.c) NiceValue (mpm_itk.c) Additional info: The above was tested on RHEL 7. When referring to capabilities the Apache 2 ITK MPM page (http://mpm-itk.sesse.net/) says: “Drop most root capabilities in the parent process, and instead run as the user given by the User/Group directives with some extra capabilities (in particular setuid). Somewhat more secure (especially when coupled with LimitUIDRange above), but can cause problems when serving from filesystems that do not honor capabilities, such as NFS.” To compile Apache 2 ITK MPM with Linux capability support requires the capability.h library (/usr/include/sys/capability.h, provided in the libcap-devel package) to be present on the build host. httpd-itk would then be dependent on the libcap package and would make the “EnableCapabilities off” Apache configuration option available. It will change defaults as follows: Current default = capabilities off (and not available) New default = capabilities on (can be turned off with “EnableCapabilities off”)
Confirmed. As a result, because of this code in mpm-itk.c: #if HAVE_LIBCAP AP_INIT_FLAG("EnableCapabilities", enable_caps, NULL, RSRC_CONF, "Drop most root capabilities in the parent process, and instead run as " "the user given by the User/Group directives with some extra capabilities " "(in particular setuid). Somewhat more secure, but can cause problems " "when serving from NFS."), #endif The "EnableCpabilities" option isn't even present, generating an error if you attempt to use it. It appears that the reason this is happening is there isn't, by default, a flag to enable libcap - it's simply detected at build time, so I presume the library wasn't in the build environment by default. See this thread for details: https://lists.err.no/pipermail/mpm-itk/2015-September/000931.html
I'm very sorry for the late reaction. I will look on it.
httpd-itk-2.4.7.04-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-06d542b18b
httpd-itk-2.4.7.04-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c594da45c9
httpd-itk-2.4.7.04-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4f8e561d50
httpd-itk-2.4.7.04-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4f8e561d50
httpd-itk-2.4.7.04-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c594da45c9
httpd-itk-2.4.7.04-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-06d542b18b
httpd-itk-2.4.7.04-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
After upgrading to this package, httpd-itk is no longer able to serve files from directories that are only readable by the configured user. It appears to expect to be able to read the directory as root first, before switching users. I get the following in my audit log: type=AVC msg=audit(1502466481.322:415368): avc: denied { dac_read_search } for pid=5971 comm="httpd" capability=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability Running that through audit2allow to create an SELinux module that grants the dac_read_search capability to httpd_t makes it work again. I don't know if that's the right solution... but in this case, I think it might be.
Hi, I second Scott Wunsch: after updating to the lasted httpd-itk-2.4.7.04-2.el7.x86_64 package, basically all virtualhost *stopped responding*, failing with a "Forbidden" message and the following Apache logs: [Mon Aug 14 03:37:24.126776 2017] [core:error] [pid 8432] (13)Permission denied: [client 202.56.203.40:39940] AH00035: access to / denied (filesystem path '/var/www/www.example.com/html') because search permissions are missing on a component of the path, referer: http://www.example.com The audit.log file is flooded with the following message: type=AVC msg=audit(1502700479.533:332497): avc: denied { dac_read_search } for pid=16032 comm="httpd" capability=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability audit2allow reports the following: #============= httpd_t ============== allow httpd_t self:capability dac_read_search; Current workaround is to add the above capability to the selinux policy, which solves the problem. I have some questions: - is the above workaround the better one? - would disabling capabilities (EnableCapabilities off) solve the problem without a selinux policy change?
Yes, SELinux set to enforcing (tested on RHEL 7) is causing virtual hosts to fail with 403 Forbidden when only the ITK AssignUserId has read permission to the directory. Adding an audit rule (auditctl -a exit,always -F dir=/var/www/www.example.com/html) reveals that a syscall is made initially as the user/group from httpd.conf and this is being denied by SELinux. This problem could be bypassed by using the “EnableCapabilities off” Apache configuration option, ITK returns to its non-capabilities functionality and the directory is read initially as root (uid=0). I do not know why in this configuration the syscall is not also blocked by SELinux. Granting the SELinux dac_read_search capability to httpd_t (allow httpd_t self:capability dac_read_search;) is required to allow ITK to function with capabilities enabled as it seems ITK expects/requires syscalls as the httpd.conf user/group on the directory tree to succeed. Does granting the SELinux capability dac_read_search to httpd_t pose any risks? I don’t think so as ITK drops dac_read_search as soon as possible and httpd without ITK drops all Linux capabilities from its worker processes so the effect should be limited. Therefore I think this would be a better approach than turning off ITK capabilities. Is it desirable for this SELinux change to be implemented in the httpd-itk package or instead explained in documentation?
New install httpd-itk-2.4.7.04-2.el7.x86_64 [Wed Oct 25 23:12:07.527242 2017] [core:crit] [pid 2339] (13)Permission denied: AH00529: /var/www/user/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/var/www/user/' Just adding a rule in selinux solves the problem. #============= httpd_t ============== allow httpd_t self:capability dac_read_search;