Bug 1432881 - httpd-itk not compiled with Linux capabilities support
Status: CLOSED ERRATA
Product: Fedora EPEL
Classification: Fedora
Component: httpd-itk
Version: epel7
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Pavel Alexeev
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-03-16 10:05 UTC by julian.gilbert
Modified: 2017-10-25 21:21 UTC

Fixed In Version: httpd-itk-2.4.7.04-2.el7
Last Closed: 2017-08-09 15:22:28 UTC
Type: Bug



Description julian.gilbert 2017-03-16 10:05:00 UTC
Description of problem:

The mpm_itk_module Apache module packaged in httpd-itk does not use Linux capabilities (libcap) or offer the EnableCapabilities Apache configuration option. This means that the parent httpd processes run as root rather than an unprivileged user with extra capabilities.

Version-Release number of selected component (if applicable):

httpd-itk-2.4.7.04-1.el7.x86_64

How reproducible:

Always.

Steps to Reproduce:

1. # yum install httpd-itk

2. Edit /etc/httpd/conf.modules.d/00-mpm-itk.conf and uncomment LoadModule mpm_itk_module modules/mod_mpm_itk.so

3. # systemctl restart httpd

Actual results:

# pscap | grep -e ppid -e httpd
ppid  pid   name        command           capabilities
1     8821  root        httpd             full
8821  8832  root        httpd             full
8821  8833  root        httpd             full
8821  8834  root        httpd             full
8821  8835  root        httpd             full
8821  8836  root        httpd             full
8821  8840  root        httpd             full

# httpd -D MPM_ITK -L | grep -i itk

AssignUserID (mpm_itk.c)
AssignUserIDExpr (mpm_itk.c)
AssignGroupIDExpr (mpm_itk.c)
LimitUIDRange (mpm_itk.c)
LimitGIDRange (mpm_itk.c)
MaxClientsVHost (mpm_itk.c)
NiceValue (mpm_itk.c)


Expected results:

# pscap | grep -e ppid -e httpd
ppid  pid   name        command    capabilities
1     9077  root        httpd      full
9077  9088  apache      httpd      dac_read_search, setgid, setuid, sys_nice +
9077  9089  apache      httpd      dac_read_search, setgid, setuid, sys_nice +
9077  9090  apache      httpd      dac_read_search, setgid, setuid, sys_nice +
9077  9091  apache      httpd      dac_read_search, setgid, setuid, sys_nice +
9077  9092  apache      httpd      dac_read_search, setgid, setuid, sys_nice +

# httpd -D MPM_ITK -L | grep -i itk

AssignUserID (mpm_itk.c)
AssignUserIDExpr (mpm_itk.c)
AssignGroupIDExpr (mpm_itk.c)
LimitUIDRange (mpm_itk.c)
LimitGIDRange (mpm_itk.c)
EnableCapabilities (mpm_itk.c)
MaxClientsVHost (mpm_itk.c)
NiceValue (mpm_itk.c)


Additional info:

The above was tested on RHEL 7.

When referring to capabilities the Apache 2 ITK MPM page (http://mpm-itk.sesse.net/) says:

“Drop most root capabilities in the parent process, and instead run as the user given by the User/Group directives with some extra capabilities (in particular setuid). Somewhat more secure (especially when coupled with LimitUIDRange above), but can cause problems when serving from filesystems that do not honor capabilities, such as NFS.”

Compiling Apache 2 ITK MPM with Linux capability support requires the capability.h library (/usr/include/sys/capability.h, provided in the libcap-devel package) to be present on the build host. httpd-itk would then be dependent on the libcap package and would make the “EnableCapabilities off” Apache configuration option available. It will change defaults as follows:

Current default = capabilities off (and not available)
New default = capabilities on (can be turned off with “EnableCapabilities off”)
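
The difference between the actual and expected pscap output above can also be checked from /proc/<pid>/status. The following is an added example, not part of the original report or of mpm-itk: it decodes the CapEff mask and classifies a process as holding full capabilities or the reduced set the report expects. The sample status text, the apache uid 48 and the function names are constructed for illustration.

```python
import re

# Capability names by bit number, in <linux/capability.h> order (bits 0..36).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend"
).split()

# Capability set the report expects httpd children to hold after the fix.
ITK_EXPECTED = {"dac_read_search", "setgid", "setuid", "sys_nice"}


def decode_caps(mask_hex):
    """Decode a CapEff/CapPrm hex mask into a set of capability names."""
    mask = int(mask_hex, 16)
    names = {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}
    if mask >> len(CAP_NAMES):          # bits newer than this table
        names.add("unknown")
    return names


def classify(status_text):
    """Return (pid, effective_uid, verdict) for one /proc/<pid>/status dump."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", status_text, re.M))
    caps = decode_caps(fields["CapEff"])
    euid = int(fields["Uid"].split()[1])  # Uid: real effective saved fs
    if euid == 0 and caps >= set(CAP_NAMES):
        verdict = "full"                  # what pscap prints as "full"
    elif caps == ITK_EXPECTED:
        verdict = "itk-reduced"
    else:
        verdict = "other: " + ",".join(sorted(caps ^ ITK_EXPECTED))
    return int(fields["Pid"]), euid, verdict


# Constructed samples: a child before the fix and a child after it.
BEFORE = "Name:\thttpd\nPid:\t8832\nUid:\t0\t0\t0\t0\nCapEff:\t0000001fffffffff\n"
AFTER = "Name:\thttpd\nPid:\t9088\nUid:\t48\t48\t48\t48\nCapEff:\t00000000008000c4\n"

if __name__ == "__main__":
    for sample in (BEFORE, AFTER):
        print(classify(sample))
```
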

Comment 1 Ken Snider 2017-04-10 05:20:13 UTC
Confirmed. As a result, because of this code in mpm-itk.c:

#if HAVE_LIBCAP
AP_INIT_FLAG("EnableCapabilities", enable_caps, NULL, RSRC_CONF,
             "Drop most root capabilities in the parent process, and instead run as "
             "the user given by the User/Group directives with some extra capabilities "
             "(in particular setuid). Somewhat more secure, but can cause problems "
             "when serving from NFS."),
#endif

The "EnableCapabilities" option isn't even present, generating an error if you attempt to use it.

It appears that the reason this is happening is there isn't, by default, a flag to enable libcap - it's simply detected at build time, so I presume the library wasn't in the build environment by default.

See this thread for details:

https://lists.err.no/pipermail/mpm-itk/2015-September/000931.html

Comment 2 Pavel Alexeev 2017-04-12 21:17:50 UTC
I'm very sorry for the late reaction. I will look into it.

Comment 3 Fedora Update System 2017-04-12 21:40:12 UTC
httpd-itk-2.4.7.04-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-06d542b18b

Comment 4 Fedora Update System 2017-04-12 21:40:34 UTC
httpd-itk-2.4.7.04-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c594da45c9

Comment 5 Fedora Update System 2017-04-12 21:40:50 UTC
httpd-itk-2.4.7.04-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4f8e561d50

Comment 6 Fedora Update System 2017-04-13 14:50:01 UTC
httpd-itk-2.4.7.04-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-4f8e561d50

Comment 7 Fedora Update System 2017-04-13 15:20:01 UTC
httpd-itk-2.4.7.04-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c594da45c9

Comment 8 Fedora Update System 2017-04-13 17:21:49 UTC
httpd-itk-2.4.7.04-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-06d542b18b

Comment 9 Fedora Update System 2017-08-09 15:22:28 UTC
httpd-itk-2.4.7.04-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Scott Wunsch 2017-08-11 17:24:13 UTC
After upgrading to this package, httpd-itk is no longer able to serve files from directories that are only readable by the configured user.  It appears to expect to be able to read the directory as root first, before switching users.  I get the following in my audit log:

type=AVC msg=audit(1502466481.322:415368): avc:  denied  { dac_read_search } for  pid=5971 comm="httpd" capability=2  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability

Running that through audit2allow to create an SELinux module that grants the dac_read_search capability to httpd_t makes it work again.  I don't know if that's the right solution... but in this case, I think it might be.

Comment 11 g.danti 2017-08-14 13:39:41 UTC
Hi, I second Scott Wunsch: after updating to the latest httpd-itk-2.4.7.04-2.el7.x86_64 package, basically all virtual hosts *stopped responding*, failing with a "Forbidden" message and the following Apache logs:

[Mon Aug 14 03:37:24.126776 2017] [core:error] [pid 8432] (13)Permission denied: [client 202.56.203.40:39940] AH00035: access to / denied (filesystem path '/var/www/www.example.com/html') because search permissions are missing on a component of the path, referer: http://www.example.com

The audit.log file is flooded with the following message:

type=AVC msg=audit(1502700479.533:332497): avc:  denied  { dac_read_search } for  pid=16032 comm="httpd" capability=2  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability

audit2allow reports the following:

#============= httpd_t ==============

allow httpd_t self:capability dac_read_search;

Current workaround is to add the above capability to the selinux policy, which solves the problem.

I have some questions:
- is the above workaround the better one?
- would disabling capabilities (EnableCapabilities off) solve the problem without a selinux policy change?

Comment 12 julian.gilbert 2017-08-18 11:00:16 UTC
Yes, SELinux set to enforcing (tested on RHEL 7) is causing virtual hosts to fail with 403 Forbidden when only the ITK AssignUserId has read permission to the directory. Adding an audit rule (auditctl -a exit,always  -F dir=/var/www/www.example.com/html) reveals that a syscall is made initially as the user/group from httpd.conf and this is being denied by SELinux.

This problem could be bypassed by using the “EnableCapabilities off” Apache configuration option; ITK returns to its non-capabilities functionality and the directory is read initially as root (uid=0). I do not know why in this configuration the syscall is not also blocked by SELinux.

Granting the SELinux dac_read_search capability to httpd_t (allow httpd_t self:capability dac_read_search;) is required to allow ITK to function with capabilities enabled as it seems ITK expects/requires syscalls as the httpd.conf user/group on the directory tree to succeed.

Does granting the SELinux capability dac_read_search to httpd_t pose any risks? I don’t think so as ITK drops dac_read_search as soon as possible and httpd without ITK drops all Linux capabilities from its worker processes so the effect should be limited. Therefore I think this would be a better approach than turning off ITK capabilities.

Is it desirable for this SELinux change to be implemented in the httpd-itk package or instead explained in documentation?

Comment 13 faew 2017-10-25 21:21:49 UTC
New install httpd-itk-2.4.7.04-2.el7.x86_64 

[Wed Oct 25 23:12:07.527242 2017] [core:crit] [pid 2339] (13)Permission denied: 
AH00529: /var/www/user/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/var/www/user/'

Just adding a rule in selinux solves the problem.

#============= httpd_t ==============

allow httpd_t self:capability dac_read_search;
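
The denial records quoted in Comments 10 and 11 and the rule shown in Comments 11 and 13 can be tied together by parsing the AVC lines. The following is an added example, not part of the original thread and not audit2allow's own code: it counts denials per source type, target type, class and permission and renders the matching allow rule so it can be reviewed before a policy module is built. Function names are illustrative.

```python
import re
from collections import Counter

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")

# The two denial records quoted in Comments 10 and 11 of this report.
SAMPLE = [
    'type=AVC msg=audit(1502466481.322:415368): avc:  denied  '
    '{ dac_read_search } for  pid=5971 comm="httpd" capability=2  '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=capability',
    'type=AVC msg=audit(1502700479.533:332497): avc:  denied  '
    '{ dac_read_search } for  pid=16032 comm="httpd" capability=2  '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=capability',
]


def parse_avc(line):
    """Parse one AVC denial record into a dict, or return None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m["rest"])
    rec = {key: value.strip('"') for key, value in pairs}
    rec["perms"] = m["perms"].split()
    # Contexts are user:role:type:level; an allow rule only names the type.
    rec["source"] = rec["scontext"].split(":")[2]
    rec["target"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(lines):
    """Return [(allow_rule, denial_count)] for the AVC denials in lines."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["source"], rec["target"], rec["tclass"], perm)] += 1
    rules = []
    for (src, tgt, cls, perm), n in sorted(counts.items()):
        tgt = "self" if tgt == src else tgt   # same type on both sides
        rules.append((f"allow {src} {tgt}:{cls} {perm};", n))
    return rules

if __name__ == "__main__":
    for rule, n in summarize(SAMPLE):
        print(f"{n:4d}  {rule}")
```
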

