Bug 158147 - httpd attempts to write to /etc/krb5.conf
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: httpd
Version: 4.0
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Joe Orton
Reported: 2005-05-18 23:10 EDT by Aleksandar Milivojevic
Modified: 2007-11-30 17:07 EST (History)

Doc Type: Bug Fix
Last Closed: 2005-05-19 05:31:48 EDT


Attachments: None
Description Aleksandar Milivojevic 2005-05-18 23:10:16 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050421 Red Hat/1.0.3-1.4.1.centos4 Firefox/1.0.3

Description of problem:
I've noticed on some of my RHEL4 clones that httpd attempts to write to the /etc/krb5.conf file on startup, but is prevented from doing so by SELinux (good thing I have SELinux enabled on those boxes):

May 18 21:09:13 zatocnica kernel: audit(1116468553.539:0): avc:  denied  { write } for  pid=31308 exe=/usr/sbin/httpd name=krb5.conf dev=dm-0 ino=115476 scontext=root:system_r:httpd_t tcontext=system_u:object_r:etc_t tclass=file

Question.  Why on earth does the web server need write access to one of the critical Kerberos configuration files?  Not to mention that I don't use Kerberos at all.  I can kind of see it needing read access provided it wants to authenticate a Kerberos user, but write!?

Version-Release number of selected component (if applicable):
httpd-2.0.52-9.ent

How reproducible:
Always

Steps to Reproduce:
1. Start httpd with SELinux set to enforcing, watch 4 violations logged to /var/log/messages


Additional info:
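An added example, not from the bug report and not part of Red Hat's httpd package: a small Python filter that parses AVC denial lines of the form quoted in the report and picks out those where the web server domain asked for write access to a file labelled as /etc configuration. The first sample line is the denial quoted above; the other three lines are constructed for this example. The default types httpd_t and etc_t are taken from the quoted scontext/tcontext.

```python
import re

# Constructed sample log. The first line is the AVC denial quoted in the bug
# report; the remaining three are made up for this example (not from the
# report) to exercise the filter: a read denial, a write denial from another
# domain, and a line that is not an AVC record at all.
SAMPLE_LOG = """\
May 18 21:09:13 zatocnica kernel: audit(1116468553.539:0): avc:  denied  { write } for  pid=31308 exe=/usr/sbin/httpd name=krb5.conf dev=dm-0 ino=115476 scontext=root:system_r:httpd_t tcontext=system_u:object_r:etc_t tclass=file
May 18 21:09:13 zatocnica kernel: audit(1116468553.540:0): avc:  denied  { read } for  pid=31308 exe=/usr/sbin/httpd name=krb5.conf dev=dm-0 ino=115476 scontext=root:system_r:httpd_t tcontext=system_u:object_r:etc_t tclass=file
May 18 21:09:14 zatocnica kernel: audit(1116468554.001:0): avc:  denied  { write } for  pid=31400 exe=/bin/vi name=krb5.conf dev=dm-0 ino=115476 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:etc_t tclass=file
May 18 21:09:15 zatocnica sshd[1234]: Accepted publickey for root from 10.0.0.1 port 22 ssh2
"""

# Matches "avc:  denied  { write } for  pid=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one syslog line carrying an AVC record.

    Returns a dict with 'result' (denied/granted), the requested permissions
    as a list in 'perms', every key=value field verbatim, and the bare SELinux
    type of source and target ('scontext_type', 'tcontext_type'; the type is
    the third colon-separated field of a context, also when an MLS range is
    appended). Returns None for lines that carry no AVC record.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("fields")))
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key + "_type"] = rec[key].split(":")[2]
    return rec


def write_denials(log, source_type="httpd_t", target_type="etc_t"):
    """Return the denied AVC records in which source_type asked for 'write'
    on an object labelled target_type. The defaults are the types from the
    denial in the bug report (assumption: that is the pair worth flagging)."""
    hits = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if "write" not in rec["perms"]:
            continue
        if rec.get("scontext_type") == source_type and rec.get("tcontext_type") == target_type:
            hits.append(rec)
    return hits


def describe(rec):
    """One-line human-readable summary of a parsed AVC record."""
    return "%s (pid %s) denied %s on %s %s [%s -> %s]" % (
        rec.get("exe", "?"), rec.get("pid", "?"), ",".join(rec["perms"]),
        rec.get("tclass", "?"), rec.get("name", "?"),
        rec.get("scontext_type", "?"), rec.get("tcontext_type", "?"))


if __name__ == "__main__":
    for rec in write_denials(SAMPLE_LOG):
        print(describe(rec))
```

Pointing write_denials at the contents of /var/log/messages separates the write denials from read denials, which the reporter regards as plausible for a server that authenticates Kerberos users, and the source-type filter keeps denials from other domains touching the same file from being counted against httpd.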
Comment 1 Joe Orton 2005-05-19 05:31:48 EDT
If you're using a clone distribution, please report bugs in the first place to
the clone vendor.  If you have support questions and a current support contract,
please contact Red Hat support for further help.   If you need a support
contract, please contact Red Hat sales.
Comment 2 Aleksandar Milivojevic 2005-05-19 09:33:59 EDT
First of all, I am not looking for support.  I reported this as a pure courtesy
to you, since you are the original preparer of the SRPM.  What you are going to do
with it, is your choice.  You can do something about it and be proactive, or you
can be passive and wait until paying customer(s) get bitten by it.  Your choice.
 I couldn't care less.  I can perfectly live with 4 lines in log files that are
generated on httpd startup.

Furthermore, you are the upstream vendor in the same way Apache Project is
upstream vendor for you.  Sure, I can go one step up and report the bug to your
vendor (directly to Apache Project).  Then they'll probably tell me to report
the bug to whoever prepared the SRPM package.  Which is you.  Playing ping-pong can
be a fun pastime, but it doesn't solve the original problem.
Comment 3 Aleksandar Milivojevic 2005-05-19 09:53:11 EDT
BTW, reading back what I just wrote in my comment #2 looks kinda flamy... 
Anyhow, no hard feelings intended.  Red Hat is a good company with good
products, and at the place I work we've been using it for a very long time
(the original, not clones).  Actually, RHEL4 is on our shopping list, and
relatively soon there will be RHEL4 machines (with paid support) running around
here.  (It was just that the couple of servers we installed lately are not of the
type for which we would need/want external support.)
