13 Replies Latest reply: Jun 3, 2014 3:09 PM by RaiderOfTheLostSparc

    Can't lock down apache anymore (stripping privileges)

    RaiderOfTheLostSparc

      Hi,

      I'm trying to start apache with a restricted privilege set (see https://blogs.oracle.com/observatory/entry/limiting_apache_s_power), but there seems to be a hardcoded "/var/run/apache2/2.2" somewhere, as it always fails with: "could not create runtime directory: /var/run/apache2/2.2"

      Steps to reproduce:

      root@vmware:~# svccfg -s apache22 setprop start/user = astring: 'webservd'
      root@vmware:~# svccfg -s apache22 setprop start/group = astring: 'webservd'
      root@vmware:~# svccfg -s apache22 setprop start/privileges = astring: 'basic,!file_link_any,!proc_info,!proc_session,net_privaddr'
      root@vmware:~# svccfg -s apache22 setprop start/use_profile = boolean: false
      root@vmware:~# svccfg -s apache22 refresh
      root@vmware:~# chown -R webservd:webservd /var/apache2/2.2/logs
      root@vmware:~# cat << EOT >> /etc/apache2/2.2/httpd.conf
      LockFile "/var/apache2/2.2/logs/accept.lock"
      PidFile "/var/apache2/2.2/logs/httpd.pid"
      EOT

      root@vmware:~# svcadm enable apache22
      root@vmware:~# svcs -xv
      svc:/network/http:apache22 (Apache 2.2 HTTP server)
      State: maintenance since May 12, 2014 10:21:59 PM CEST
      Reason: Start method exited with $SMF_EXIT_ERR_FATAL.
         See: http://support.oracle.com/msg/SMF-8000-KS
         See: man -M /usr/apache2/2.2/man -s 8 httpd
         See: http://httpd.apache.org
         See: /var/svc/log/network-http:apache22.log
      Impact: This service is not running.
      root@vmware:~# tail /var/svc/log/network-http:apache22.log
      [ May 12 20:21:53 Rereading configuration. ]
      [ May 12 20:21:59 Enabled. ]
      [ May 12 20:21:59 Executing start method ("/lib/svc/method/http-apache22 start"). ]
      Apache version is 2.2
      could not create runtime directory: /var/run/apache2/2.2
      Server failed to start. Check the error log (defaults to /var/apache2/2.2/logs/error_log) for more information, if any.
      [ May 12 20:21:59 Method "start" exited with status 95. ]

      Manually creating /var/run/apache2/2.2 and then starting apache22 works though (even though no files or dirs get created in there...):

      root@vmware:~# mkdir -p /var/run/apache2/2.2
      root@vmware:~# chown -R webservd:webservd /var/run/apache2/2.2
      root@vmware:~# svcadm clear apache22
      root@vmware:~# svcs -xv
      root@vmware:~# ps -ef | grep httpd
      webservd 11439 11435   0 22:27:22 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
      webservd 11437 11435   0 22:27:22 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
      webservd 11438 11435   0 22:27:22 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
      webservd 11440 11435   0 22:27:22 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
          root 11443  3388   0 22:27:32 pts/1       0:00 grep httpd
      webservd 11436 11435   0 22:27:22 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
      webservd 11435     1   0 22:27:21 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
      root@vmware:~# ppriv 11438
      11438:  /usr/apache2/2.2/bin/httpd -k start
      flags = <none>
              E: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
              I: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
              P: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
              L: all
      root@vmware:~# ls /var/run/apache2/2.2/
      root@vmware:~#
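The post ends by eyeballing `ppriv` output to confirm the lockdown took effect. The following is an added example (not part of the original post, and not Oracle or Apache code): a small POSIX sh checker that parses `ppriv <pid>` output and verifies that the effective, inheritable and permitted sets all negate the privileges the `start/privileges` property was meant to drop and still carry `net_privaddr`. The embedded sample output is constructed to match the shape shown in the post; on a live system you would run `ppriv "$(pgrep -o httpd)" | check_ppriv_stdin`-style plumbing, or just pass the captured text as shown at the bottom.

```shell
#!/bin/sh
# Added example: verify an SMF-restricted process really lost the privileges
# we asked svccfg to strip. Input is the text `ppriv <pid>` prints on Solaris.

# Constructed sample in the shape of the post's `ppriv 11438` output.
SAMPLE_PPRIV='11438:  /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        I: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        P: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        L: all'

# Privileges from the basic set that the post's start/privileges value removes.
MUST_DROP="file_link_any proc_info proc_session"
# Privilege the post adds so httpd can bind port 80 without root.
MUST_HAVE="net_privaddr"

# get_set <ppriv-output> <letter>: print the comma-separated list for set E/I/P/L.
get_set() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: //p"
}

# set_has <csv> <entry>: succeed if <entry> (e.g. "!proc_info") is an element.
set_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_set <csv>: report every expected drop or grant that is missing.
check_set() {
    _csv=$1
    _ok=0
    for p in $MUST_DROP; do
        if ! set_has "$_csv" "!$p"; then
            echo "  $p is NOT dropped"
            _ok=1
        fi
    done
    for p in $MUST_HAVE; do
        if ! set_has "$_csv" "$p"; then
            echo "  $p is NOT granted"
            _ok=1
        fi
    done
    return $_ok
}

# check_ppriv <ppriv-output>: 0 only if E, I and P all match the intended set.
# L (limit) is deliberately not checked; the post leaves it at "all".
check_ppriv() {
    _rc=0
    for s in E I P; do
        _csv=$(get_set "$1" "$s")
        if [ -z "$_csv" ]; then
            echo "set $s not found in ppriv output"
            _rc=1
            continue
        fi
        if ! check_set "$_csv"; then
            echo "set $s = $_csv"
            _rc=1
        fi
    done
    return $_rc
}

# Stand-alone run against the constructed sample.
if check_ppriv "$SAMPLE_PPRIV"; then
    echo "privilege sets E/I/P match the intended restricted set"
else
    echo "privilege check FAILED"
fi
```

The check is strict about the negated form (`!proc_info`) rather than merely the absence of a name, because `basic` expands to a bundle that includes `proc_info` and friends; a set that reads `basic,net_privaddr` would silently still carry them. Run it right after `svcadm clear` so a misapplied `start/privileges` property is caught before the service is left running.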