Socket directory permissions in Fedora
Clodoaldo Neto
problem in the mod_wsgi socket file permission. Then I tried F11 and
the same problem happens:
[Wed Oct 28 12:05:02 2009] [notice] Apache/2.2.13 (Unix) DAV/2
PHP/5.2.9 mod_python/3.3.1 Python/2.6 mod_ssl/2.2.13
OpenSSL/0.9.8k-fips mod_wsgi/2.6 mod_perl/2.0.4 Perl/v5.10.0
configured -- resuming normal operations
[Wed Oct 28 12:05:09 2009] [error] [client 10.0.2.15] (13)Permission
denied: mod_wsgi (pid=2722): Unable to connect to WSGI daemon process
'mygroup' on '/etc/httpd/run/wsgi.2692.0.1.sock' after multiple
attempts.
I have the WSGISocketPrefix set to run/wsgi.
The problem is that until F10 the httpd socket directory was /var/run/
and in F11 and F12 it is /var/run/httpd:
# ll /etc/httpd/run
lrwxrwxrwx. 1 root root 19 2009-10-28 11:04 /etc/httpd/run ->
../../var/run/httpd
# ll -d /var/run/httpd
drwx------. 2 root root 4096 2009-10-28 11:51 /var/run/httpd
# ll -d /var/run
drwxr-xr-x. 31 root root 4096 2009-10-28 11:35 /var/run
# ll /var/run/httpd/
total 4
-rw-r--r--. 1 root root 5 2009-10-28 12:05 httpd.pid
srwx------. 1 apache root 0 2009-10-28 12:05 wsgi.2692.0.1.sock
Any of these solve the problem:
# chmod o+x /var/run/httpd
# chown apache.root /var/run/httpd
Is there some way to fix it without the user intervention and without
the risk of the fix being reverted when the httpd package is updated
or reinstalled? Should I ask Fedora developers to change permissions
or ownership of /var/run/httpd?
Regards, Clodoaldo
Clodoaldo Neto
Forgot to say that just changing WSGISocketPrefix to the absolute
path/prefix /var/run/wsgi fixes all the problems but it is against the
distribution's usage of paths relative the httpd config directory.
Clodoaldo
>
> Regards, Clodoaldo
>
Graham Dumpleton
The mod_wsgi module uses:
DEFAULT_REL_RUNTIMEDIR
from Apache configuration as the default location for these socket files.
This same location is also used by mod_cgid and I also imagine
possibly other third party modules such as fastcgi, scgi modules.
It is the only location known of in Apache sphere when writing modules
which can be used for temporary files, logs, sockets etc, without
stepping outside of Apache and forcing users to define a location of
their own.
Linux distributions ignore the Apache configuration layout and impose
their own. RedHat/Centos takes this a step further and doctors the
Apache source code to separate logs from other temporary stuff created
such as sockets. This is why had to have WSGISocketPrefix in the first
place. That is, because RedHat/Centos were trying to enforce stuff
which Apache module writers wouldn't expect. When they did that split
they made logs not readable to others. If they have now taken that a
step further and made the run directory not readable as well, then
they risk third party Apache modules breaking altogether.
So, there isn't a great deal I can do about it except to further document in:
http://code.google.com/p/modwsgi/wiki/ConfigurationIssues#Location_Of_UNIX_Sockets
that RedHat/Centos is further screwing things up and to say that:
WSGISocketPrefix /var/run/wsgi
must be used.
That it uses an absolute path isn't something I can do much about
unless you want to use:
WSGISocketPrefix run/../wsgi
on the assumption that safe to use parent directory of whatever 'run'
directory symlinked into 'httpd' directory is.
Although I could ask on Apache developers list about this, I know from
past that their opinion is that specific Linux distributions and users
of those distributions are own their own due to the Linux
distributions ignoring the ASF's own configuration layout and
doctoring original Apache code to do things differently to standard
distribution.
Graham
Clodoaldo Neto
socket directory. But as it is changed now in Fedora it is almost sure
that will happen to the next RHEL/Centos version (6).
> That it uses an absolute path isn't something I can do much about
> unless you want to use:
>
> WSGISocketPrefix run/../wsgi
>
> on the assumption that safe to use parent directory of whatever 'run'
> directory symlinked into 'httpd' directory is.
>
> Although I could ask on Apache developers list about this, I know from
> past that their opinion is that specific Linux distributions and users
> of those distributions are own their own due to the Linux
> distributions ignoring the ASF's own configuration layout and
> doctoring original Apache code to do things differently to standard
> distribution.
in Fedora 12 (and 11) and prevent that to happen to RHEL 6. I will
post at that list.
Clodoaldo
>
> Graham
>
> >
>
Clodoaldo Neto
> 2009/10/29 Graham Dumpleton <graham.d...@gmail.com>:
...
>> Although I could ask on Apache developers list about this, I know from
>> past that their opinion is that specific Linux distributions and users
>> of those distributions are own their own due to the Linux
>> distributions ignoring the ASF's own configuration layout and
>> doctoring original Apache code to do things differently to standard
>> distribution.
>
> Since it is just a symlink we still have a chance to have it changed
> in Fedora 12 (and 11) and prevent that to happen to RHEL 6. I will
> post at that list.
https://www.redhat.com/archives/fedora-devel-list/2009-October/msg01334.html
Clodoaldo
>
> Clodoaldo
>
>>
>> Graham
>>
>> >>
>>
>
Graham Dumpleton
Also see:
https://bugzilla.redhat.com/process_bug.cgi
I have posted to that because if they make the directory owned by
apache user or at minimum make it writable to apache user, then they
have created a security hole in mod_wsgi which would allow execution
of arbitrary code as user that daemon mode process runs.
Although using /tmp for UNIX socket files also has a similar danger,
my understanding is that sane UNIX systems will not allow you to
rename a socket created by another user and so can't compromise
mod_wsgi in same way. If some UNIX systems do allow that and you use
/tmp, you are already putting yourself at risk. Thus why documentation
says not to use /tmp, albeit that see many people who ignore that
warning.
Graham
Clodoaldo Neto
info to act. Fixing the link if someone cares:
https://bugzilla.redhat.com/show_bug.cgi?id=495780
So what is that directory permission/ownership you think is
appropriate? I guess root:apache 0710? I tested it and just the
execute permission (in the directory not in the files within) is
enough.
Now I'm sorry for the guy who suggested to make apache the owner of
the directory or give it write permission because he tried hard to
read, resume the threads and produce a patch and now he could be
feeling trashed given your somewhat harsh, albeit necessary, post.
Clodoaldo
>
> Graham
>
> >
>
Graham Dumpleton
That will work for mod_wsgi and I suspect other modules. If a module
was wanting to get a listing of the directory and thus require 'r' and
not just 'x', then I would say that what the module is doing is a bit
dubious.
So, yes, using root:apache 0710 is probably a good middle ground. You
might like to comment on the bug report and add that.
> Now I'm sorry for the guy who suggested to make apache the owner of
> the directory or give it write permission because he tried hard to
> read, resume the threads and produce a patch and now he could be
> feeling trashed given your somewhat harsh, albeit necessary, post.
I could have put a smiley after the last line about the security advisory. :-)
Overall I didn't think I was trashing anyone, just providing
information that those people might not be aware of.
Graham