
Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied




	Hi.

On Wed, Oct 17, 2018 at 06:33:09AM +0200, steve wrote:
> Le 16-10-2018, à 09:51:22 +0300, Reco a écrit :
> 
> > 	Hi.
> > 
> > On Tue, Oct 16, 2018 at 07:31:17AM +0200, steve wrote:
> > > Hi there,
> > > 
> > > Purged and then reinstalled apache2 and when I want to start apache2,
> > > here's what I get:
> > > 
> > > # systemctl status apache2.service
> > > ● apache2.service - The Apache HTTP Server
> > >   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
> > >   Active: failed (Result: exit-code) since Tue 2018-10-16 07:22:02 CEST; 13s ago
> > >  Process: 32122 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
> > > 
> > > oct 16 07:22:01 box systemd[1]: Starting The Apache HTTP Server...
> > > oct 16 07:22:01 box apachectl[32122]: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied
> > > oct 16 07:22:02 box apachectl[32122]: Action 'start' failed.
> > > oct 16 07:22:02 box apachectl[32122]: The Apache error log may have more information.
> > 
> > So, does the 'Apache error log' have anything useful?
> 
> Nothing. It's empty.

And that, my dear list, shows us that in that particular case the systemd
journal is useless. It was expected, though, as it's the usual thing with
it: it's able to tell you that something is wrong, but it never tells
you the actual cause of it.


> > > ls -l /etc/apache2/apache2.conf
> > > -rw-r--r-- 1 root root 7224 jun  2 10:01 /etc/apache2/apache2.conf
> > 
> > First things first, it's 'ls -lZ /etc/apache2/apache2.conf'.
> 
> # ls -lZ /etc/apache2/apache2.conf
> -rw-r--r-- 1 root root ? 7224 jun  2 10:01 /etc/apache2/apache2.conf

And that shows us that you aren't using SELinux.


> > Next thing to check is 'ls -ald / /etc /etc/apache2'.
> 
> # ls -ald /etc/apache2
> drwxr-xr-x 8 root root 4096 oct 16 07:21 /etc/apache2

The original command contains three directories; you show just one.
A hint: all three could be important in this case.


> > And, finally, /var/log/audit/audit.log if you have auditd installed
> > (hint - install it if you don't).
> 
> grep apache /var/log/audit/audit.log
> 
> type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=SYSCALL msg=audit(1539750555.347:76): arch=c000003e syscall=2 success=no exit=-13 a0=7fe220cac22a a1=80000 a2=1b6 a3=80000 items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
> type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=SYSCALL msg=audit(1539750555.347:77): arch=c000003e syscall=2 success=no exit=-13 a0=7fe2219b6f70 a1=80000 a2=1b6 a3=ffffffffffffff7f items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
> type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=apache2 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
> 
> Seems fine to me.

On the contrary. These show that the apache2 binary was denied reading
/etc/gai.conf *and* /etc/apache2/apache2.conf by some Mandatory Access
Control (audit record type AVC).
Since you're using Debian, I suspect AppArmor.

First things first, AppArmor (and any kind of MAC) is a good thing,
especially in your typical server environment. They'll suggest you
disable it - don't. Lowering the overall security of your OS is not
worth it.

Second, Debian does not provide AppArmor profiles for Apache. Whatever
profile is active in your installation is the result of local
misconfiguration.

Third, it's fixable. Install apparmor-utils.
Invoke 'aa-complain /usr/sbin/apache2'.
Start your apache2 service, stop it and start it again.
Make some GET/PUT requests to it.
Invoke 'aa-logprof' and generate an AppArmor profile that's uniquely
suited to your environment.
Invoke 'aa-enforce /usr/sbin/apache2', and you're set.

Reco
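The diagnosis above rests on reading two audit record types together: the AVC record names the profile, the path and the access that AppArmor refused, and the SYSCALL record with the same event serial carries the errno the process actually saw (exit=-13 is EACCES, which is the "Permission denied" apachectl reported) and whether the profile was in enforce mode. The script below is an added example, not code from the thread or from the apparmor-utils package: it parses audit.log lines, pairs AVC and SYSCALL records by serial, and summarizes per profile which paths were denied. The sample input embeds the five records quoted in the mail verbatim plus two constructed records showing what the same access logs in complain mode (apparmor="ALLOWED"), which is what you would see after 'aa-complain' and what 'aa-logprof' turns into profile rules.

```python
"""Pair AppArmor AVC records in auditd's audit.log with the SYSCALL record of
the same event, and summarize denials per profile.

Added example for this thread, not code from the original post or from
apparmor-utils. The first five sample lines are copied from the mail; the
last two are constructed to show a complain-mode record for the same path."""
import errno
import re
from collections import defaultdict

# Records quoted in the thread (verbatim), then two constructed records
# standing in for what complain mode would log for the same open().
SAMPLE_LOG = """\
type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750555.347:76): arch=c000003e syscall=2 success=no exit=-13 a0=7fe220cac22a a1=80000 a2=1b6 a3=80000 items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750555.347:77): arch=c000003e syscall=2 success=no exit=-13 a0=7fe2219b6f70 a1=80000 a2=1b6 a3=ffffffffffffff7f items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=apache2 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1539750600.000:90): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17600 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750600.000:90): arch=c000003e syscall=2 success=yes exit=3 a0=0 a1=80000 a2=1b6 a3=0 items=0 ppid=17598 pid=17600 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (complain) key=(null)
"""

# Audit records are space-separated key=value pairs; values may be quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_MSG = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
# AppArmor labels are printed as  subj==/path/to/profile (mode)  or  subj==unconfined
_SUBJ = re.compile(r'subj==?(\S+)(?: \((\w+)\))?')


def parse_record(line):
    """Return one audit.log line as a dict; adds ts, serial and the subj label/mode."""
    rec = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    m = _MSG.search(line)
    if m:
        rec['ts'], rec['serial'] = float(m.group(1)), int(m.group(2))
    m = _SUBJ.search(line)
    if m:
        rec['subj_label'], rec['subj_mode'] = m.group(1), m.group(2)
    return rec


def apparmor_events(lines):
    """Group records by event serial; keep events that carry an AppArmor AVC record."""
    by_serial = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if 'serial' in rec:
            by_serial[rec['serial']].append(rec)
    events = []
    for serial, recs in sorted(by_serial.items()):
        avc = next((r for r in recs if r.get('type') == 'AVC' and 'apparmor' in r), None)
        if avc is None:
            continue
        sc = next((r for r in recs if r.get('type') == 'SYSCALL'), {})
        exit_code = int(sc['exit']) if 'exit' in sc else None
        events.append({
            'serial': serial,
            'verdict': avc['apparmor'],          # DENIED (enforce) or ALLOWED (complain)
            'profile': avc.get('profile'),
            'path': avc.get('name'),
            'mask': avc.get('requested_mask'),
            'mode': sc.get('subj_mode'),         # enforce / complain from the SYSCALL subj
            'exit': exit_code,
            # Negative exit is -errno; -13 is EACCES, the "Permission denied" apachectl showed.
            'errname': errno.errorcode.get(-exit_code) if exit_code is not None and exit_code < 0 else None,
        })
    return events


def summarize(events):
    """Per profile: last seen mode, paths really denied, paths complain mode only logged."""
    out = {}
    for ev in events:
        entry = out.setdefault(ev['profile'], {'mode': None, 'denied': [], 'would_deny': []})
        entry['mode'] = ev['mode']
        entry['denied' if ev['verdict'] == 'DENIED' else 'would_deny'].append(ev['path'])
    return out


if __name__ == '__main__':
    for ev in apparmor_events(SAMPLE_LOG.splitlines()):
        print(f"{ev['serial']}: {ev['verdict']} {ev['profile']} ({ev['mode']}) "
              f"{ev['mask']} {ev['path']} exit={ev['exit']} {ev['errname'] or ''}")
    print(summarize(apparmor_events(SAMPLE_LOG.splitlines())))
```

Run it against a real file with `apparmor_events(open('/var/log/audit/audit.log'))`. The 'would_deny' list is the set of accesses 'aa-logprof' will offer to add to the profile; the 'denied' list is what broke the service while the profile was in enforce mode.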