
Cannot open '/proc/1/environ' for reading #2168

Closed
greenius opened this issue Jan 24, 2019 · 13 comments

Comments


@greenius greenius commented Jan 24, 2019

Passenger 6.0.1 will not start in Apache on my Gentoo Linux System.

[Thu Jan 24 10:43:57.606465 2019] [mpm_event:notice] [pid 1143:tid 140664593635200] AH00492: caught SIGWINCH, shutting down gracefully
terminate called after throwing an instance of 'Passenger::FileSystemException'
  what():  Cannot open '/proc/1/environ' for reading: Permission denied (errno=13)
[Thu Jan 24 10:44:11.925474 2019] [passenger:error] [pid 9229:tid 140218461935488] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have been killed with signal SIGABRT during startup
terminate called after throwing an instance of 'Passenger::FileSystemException'
  what():  Cannot open '/proc/1/environ' for reading: Permission denied (errno=13)

This looks like it is caused by commit 2165cb3 to fix issue #2143.

On my machine /proc/1/environ is readable only by root, so it cannot be read by Passenger, which is running as a different user (using the PassengerUser and PassengerGroup Apache configuration).

$ ls -l /proc/1/environ
-r-------- 1 root root 0 Jan 24 13:15 /proc/1/environ

unsafeReadFile() then throws a FileSystemException.


@faew faew commented Apr 5, 2019

Module

ls -l /usr/local/lib/ruby/gems/2.6.0/gems/passenger-6.0.2/buildout/apache2/mod_passenger.so
-rwxr-xr-x. 1 root root 11651424 Apr  5 09:08 /usr/local/lib/ruby/gems/2.6.0/gems/passenger-6.0.2/buildout/apache2/mod_passenger.so

Log

[Fri Apr 05 10:30:42.302796 2019] [passenger:error] [pid 30207] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog:.
it seems to have been killed with signal SIGABRT during startup
terminate called after throwing an instance of 'Passenger::FileSystemException'
  what():  Cannot stat '/proc/1/environ': Permission denied (errno=13)

Source

 cat ContainerHelpers.h | grep -B 1 "/proc/1"
        if (getuid() == 0) {
                if (fileExists("/proc/1/environ")) {
                        string file = unsafeReadFile("/proc/1/environ");

VirtualHost

    RailsEnv production
    RailsBaseURI /
    PassengerUser name
    PassengerGroup name
    AssignUserId name name
    PassengerFriendlyErrorPages off

All fine in passenger-5.3.1 in the same setup.

@CamJN CamJN (Contributor) commented Apr 5, 2019

@faew as you can see, we only read /proc/1 when running as root. Do you have SELinux enabled or some other additional software limiting access to /proc even when root?


@faew faew commented Apr 5, 2019

@CamJN
Apache runs as root.
But it drops privileges and runs as the AssignUserId user and group for the virtualhost with mpm-itk.

SELinux is enabled; https://github.com/faew/linux.feature/blob/master/patch/passenger_local.te is for passenger-5.3.1. Now audit.log shows no errors.

@CamJN CamJN (Contributor) commented Apr 5, 2019

Ok, it looks like I can just check the euid instead of the uid and it should be fixed.


@oescorza oescorza commented Feb 28, 2020

I have a 32bit Gentoo/OpenRC box with version 6.0.1 installed and mod_passenger runs without trouble.
Recently I've got a new 64bit Gentoo/Systemd box. I've tried all versions from 6.0.1 to 6.0.4 with exactly the same settings and I'm getting this very same error message.


@faew faew commented Feb 28, 2020

Try enabling the proc-stat USE flag for apache.

/etc/portage/package.use
www-servers/apache proc-stat


@oescorza oescorza commented Feb 28, 2020

Thanks a lot for the answer.

Just tried to re-emerge apache with that USE flag but nothing changed.
Actually, the proc-stat USE flag doesn't seem to be in any apache ebuild within the portage tree (https://packages.gentoo.org/useflags/proc-stat).


@faew faew commented Feb 28, 2020

Check hidepid in /etc/fstab
https://wiki.gentoo.org/wiki/Procfs


@oescorza oescorza commented Feb 28, 2020

There is no /proc line in my /etc/fstab, AFAIS procfs is mounted with default settings:
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
And actually, /proc/1 has 0555 permissions, which should mean that my procfs is mounted with hidepid=0.


@shimarin shimarin commented Jan 6, 2021

@oescorza You need to remove the CapabilityBoundingSet line (or add the proper capability flag, though I haven't found out which one it is) from /lib/systemd/system/apache2.service to get apache capable of reading /proc/1/environ.


@g7 g7 commented Feb 26, 2021

Hello,

adding CAP_SYS_PTRACE to CapabilityBoundingSet seems to work here.

Also works as a drop-in without the requirement to edit the apache2.service unit:

mkdir -p /etc/systemd/system/apache2.service.d
cat > /etc/systemd/system/apache2.service.d/10-cap-ptrace.conf <<EOF
[Service]
CapabilityBoundingSet=CAP_SYS_PTRACE
EOF
systemctl daemon-reload
systemctl restart apache2

Note: as pointed out by @faew, this is a security hazard so you shouldn't run that in production.


@faew faew commented Feb 26, 2021

CAP_SYS_PTRACE can be used for simple privilege escalation.


@g7 g7 commented Feb 26, 2021

@faew you're correct. It's not a worry in my case, but I should've made that clear. I updated my comment above.
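A check for the hazard faew and g7 discuss, as an added C example that comes from neither the thread nor Passenger: it parses the CapBnd and CapEff lines of /proc/<pid>/status and reports whether CAP_SYS_PTRACE (capability number 19 in <linux/capability.h>) is effective or merely reachable for a process, so an apache2 unit carrying the CapabilityBoundingSet drop-in above can be audited after the restart. The status texts below are constructed samples; the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Capability number of CAP_SYS_PTRACE from <linux/capability.h>, copied
 * here so the example builds without kernel headers. */
#define CAP_SYS_PTRACE 19

/* Constructed samples of the capability lines in /proc/<pid>/status. */
static const char SAMPLE_ROOT_DEFAULT[] =   /* root, unit without CapabilityBoundingSet= */
    "Name:\tapache2\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n";
static const char SAMPLE_LOCKED_DOWN[] =    /* CapabilityBoundingSet= (empty set) */
    "Name:\tapache2\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000000000000000\n";
static const char SAMPLE_PTRACE_DROPIN[] =  /* CapabilityBoundingSet=CAP_SYS_PTRACE, worker after privilege drop */
    "Name:\tapache2\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000000000080000\n";

/* Locate "<label>:" at the start of a line and parse its hex mask.
 * Returns 1 on success, 0 if the label is missing or the value is not hex. */
int parse_cap_mask(const char *status, const char *label, uint64_t *mask)
{
    size_t n = strlen(label);
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, label, n) == 0 && line[n] == ':') {
            const char *p = line + n + 1;
            while (*p == ' ' || *p == '\t')
                p++;
            char *end;
            unsigned long long v = strtoull(p, &end, 16);
            if (end == p)
                return 0;
            *mask = (uint64_t)v;
            return 1;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return 0;
}

/* Bit i of a capability mask corresponds to capability number i. */
int mask_has_cap(uint64_t mask, int capnum)
{
    return (int)((mask >> capnum) & 1ULL);
}

/* 1 if CAP_SYS_PTRACE is in the named set ("CapBnd", "CapEff", "CapPrm",
 * "CapInh"), 0 if absent, -1 if that line is not present in the text. */
int ptrace_in_set(const char *status, const char *set_label)
{
    uint64_t mask;
    if (!parse_cap_mask(status, set_label, &mask))
        return -1;
    return mask_has_cap(mask, CAP_SYS_PTRACE);
}

/* Verdict for one status text. A capability that is only in the bounding
 * set can still be acquired across execve (file capabilities or a setuid
 * root binary), so CapBnd matters for the audit, not just CapEff. */
const char *ptrace_verdict(const char *status)
{
    int eff = ptrace_in_set(status, "CapEff");
    int bnd = ptrace_in_set(status, "CapBnd");
    if (eff < 0 || bnd < 0)
        return "unknown (no Cap* lines)";
    if (eff)
        return "CAP_SYS_PTRACE effective now";
    if (bnd)
        return "CAP_SYS_PTRACE not effective but in bounding set";
    return "CAP_SYS_PTRACE unreachable";
}

/* Audit a live process by pid; returns NULL if its status is unreadable. */
const char *audit_pid(long pid)
{
    static char buf[8192];
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/status", pid);
    FILE *fp = fopen(path, "r");
    if (!fp)
        return NULL;
    size_t len = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[len] = '\0';
    return ptrace_verdict(buf);
}

int main(int argc, char **argv)
{
    long pid = argc > 1 ? atol(argv[1]) : (long)getpid();
    const char *verdict = audit_pid(pid);
    printf("pid %ld: %s\n", pid, verdict ? verdict : "status not readable");
    printf("sample drop-in: %s\n", ptrace_verdict(SAMPLE_PTRACE_DROPIN));
    return 0;
}
```

Pass the PID of the running apache2 main process (systemctl show -p MainPID apache2) as the argument; the expected reading for a unit without the drop-in is "unreachable", and "in bounding set" or "effective now" tells you the drop-in is live and should be removed before the host serves production traffic.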
