Cannot open '/proc/1/environ' for reading #2168

Closed
greenius opened this issue Jan 24, 2019 · 4 comments

@greenius
commented Jan 24, 2019

Passenger 6.0.1 will not start in Apache on my Gentoo Linux System.

[Thu Jan 24 10:43:57.606465 2019] [mpm_event:notice] [pid 1143:tid 140664593635200] AH00492: caught SIGWINCH, shutting down gracefully
terminate called after throwing an instance of 'Passenger::FileSystemException'
  what():  Cannot open '/proc/1/environ' for reading: Permission denied (errno=13)
[Thu Jan 24 10:44:11.925474 2019] [passenger:error] [pid 9229:tid 140218461935488] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have been killed with signal SIGABRT during startup
terminate called after throwing an instance of 'Passenger::FileSystemException'
  what():  Cannot open '/proc/1/environ' for reading: Permission denied (errno=13)

This looks like it is caused by commit 2165cb3 to fix issue #2143.

On my machine /proc/1/environ is read only by root, so it cannot be read by Passenger, which is running as a different user (using the PassengerUser and PassengerGroup Apache configuration).

$ ls -l /proc/1/environ
-r-------- 1 root root 0 Jan 24 13:15 /proc/1/environ

unsafeReadFile() then throws a FileSystemException.

@faew

commented Apr 5, 2019

Module

ls -l /usr/local/lib/ruby/gems/2.6.0/gems/passenger-6.0.2/buildout/apache2/mod_passenger.so
-rwxr-xr-x. 1 root root 11651424 Apr  5 09:08 /usr/local/lib/ruby/gems/2.6.0/gems/passenger-6.0.2/buildout/apache2/mod_passenger.so

Log

[Fri Apr 05 10:30:42.302796 2019] [passenger:error] [pid 30207] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog:.
it seems to have been killed with signal SIGABRT during startup
terminate called after throwing an instance of 'Passenger::FileSystemException'
  what():  Cannot stat '/proc/1/environ': Permission denied (errno=13)

Source

 cat ContainerHelpers.h | grep -B 1 "/proc/1"
        if (getuid() == 0) {
                if (fileExists("/proc/1/environ")) {
                        string file = unsafeReadFile("/proc/1/environ");

VirtualHost

    RailsEnv production
    RailsBaseURI /
    PassengerUser name
    PassengerGroup name
    AssignUserId name name
    PassengerFriendlyErrorPages off

All fine in passenger-5.3.1 in same setup.

@CamJN

Contributor

commented Apr 5, 2019

@faew As you can see, we only read /proc/1 when running as root. Do you have SELinux enabled or some other additional software limiting access to /proc even when root?

@faew

commented Apr 5, 2019

@CamJN
Apache runs as root.
But it drops privileges and runs as the AssignUserId user and group for the virtual host with mpm-itk.

SELinux is enabled: https://github.com/faew/linux.feature/blob/master/patch/passenger_local.te for passenger-5.3.1. audit.log now shows no errors.

@CamJN

Contributor

commented Apr 5, 2019

Ok, looks like I can just check the euid instead of uid and it should be fixed.
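
An added example, not code from Passenger or from anyone in this thread: a sketch of the effective-uid gate discussed above, which also returns a status instead of throwing when the file is missing or access is denied. `ReadResult`, `fromErrno` and `readIfPrivileged` are hypothetical names, and returning a status rather than raising an exception is this example's own choice.

```cpp
// Added example, not Passenger source. All names here are hypothetical.
#include <cerrno>
#include <cstdio>
#include <string>
#include <fcntl.h>
#include <unistd.h>

enum class ReadResult { Ok, NotPrivileged, Missing, Denied, Error };

static ReadResult fromErrno(int e) {
    if (e == ENOENT) return ReadResult::Missing;
    if (e == EACCES || e == EPERM) return ReadResult::Denied;
    return ReadResult::Error;
}

// Gate on the effective uid, passed in as a parameter so the decision can be
// exercised without actually being root.
ReadResult readIfPrivileged(uid_t euid, const char *path, std::string &out) {
    out.clear();
    if (euid != 0) return ReadResult::NotPrivileged;
    // Open directly instead of exists-then-read: one syscall, one errno to map.
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd == -1) return fromErrno(errno);
    char buf[4096];
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n == 0) break;                        // end of file
        if (n == -1 && errno == EINTR) continue;  // interrupted, retry
        if (n == -1) {
            int e = errno;
            close(fd);
            out.clear();
            return fromErrno(e);
        }
        out.append(buf, static_cast<size_t>(n));  // environ is NUL-separated; keep the NULs
    }
    close(fd);
    return ReadResult::Ok;
}

int main() {
    std::string env;
    ReadResult r = readIfPrivileged(geteuid(), "/proc/1/environ", env);
    std::printf("uid=%d euid=%d result=%d bytes=%zu\n", (int)getuid(),
                (int)geteuid(), static_cast<int>(r), env.size());
    return 0;
}
```

A caller can treat every result other than `Ok` as "no environment available" and continue startup, so a restricted /proc does not abort the process.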
