Discussion:
Test server.pl. Failed to find the GID for the 'httpd' process
Mike Budd
2014-07-16 19:59:06 UTC
Hi Thorsten

My Bugzilla server has been functioning broadly OK (apart from the shutdown
problem we discussed before) for a couple of years, but I was looking to
check security and so ran testserver.pl for the first time.

I got "TEST-WARNING Failed to find the GID for the 'httpd' process, unable
to validate webservergroup."

I also got another error "TEST-WARNING Failed to run gdlib-config; can't
compare GD versions." But I assume they are unrelated so will deal with that
in a different trace if you like.

My localconfig file has $webservergroup = 'www-data';

To check this I did:

[code]
***@ubuntu:/etc/apache2# egrep -iw --color=auto 'user|group' /etc/apache2/apache2.conf
[/code]

And got

[code]
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
# Include all the user configurations:
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{User-agent}i" agent
[/code]

Then I did:

[code]
sudo gedit /etc/apache2/envvars
[/code]

And confirmed that ${APACHE_RUN_GROUP}='www-data'

So all seems well - and I am not sure why I am getting this error.

I thought maybe that it might be that testserver.pl was looking in
httpd.conf, which does not contain the server group setting? But this line
seems like it should find Apache2.conf

[code]
if ($line =~ /^(?:\S*\/)?(?:httpd|apache)2?\s+(\d+)$/)
[/code]

I think I'm not understanding something..

Kind regards and many thanks in anticipation

Mike
Thorsten Schöning
2014-07-17 06:51:50 UTC
Hello Mike Budd,
Post by Mike Budd
I got "TEST-WARNING Failed to find the GID for the 'httpd' process, unable
to validate webservergroup."
[...]
Post by Mike Budd
I thought maybe that it might be that testserver.pl was looking in
httpd.conf, which does not contain the server group setting? But this line
seems like it should find Apache2.conf
It does not check configuration, but uses shell commands instead which
you can manually execute yourself to compare the output. Have a look
Execute all three commands and check their output, compare it to the
regexp used in line 42. For some reason it either can't find the group
in the output or it can't resolve its name to a number.

Kind regards,

Thorsten Schöning
--
Thorsten Schöning E-Mail:***@AM-SoFT.de
AM-SoFT IT-Systeme http://www.AM-SoFT.de/

Telefon...........05151- 9468- 55
Fax...............05151- 9468- 88
Mobil..............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Geschäftsführer: Andreas Muchow
Mike Budd
2014-07-17 08:40:37 UTC
Thanks Thorsten - mis-guessed what the script meant!

It looks to me like it's the truncation of the names that is causing the
problem? Note it's '/usr/sbin/apach' which is returned

I also note that /usr/sbin/apach sometimes gets a GID of 33 sometimes of
0

And it complains about the ps command syntax in two cases. But these are
probably alternative commands for different Linux versions?

What do you think?

Best wishes

Mike


Console output:

***@ubuntu:/var/www/bugzilla# ps -eo comm,gid
COMMAND GID
init 0
kthreadd 0
ksoftirqd/0 0
migration/0 0
watchdog/0 0
cpuset 0
khelper 0
kdevtmpfs 0
netns 0
sync_supers 0
bdi-default 0
kintegrityd 0
kblockd 0
ata_sff 0
khubd 0
md 0
kworker/u:1 0
khungtaskd 0
kswapd0 0
ksmd 0
khugepaged 0
fsnotify_mark 0
ecryptfs-kthrea 0
crypto 0
kthrotld 0
scsi_eh_0 0
scsi_eh_1 0
kworker/u:2 0
devfreq_wq 0
mpt_poll_0 0
mpt/0 0
scsi_eh_2 0
jbd2/sda1-8 0
ext4-dio-unwrit 0
upstart-udev-br 0
udevd 0
ttm_swap 0
udevd 0
udevd 0
kpsmoused 0
upstart-socket- 0
smbd 0
dbus-daemon 107
smbd 0
modem-manager 0
bluetoothd 0
NetworkManager 0
rsyslogd 103
cupsd 0
avahi-daemon 113
avahi-daemon 113
polkitd 0
colord 105
getty 0
getty 0
krfcommd 0
getty 0
getty 0
dhclient 0
getty 0
acpid 0
lightdm 0
whoopsie 129
mysqld 126
cron 0
atd 1
Xorg 0
/usr/sbin/apach 0
lightdm 0
accounts-daemon 0
dnsmasq 30
exim4 127
tpvmlp 0
flush-8:0 0
vmware-vmblock- 0
vmtoolsd 0
nmbd 0
console-kit-dae 0
miniserv.pl 0
gnome-session 1000
ssh-agent 1000
dbus-launch 1000
dbus-daemon 1000
gvfsd 1000
gvfs-fuse-daemo 1000
gnome-settings- 1000
gnome-keyring-d 1000
upowerd 0
metacity 1000
gconfd-2 1000
unity-2d-shell 1000
unity-2d-panel 1000
pulseaudio 1000
rtkit-daemon 122
gnome-fallback- 1000
bluetooth-apple 1000
polkit-gnome-au 1000
nautilus 1000
vmtoolsd 1000
nm-applet 1000
gconf-helper 1000
bamfdaemon 1000
gvfs-gdu-volume 1000
udisks-daemon 0
udisks-daemon 0
gvfs-gphoto2-vo 1000
gvfs-afc-volume 1000
/etc/rc2.d/S20j 0
sh 0
logger 0
winbindd 0
getty 0
unity-panel-ser 1000
dconf-service 1000
indicator-datet 1000
indicator-messa 1000
indicator-print 1000
indicator-sessi 1000
indicator-sound 1000
indicator-appli 1000
geoclue-master 1000
gvfsd-trash 1000
ubuntu-geoip-pr 1000
gvfsd-burn 1000
winbindd 0
gvfsd-metadata 1000
hud-service 1000
unity-music-dae 1000
unity-files-dae 1000
unity-lens-vide 1000
unity-applicati 1000
sudo 0
/var/www/bugzil 0
gdu-notificatio 1000
telepathy-indic 1000
mission-control 1000
zeitgeist-datah 1000
zeitgeist-daemo 1000
gnome-screensav 1000
goa-daemon 1000
zeitgeist-fts 1000
unity-musicstor 1000
cat 1000
unity-scope-vid 1000
update-notifier 1000
system-service- 0
deja-dup-monito 1000
winbindd 0
winbindd 0
gnome-terminal 1000
gnome-pty-helpe 43
bash 1000
su 0
bash 0
/usr/sbin/apach 33
/usr/sbin/apach 33
/usr/sbin/apach 33
dbus 7
kworker/0:2 0
kworker/0:1 0
kworker/0:0 0
ps 0
dbus-launch 0
dbus-daemon 0
dconf-service 0

***@ubuntu:/var/www/bugzilla# ps -acxo command,gid
Warning: bad ps syntax, perhaps a bogus '-'? See
http://procps.sf.net/faq.html
COMMAND GID
init 0
kthreadd 0
ksoftirqd/0 0
migration/0 0
watchdog/0 0
cpuset 0
khelper 0
kdevtmpfs 0
netns 0
sync_supers 0
bdi-default 0
kintegrityd 0
kblockd 0
ata_sff 0
khubd 0
md 0
kworker/u:1 0
khungtaskd 0
kswapd0 0
ksmd 0
khugepaged 0
fsnotify_mark 0
ecryptfs-kthrea 0
crypto 0
kthrotld 0
scsi_eh_0 0
scsi_eh_1 0
kworker/u:2 0
devfreq_wq 0
mpt_poll_0 0
mpt/0 0
scsi_eh_2 0
jbd2/sda1-8 0
ext4-dio-unwrit 0
upstart-udev-br 0
udevd 0
ttm_swap 0
udevd 0
udevd 0
kpsmoused 0
upstart-socket- 0
smbd 0
dbus-daemon 107
smbd 0
modem-manager 0
bluetoothd 0
NetworkManager 0
rsyslogd 103
cupsd 0
avahi-daemon 113
avahi-daemon 113
polkitd 0
colord 105
getty 0
getty 0
krfcommd 0
getty 0
getty 0
dhclient 0
getty 0
acpid 0
lightdm 0
whoopsie 129
mysqld 126
cron 0
atd 1
Xorg 0
/usr/sbin/apach 0
lightdm 0
accounts-daemon 0
dnsmasq 30
exim4 127
tpvmlp 0
flush-8:0 0
vmware-vmblock- 0
vmtoolsd 0
nmbd 0
console-kit-dae 0
miniserv.pl 0
gnome-session 1000
ssh-agent 1000
dbus-launch 1000
dbus-daemon 1000
gvfsd 1000
gvfs-fuse-daemo 1000
gnome-settings- 1000
gnome-keyring-d 1000
upowerd 0
metacity 1000
gconfd-2 1000
unity-2d-shell 1000
unity-2d-panel 1000
pulseaudio 1000
rtkit-daemon 122
gnome-fallback- 1000
bluetooth-apple 1000
polkit-gnome-au 1000
nautilus 1000
vmtoolsd 1000
nm-applet 1000
gconf-helper 1000
bamfdaemon 1000
gvfs-gdu-volume 1000
udisks-daemon 0
udisks-daemon 0
gvfs-gphoto2-vo 1000
gvfs-afc-volume 1000
/etc/rc2.d/S20j 0
sh 0
logger 0
winbindd 0
getty 0
unity-panel-ser 1000
dconf-service 1000
indicator-datet 1000
indicator-messa 1000
indicator-print 1000
indicator-sessi 1000
indicator-sound 1000
indicator-appli 1000
geoclue-master 1000
gvfsd-trash 1000
ubuntu-geoip-pr 1000
gvfsd-burn 1000
winbindd 0
gvfsd-metadata 1000
hud-service 1000
unity-music-dae 1000
unity-files-dae 1000
unity-lens-vide 1000
unity-applicati 1000
sudo 0
/var/www/bugzil 0
gdu-notificatio 1000
telepathy-indic 1000
mission-control 1000
zeitgeist-datah 1000
zeitgeist-daemo 1000
gnome-screensav 1000
goa-daemon 1000
zeitgeist-fts 1000
unity-musicstor 1000
cat 1000
unity-scope-vid 1000
update-notifier 1000
system-service- 0
deja-dup-monito 1000
winbindd 0
winbindd 0
gnome-terminal 1000
gnome-pty-helpe 43
bash 1000
su 0
bash 0
/usr/sbin/apach 33
/usr/sbin/apach 33
/usr/sbin/apach 33
dbus 7
kworker/0:2 0
kworker/0:1 0
kworker/0:0 0
ps 0
dbus-launch 0
dbus-daemon 0
dconf-service 0

***@ubuntu:/var/www/bugzilla# ps -acxo command,rgid
Warning: bad ps syntax, perhaps a bogus '-'? See
http://procps.sf.net/faq.html
COMMAND RGID
init 0
kthreadd 0
ksoftirqd/0 0
migration/0 0
watchdog/0 0
cpuset 0
khelper 0
kdevtmpfs 0
netns 0
sync_supers 0
bdi-default 0
kintegrityd 0
kblockd 0
ata_sff 0
khubd 0
md 0
kworker/u:1 0
khungtaskd 0
kswapd0 0
ksmd 0
khugepaged 0
fsnotify_mark 0
ecryptfs-kthrea 0
crypto 0
kthrotld 0
scsi_eh_0 0
scsi_eh_1 0
kworker/u:2 0
devfreq_wq 0
mpt_poll_0 0
mpt/0 0
scsi_eh_2 0
jbd2/sda1-8 0
ext4-dio-unwrit 0
upstart-udev-br 0
udevd 0
ttm_swap 0
udevd 0
udevd 0
kpsmoused 0
upstart-socket- 0
smbd 0
dbus-daemon 107
smbd 0
modem-manager 0
bluetoothd 0
NetworkManager 0
rsyslogd 103
cupsd 0
avahi-daemon 113
avahi-daemon 113
polkitd 0
colord 105
getty 0
getty 0
krfcommd 0
getty 0
getty 0
dhclient 0
getty 0
acpid 0
lightdm 0
whoopsie 129
mysqld 126
cron 0
atd 0
Xorg 0
/usr/sbin/apach 0
lightdm 0
accounts-daemon 0
dnsmasq 30
exim4 127
tpvmlp 0
flush-8:0 0
vmware-vmblock- 0
vmtoolsd 0
nmbd 0
console-kit-dae 0
miniserv.pl 0
gnome-session 1000
ssh-agent 1000
dbus-launch 1000
dbus-daemon 1000
gvfsd 1000
gvfs-fuse-daemo 1000
gnome-settings- 1000
gnome-keyring-d 1000
upowerd 0
metacity 1000
gconfd-2 1000
unity-2d-shell 1000
unity-2d-panel 1000
pulseaudio 1000
rtkit-daemon 122
gnome-fallback- 1000
bluetooth-apple 1000
polkit-gnome-au 1000
nautilus 1000
vmtoolsd 1000
nm-applet 1000
gconf-helper 1000
bamfdaemon 1000
gvfs-gdu-volume 1000
udisks-daemon 0
udisks-daemon 0
gvfs-gphoto2-vo 1000
gvfs-afc-volume 1000
/etc/rc2.d/S20j 0
sh 0
logger 0
winbindd 0
getty 0
unity-panel-ser 1000
dconf-service 1000
indicator-datet 1000
indicator-messa 1000
indicator-print 1000
indicator-sessi 1000
indicator-sound 1000
indicator-appli 1000
geoclue-master 1000
gvfsd-trash 1000
ubuntu-geoip-pr 1000
gvfsd-burn 1000
winbindd 0
gvfsd-metadata 1000
hud-service 1000
unity-music-dae 1000
unity-files-dae 1000
unity-lens-vide 1000
unity-applicati 1000
sudo 0
/var/www/bugzil 0
gdu-notificatio 1000
telepathy-indic 1000
mission-control 1000
zeitgeist-datah 1000
zeitgeist-daemo 1000
gnome-screensav 1000
goa-daemon 1000
zeitgeist-fts 1000
unity-musicstor 1000
cat 1000
unity-scope-vid 1000
update-notifier 1000
system-service- 0
deja-dup-monito 1000
winbindd 0
winbindd 0
gnome-terminal 1000
gnome-pty-helpe 1000
bash 1000
su 0
bash 0
/usr/sbin/apach 33
/usr/sbin/apach 33
/usr/sbin/apach 33
dbus 7
kworker/0:2 0
kworker/0:1 0
kworker/0:0 0
/usr/share/webm <defunct> 0
ps 0
dbus-launch 0
dbus-daemon 0
dconf-service 0

-----Original Message-----
From: support-bugzilla
[mailto:support-bugzilla-bounces+mike=***@lists.mozilla.org]
On Behalf Of Thorsten Schöning
Sent: 17 July 2014 07:52
To: support-***@lists.mozilla.org
Subject: Re: Test server.pl. Failed to find the GID for the 'httpd' process

Hello Mike Budd,
Post by Mike Budd
I got "TEST-WARNING Failed to find the GID for the 'httpd' process,
unable to validate webservergroup."
[...]
Post by Mike Budd
I thought maybe that it might be that testserver.pl was looking in
httpd.conf, which does not contain the server group setting? But this
line seems like it should find Apache2.conf
It does not check configuration, but uses shell commands instead which you
can manually execute yourself to compare the output. Have a look at line 36
Post by Mike Budd
command,rgid');
Execute all three commands and check their output, compare it to the regexp
used in line 42. For some reason it either can't find the group in the
output or it can't resolve its name to a number.

Kind regards,

Thorsten Schöning
Thorsten Schöning
2014-07-17 09:11:03 UTC
Hello Mike Budd,
Post by Mike Budd
It looks to me like it's the truncation of the names that is causing the
problem? Note it's '/usr/sbin/apach' which is returned
Yes, I get the same outputs for my Ubuntu 12.04 LTS and testserver.pl
prints the same message as yours.
Post by Mike Budd
I also note that /usr/sbin/apach sometimes gets a GID of 33 sometimes of 0
I guess 0 is the root process and the others with 33 are forked workers
with dropped permissions. But that shouldn't be a problem because
testserver.pl seems to only take the highest found group id.
Post by Mike Budd
What do you think?
I suggest filing a bug about your findings, the reg could be easily
adapted if the devs decide that "apach" is safe enough.

http://www.bugzilla.org/developers/reporting_bugs.html

Kind regards,

Thorsten Schöning
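
The mismatch discussed in this thread, as an added example that is not part of the original posts and not Bugzilla's own code (written in Python rather than Perl): the pattern quoted from testserver.pl is run over process lines with the name cut off as in the posted `ps` output, next to a relaxed pattern. The `RELAXED` pattern, the function names, the sample lines and the assumption that GID 33 belongs to `www-data` are all constructed for illustration.

```python
import re

# Pattern quoted in the thread from testserver.pl (Perl's \/ is a plain / here).
ORIGINAL = re.compile(r'^(?:\S*/)?(?:httpd|apache)2?\s+(\d+)$')
# Hypothetical relaxed pattern (not Bugzilla's): also accepts the name cut
# off after "apach", as ps printed it in the thread.
RELAXED = re.compile(r'^(?:\S*/)?(?:httpd2?|apach(?:e2?)?)\s+(\d+)$')

# Constructed sample modelled on the 'ps -eo comm,gid' output posted above.
TRUNCATED_PS = """\
COMMAND           GID
init                0
mysqld            126
/usr/sbin/apach     0
apachetop        1000
/usr/sbin/apach    33
/usr/sbin/apach    33
"""

# Constructed sample of a system where ps prints the full short name.
FULL_PS = """\
COMMAND           GID
apache2             0
apache2            33
"""

def highest_gid(ps_output, pattern):
    """Highest GID among matching process lines, or None if none match.
    Taking the highest follows the behaviour described in the thread."""
    gids = []
    for line in ps_output.splitlines():
        m = pattern.match(line.strip())
        if m:
            gids.append(int(m.group(1)))
    return max(gids) if gids else None

def validate_group(ps_output, expected_gid, pattern):
    """Compare the detected web server GID with the configured group's GID."""
    gid = highest_gid(ps_output, pattern)
    if gid is None:
        return "not-found"   # the case behind the TEST-WARNING in this thread
    return "ok" if gid == expected_gid else "mismatch"

if __name__ == "__main__":
    # 33 is assumed to be the GID of www-data, as the posted output suggests.
    for name, pat in (("original", ORIGINAL), ("relaxed", RELAXED)):
        print(name, validate_group(TRUNCATED_PS, 33, pat))
```

The relaxed pattern still rejects unrelated names such as the constructed `apachetop` line, so the root parent (GID 0) and the workers (GID 33) are the only matches.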
Mike Budd
2014-07-17 09:40:27 UTC
Yes that all makes sense to me, thanks very much Thorsten, I will report a
bug.

I understand that failure of this test may indicate that checksetup.pl will
not be able to set as secure access permissions as it should do.

That's why I was running it really.

Presumably checksetup.pl uses a similar test, and therefore does not set
secure access permissions on Ubuntu 12.04?

(I have not seen any such problem indicated when running it though, but it's
possible I missed it I guess.)

ls -l in the Bugzilla directory gives this output for all Bugzilla program
and config files inc localconfig, though the single letter attributes at the
start vary greatly.

[code]
-rw-r----- 1 root www-data 5106 Jul 22 2013 localconfig
[/code]

I can send the full output for the directory if you wish.

Many thanks again

Best wishes

Mike
Thorsten Schöning
2014-07-17 09:53:01 UTC
Hello Mike Budd,
Post by Mike Budd
Presumably checksetup.pl uses a similar test, and therefore does not set
secure access permissions on Ubuntu 12.04?
No, checksetup.pl doesn't need to retrieve groups or users from
somewhere somehow, it just uses what you configured and that works or
fails, in the latter case it would tell you about it.

Kind regards,

Thorsten Schöning