Package: apache2
Version: 2.4.10-10+deb8u4
Severity: important
Tags: patch
Jessie's apache2 SysV init script has two errors which can cause restarts to
fail or cause problems on shutdown.
Issue 1: Race condition in do_stop() and apache_wait_stop()
The do_stop() functions issues an apache2ctl stop/graceful-stop (or a killproc)
and calls apache_wait_stop() afterwards.
apache_wait_stop() tries to gather the current apache2 PID via pidofproc from
the pid file and afterwards checks, if the
process has already terminated (via kill -0). This approach is problematic,
because after receiving SIGTERM (via apache2ctl),
apache2 will remove its PID file in the shutdown process. When reaching the
pidofproc invocation in apache_wait_stop(),
the PID file may have already been removed (by apache2) and the PID of the main
apache process may not be determined
(although the process may yet be actively running). In this case,
apache_wait_stop() will wrongly return with 0, indicating
that the process has been terminated successfully.
In most cases, this is not problematic, because the apache2 process will
terminate shortly after - however in case of
restarts (which will call do_stop() -> do_start()) this may cause apache2 not
being able to start up, because the old
main process is still active and holding resources (like sockets/ports or
possibly locks etc.).
To resolve this, apache2ctl/killproc invocation should be done AFTER
determining apaches main PID. Note that in Wheezys
initscripts, this race condition was not present - this has been introduced
with Jessie.
Issue 2: Logical error in apache_wait_stop()
When waiting for the main PID to terminate, apache_wait_stop() will check every
second, if the process is dead. This
is done for 60 seconds max, after that, the inner loop will break and
presumably should set/return a statuscode of 2, which
it does not, because 'break' is executed before setting the correct return code:
if [ $i = '60' ]; then
break
STATUS=2
fi
This might cause problems in case apache2 cannot be shut down correctly (for
whatever reason).
The following patch should fix the issues mentioned above:
--- apache2.init.org 2015-10-24 10:37:19.000000000 +0200
+++ apache2.init 2016-04-21 14:43:22.380946637 +0200
@@ -139,6 +139,7 @@
apache_wait_stop() {
local STATUS=$1
+ local METH=$2
if [ $STATUS != 0 ] ; then
return $STATUS
@@ -146,11 +147,18 @@
PIDTMP=$(pidofproc -p $PIDFILE $DAEMON)
if [ -n "${PIDTMP:-}" ] && kill -0 "${PIDTMP:-}" 2> /dev/null; then
+
+ if [ "$METH" = "kill" ]; then
+ killproc -p $PIDFILE $DAEMON
+ else
+ $APACHE2CTL $METH > /dev/null 2>&1
+ fi
+
local i=0
while kill -0 "${PIDTMP:-}" 2> /dev/null; do
if [ $i = '60' ]; then
+ STATUS=2
break
- STATUS=2
fi
[ "$VERBOSE" != no ] && log_progress_msg "."
sleep 1
@@ -223,15 +231,13 @@
fi
if [ $AP_RET = 2 ] && apache_conftest ; then
- $APACHE2CTL $STOP > /dev/null 2>&1
- apache_wait_stop $?
+ apache_wait_stop $? $STOP
return $?
else
if [ $AP_RET = 2 ]; then
- clear_error_msg
+ clear_error_msg
APACHE2_INIT_MESSAGE="The apache2$DIR_SUFFIX configtest
failed, so we are trying to kill it manually. This is almost certainly
suboptimal, so please make sure your system is working as you'd expect now!"
- killproc -p $PIDFILE $DAEMON
- apache_wait_stop $?
+ apache_wait_stop $? "kill"
return $?
elif [ $AP_RET = 1 ] ; then
APACHE2_INIT_MESSAGE="There are processes named
'apache2' running which do not match your pid file which are left untouched in
the name of safety, Please review the situation by hand".
-- Package-specific info:
-- System Information:
Debian Release: 8.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apache2 depends on:
ii apache2-bin 2.4.10-10+deb8u4
ii apache2-data 2.4.10-10+deb8u4
ii apache2-utils 2.4.10-10+deb8u4
ii dpkg 1.17.26
ii lsb-base 4.1+Debian13+nmu1
ii mime-support 3.58
ii perl 5.20.2-3+deb8u4
ii procps 2:3.3.9-9
Versions of packages apache2 recommends:
ii ssl-cert 1.0.35
Versions of packages apache2 suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2-bin depends on:
ii libapr1 1.5.1-3
ii libaprutil1 1.5.4-1
ii libaprutil1-dbd-sqlite3 1.5.4-1
ii libaprutil1-ldap 1.5.4-1
ii libc6 2.19-18+deb8u4
ii libldap-2.4-2 2.4.40+dfsg-1+deb8u2
ii liblua5.1-0 5.1.5-7.1
ii libpcre3 2:8.35-3.3+deb8u4
ii libssl1.0.0 1.0.1k-3+deb8u4
ii libxml2 2.9.1+dfsg1-5+deb8u1
ii perl 5.20.2-3+deb8u4
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2 is related to:
ii apache2 2.4.10-10+deb8u4
ii apache2-bin 2.4.10-10+deb8u4
-- no debconf information
