Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-18 Thread Reco
Hi.

On Thu, Oct 18, 2018 at 06:11:13AM +0200, steve wrote:
> On 17-10-2018, at 09:52:06 +0300, Reco wrote:
> 
> > > > And, finally, /var/log/audit/audit.log if you have auditd installed
> > > > (hint - install it if you don't).
> > > 
> > > grep apache /var/log/audit/audit.log
> > > 
> > > type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" 
> > > profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" 
> > > requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > > type=SYSCALL msg=audit(1539750555.347:76): arch=c03e syscall=2 
> > > success=no exit=-13 a0=7fe220cac22a a1=8 a2=1b6 a3=8 items=0 
> > > ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
> > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" 
> > > exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
> > > type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" 
> > > profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 
> > > comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > > type=SYSCALL msg=audit(1539750555.347:77): arch=c03e syscall=2 
> > > success=no exit=-13 a0=7fe2219b6f70 a1=8 a2=1b6 a3=ff7f 
> > > items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
> > > fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" 
> > > exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
> > > type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 
> > > auid=4294967295 ses=4294967295 subj==unconfined msg='unit=apache2 
> > > comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? 
> > > res=failed'
> > > 
> > > Seems fine to me.
> > 
> > On the contrary. These show that apache2 binary was denied from reading
> > /etc/gai.conf *and* /etc/apache2/apache2.conf by some Mandatory Access
> > Control (audit record type AVC).
> > Since you're using Debian, I suspect AppArmor.
> > 
> > First things first, Apparmor (and any kind of MAC) is a good thing,
> > especially in your typical server environment. They'll suggest you to
> > disable it - don't. Lowering overall security of your OS is not worth
> > it.
> > 
> > Second, Debian does not provide apparmor profiles for apache. Whatever
> > profile is active in your installation is a result of local
> > misconfiguration.
> > 
> > Third, it's fixable. Install apparmor-utils.
> > Invoke 'aa-complain /usr/sbin/apache2'.
> > Start your apache2 service, stop it and start again.
> > Make some GET/PUT requests to it.
> > Invoke 'aa-logprof' and generate Apparmor profile that's uniquely suited
> > for your environment.
> 
> Here, I get
> 
> Reading log entries from /var/log/audit/audit.log.
> Updating AppArmor profiles in /etc/apparmor.d.
> Target profile exists: /etc/apparmor.d/usr.bin.nvidia-modprobe
> 
> Profile:  libreoffice-soffice
> Execute:  /usr/bin/nvidia-modprobe
> Severity: unknown
> 
> (I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny 
> / Abo(r)t / (F)inish
>
> What should I be expected to do?

Skip it, of course - Unconfined.
That one's for libreoffice, and you need that dialog showing something for 
apache.


> Also, aa-status spits out
> 
> apparmor module is loaded.
> 63 profiles are loaded.
...
> 3 processes are in complain mode.
>   /usr/sbin/apache2 (11894)
>   /usr/sbin/apache2 (12019)
>   /usr/sbin/apache2 (12020)
...
> 
> This is rather confusing.

Yet here you have a legitimate Apparmor profile for apache.

> What should I do with this?

Let's try it another way.

pkill -USR1 `pidof auditd`

aa-logprof /usr/sbin/apache2


> > Invoke 'aa-enforce /usr/sbin/apache2', and you're set.
> 
> Profile for /usr/sbin/apache2 not found, skipping
> 
> I guess this is normal since I didn't finish the aa-logprof step.

More or less. aa-status does not lie, your kernel has a profile for
apache.

Reco



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-18 Thread mick crane

On 2018-10-18 07:15, steve wrote:
> On 18-10-2018, at 07:07:34 +0100, mick crane wrote:
> > On 2018-10-18 05:11, steve wrote:
> > > Still reading on this new thing for me.
> > > 
> > > Thanks
> > > 
> > > Steve
> > 
> > I never came across this apparmor.
> > did you try stopping it with systemctl then see if apache works as 
> > expected ?
> 
> Yes I did and apache failed to start.

does "apachectl configtest" say OK ?

--
Key ID4BFEBB31



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-18 Thread mick crane

On 2018-10-18 07:07, mick crane wrote:
> On 2018-10-18 05:11, steve wrote:
> > Still reading on this new thing for me.
> > 
> > Thanks
> > 
> > Steve
> 
> I never came across this apparmor.
> did you try stopping it with systemctl then see if apache works as 
> expected ?

Ah, OK I see you tried that.
Would that not indicate problem is not apparmor ?

mick

--
Key ID4BFEBB31



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-18 Thread steve

On 18-10-2018, at 07:07:34 +0100, mick crane wrote:

> On 2018-10-18 05:11, steve wrote:
> > Still reading on this new thing for me.
> > 
> > Thanks
> > 
> > Steve
> 
> I never came across this apparmor.
> did you try stopping it with systemctl then see if apache works as 
> expected ?

Yes I did and apache failed to start.



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-18 Thread mick crane

On 2018-10-18 05:11, steve wrote:
> Still reading on this new thing for me.
> 
> Thanks
> 
> Steve

I never came across this apparmor.
did you try stopping it with systemctl then see if apache works as 
expected ?


mick

--
Key ID4BFEBB31



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-17 Thread steve

On 17-10-2018, at 09:52:06 +0300, Reco wrote:

> > > And, finally, /var/log/audit/audit.log if you have auditd installed
> > > (hint - install it if you don't).
> > 
> > grep apache /var/log/audit/audit.log
> > 
> > type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" 
> > name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > type=SYSCALL msg=audit(1539750555.347:76): arch=c03e syscall=2 success=no exit=-13 
> > a0=7fe220cac22a a1=8 a2=1b6 a3=8 items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 
> > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" 
> > exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
> > type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" 
> > name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > type=SYSCALL msg=audit(1539750555.347:77): arch=c03e syscall=2 success=no exit=-13 
> > a0=7fe2219b6f70 a1=8 a2=1b6 a3=ff7f items=0 ppid=17482 pid=17485 auid=4294967295 
> > uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
> > comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) 
> > key=(null)
> > type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 auid=4294967295 ses=4294967295 
> > subj==unconfined msg='unit=apache2 comm="systemd" exe="/lib/systemd/systemd" 
> > hostname=? addr=? terminal=? res=failed'
> > 
> > Seems fine to me.
> 
> On the contrary. These show that apache2 binary was denied from reading
> /etc/gai.conf *and* /etc/apache2/apache2.conf by some Mandatory Access
> Control (audit record type AVC).
> Since you're using Debian, I suspect AppArmor.
> 
> First things first, Apparmor (and any kind of MAC) is a good thing,
> especially in your typical server environment. They'll suggest you to
> disable it - don't. Lowering overall security of your OS is not worth
> it.
> 
> Second, Debian does not provide apparmor profiles for apache. Whatever
> profile is active in your installation is a result of local
> misconfiguration.
> 
> Third, it's fixable. Install apparmor-utils.
> Invoke 'aa-complain /usr/sbin/apache2'.
> Start your apache2 service, stop it and start again.
> Make some GET/PUT requests to it.
> Invoke 'aa-logprof' and generate Apparmor profile that's uniquely suited
> for your environment.

Here, I get

Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Target profile exists: /etc/apparmor.d/usr.bin.nvidia-modprobe

Profile:  libreoffice-soffice
Execute:  /usr/bin/nvidia-modprobe
Severity: unknown

(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / 
Abo(r)t / (F)inish


What should I be expected to do?

Also, aa-status spits out

apparmor module is loaded.
63 profiles are loaded.
22 profiles are in enforce mode.
  /usr/lib/cups/backend/cups-pdf
  /usr/lib/telepathy/mission-control-5
  /usr/lib/telepathy/telepathy-*
  /usr/lib/telepathy/telepathy-*//pxgsettings
  /usr/lib/telepathy/telepathy-*//sanitized_helper
  /usr/lib/telepathy/telepathy-ofono
  /usr/sbin/cups-browsed
  /usr/sbin/cupsd
  /usr/sbin/cupsd//third_party
  /usr/sbin/libvirtd
  /usr/sbin/libvirtd//qemu_bridge_helper
  /usr/sbin/mysqld-akonadi
  /usr/sbin/mysqld-akonadi///usr/sbin/mysqld
  libreoffice-senddoc
  libreoffice-soffice//gpg
  libreoffice-xpdfimport
  thunderbird
  thunderbird//browser_java
  thunderbird//browser_openjdk
  thunderbird//gpg
  thunderbird//sanitized_helper
  virt-aa-helper
41 profiles are in complain mode.
  /usr/bin/nvidia-modprobe
  /usr/lib/dovecot/anvil
  /usr/lib/dovecot/auth
  /usr/lib/dovecot/config
  /usr/lib/dovecot/deliver
  /usr/lib/dovecot/dict
  /usr/lib/dovecot/dovecot-auth
  /usr/lib/dovecot/dovecot-lda
  /usr/lib/dovecot/dovecot-lda///usr/sbin/sendmail
  /usr/lib/dovecot/imap
  /usr/lib/dovecot/imap-login
  /usr/lib/dovecot/lmtp
  /usr/lib/dovecot/log
  /usr/lib/dovecot/managesieve
  /usr/lib/dovecot/managesieve-login
  /usr/lib/dovecot/pop3
  /usr/lib/dovecot/pop3-login
  /usr/lib/dovecot/ssl-params
  /usr/sbin/apache2
  /usr/sbin/apache2//DEFAULT_URI
  /usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
  /usr/sbin/avahi-daemon
  /usr/sbin/dnsmasq
  /usr/sbin/dnsmasq//libvirt_leaseshelper
  /usr/sbin/dovecot
  /usr/sbin/identd
  /usr/sbin/mdnsd
  /usr/sbin/nmbd
  /usr/sbin/nscd
  /usr/sbin/smbd
  /usr/sbin/smbldap-useradd
  /usr/sbin/smbldap-useradd///etc/init.d/nscd
  /usr/{sbin/traceroute,bin/traceroute.db}
  klogd
  libreoffice-oopslash
  libreoffice-soffice
libreoffice-soffice//null-/usr/bin/nvidia-modprobe
  libreoffice-soffice//null-/usr/bin/nvidia-modprobe//null-/bin/kmod
  ping
  syslog-ng
  syslogd
15 processes have profiles defined.
3 processes are in enforce mode.
  /usr/sbin/cups-browsed (25039)
  /usr/sbin/cupsd (25038)
  thunderbird (12250)
3 processes are in complain mode.
  /usr/sbin/apache2 (11894)
  /usr/sbin/apache2 (12019)
  /usr/sbin/apache2 (12020)
9 

Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-17 Thread steve

Thanks Reco for your input.

I'll have to go through it, but don't have time right now.


Steve




Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-17 Thread steve

On 17-10-2018, at 05:38:11 +, Steve Kemp wrote:

>   To recap you reported the original error:
> 
> >  apache2: Could not open configuration file /etc/apache2/apache2.conf:
> >  Permission denied
> 
>   Now you've provided more details, from your audit-log:
> 
> > type=AVC msg=audit(1539750555.347:77): apparmor="DENIED"
> > operation="open" profile="/usr/sbin/apache2"
> > name="/etc/apache2/apache2.conf" pid=17485 comm="apache2"
> > requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> 
>   There you see "DENIED" along with "exit=-13".  You can lookup
>  the meaning of "-13" via this command but I'll guess it corresponds to
>  EPERM ("permission denied"):
> 
>    ausearch --interpret --exit -13
> 
>   In conclusion: You're using apparmor, it prevented the process from
>  opening the configuration file, which stopped the service from starting.
>  That was logged explicitly :)

Good point. But since I have not explicitly installed apparmor and thus
don't know how to use it (was installed during an update I guess), I
didn't really bother.

>   To fix this either:
> 
>    1.  Fix apparmor so that you can open the file.
> 
>    2.  Disable apparmor.
> 
>   The first might be as simple as `systemctl restart apparmor.service`,
>  that's working on the basis that:

Didn't work, same error message.

>    * You had apparmor installed.
>    * You've now just installed apache.

To be correct, I just reinstalled it.

Stopped apparmor then tried to start apache2, but same problem.

>    * This will have given you new apparmor rules.
>    * But they won't be loaded because apparmor wasn't reloaded.
>    * So apache failed.
> 
>   I'm not 100% sure if that is the case, but it seems likely.  If not
>  you'll need to do some reading.  Perhaps start here:
> 
>    https://wiki.debian.org/AppArmor

Yeah, I think I'm gonna have to do that.

But I must say it's a bit shitty because "before", all I had to do to
run apache was 'apt install apache2'. Don't understand why this apparmor
thing is screwing my habits…

Thanks for your help and pointers.

Steve



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-17 Thread Reco
Hi.

On Wed, Oct 17, 2018 at 06:33:09AM +0200, steve wrote:
> On 16-10-2018, at 09:51:22 +0300, Reco wrote:
> 
> > Hi.
> > 
> > On Tue, Oct 16, 2018 at 07:31:17AM +0200, steve wrote:
> > > Hi there,
> > > 
> > > Purged and then reinstalled apache2 and when I want to start apache2,
> > > here's what I get:
> > > 
> > > # systemctl status apache2.service
> > > ● apache2.service - The Apache HTTP Server
> > >   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor 
> > > preset: enabled)
> > >   Active: failed (Result: exit-code) since Tue 2018-10-16 07:22:02 CEST; 
> > > 13s ago
> > >  Process: 32122 ExecStart=/usr/sbin/apachectl start (code=exited, 
> > > status=1/FAILURE)
> > > 
> > > oct 16 07:22:01 box systemd[1]: Starting The Apache HTTP Server...
> > > oct 16 07:22:01 box apachectl[32122]: apache2: Could not open 
> > > configuration file /etc/apache2/apache2.conf: Permission denied
> > > oct 16 07:22:02 box apachectl[32122]: Action 'start' failed.
> > > oct 16 07:22:02 box apachectl[32122]: The Apache error log may have more 
> > > information.
> > 
> > So, does the 'Apache error log' have anything useful?
> 
> Nothing. It's empty.

And that, my dear list, shows us that in that particular case systemd
journal is useless. It was expected though, as it's the usual thing with
it - it's able to tell you that something is wrong, but it never tells
you the actual cause of it.


> > > ls -l /etc/apache2/apache2.conf
> > > -rw-r--r-- 1 root root 7224 jun  2 10:01 /etc/apache2/apache2.conf
> > 
> > First things first, it's 'ls -lZ /etc/apache2/apache2.conf'.
> 
> # ls -lZ /etc/apache2/apache2.conf
> -rw-r--r-- 1 root root ? 7224 jun  2 10:01 /etc/apache2/apache2.conf

And that shows us that you aren't using SELinux.


> > Next thing to check is 'ls -ald / /etc /etc/apache2'.
> 
> # ls -ald /etc/apache2
> drwxr-xr-x 8 root root 4096 oct 16 07:21 /etc/apache2

Original command contains three directories, you show just one.
A hint - all three could be important in this case.


> > And, finally, /var/log/audit/audit.log if you have auditd installed
> > (hint - install it if you don't).
> 
> grep apache /var/log/audit/audit.log
> 
> type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" 
> profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" 
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=SYSCALL msg=audit(1539750555.347:76): arch=c03e syscall=2 success=no 
> exit=-13 a0=7fe220cac22a a1=8 a2=1b6 a3=8 items=0 ppid=17482 
> pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" 
> subj==/usr/sbin/apache2 (enforce) key=(null)
> type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" 
> profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 
> comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=SYSCALL msg=audit(1539750555.347:77): arch=c03e syscall=2 success=no 
> exit=-13 a0=7fe2219b6f70 a1=8 a2=1b6 a3=ff7f items=0 
> ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" 
> exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
> type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 auid=4294967295 
> ses=4294967295 subj==unconfined msg='unit=apache2 comm="systemd" 
> exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
> 
> Seems fine to me.

On the contrary. These show that apache2 binary was denied from reading
/etc/gai.conf *and* /etc/apache2/apache2.conf by some Mandatory Access
Control (audit record type AVC).
Since you're using Debian, I suspect AppArmor.

First things first, Apparmor (and any kind of MAC) is a good thing,
especially in your typical server environment. They'll suggest you to
disable it - don't. Lowering overall security of your OS is not worth
it.

Second, Debian does not provide apparmor profiles for apache. Whatever
profile is active in your installation is a result of local
misconfiguration.

Third, it's fixable. Install apparmor-utils.
Invoke 'aa-complain /usr/sbin/apache2'.
Start your apache2 service, stop it and start again.
Make some GET/PUT requests to it.
Invoke 'aa-logprof' and generate Apparmor profile that's uniquely suited
for your environment.
Invoke 'aa-enforce /usr/sbin/apache2', and you're set.

Reco



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread Steve Kemp


  To recap you reported the original error:

>  apache2: Could not open configuration file /etc/apache2/apache2.conf:
>  Permission denied

  Now you've provided more details, from your audit-log:

> type=AVC msg=audit(1539750555.347:77): apparmor="DENIED"
> operation="open" profile="/usr/sbin/apache2"
> name="/etc/apache2/apache2.conf" pid=17485 comm="apache2"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  There you see "DENIED" along with "exit=-13".  You can lookup
 the meaning of "-13" via this command but I'll guess it corresponds to
 EPERM ("permission denied"):

ausearch --interpret --exit -13

  In conclusion: You're using apparmor, it prevented the process from
 opening the configuration file, which stopped the service from starting.
 That was logged explicitly :)

  To fix this either:

1.  Fix apparmor so that you can open the file.

2.  Disable apparmor.

  The first might be as simple as `systemctl restart apparmor.service`,
 that's working on the basis that:

* You had apparmor installed.
* You've now just installed apache.
* This will have given you new apparmor rules.
* But they won't be loaded because apparmor wasn't reloaded.
* So apache failed.

  I'm not 100% sure if that is the case, but it seems likely.  If not
 you'll need to do some reading.  Perhaps start here:

https://wiki.debian.org/AppArmor

Steve
-- 
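Reading the audit records by eye, as Reco and Steve Kemp do above, generalizes to a small parser. The following added Python example (written for this page; it is not from the thread, from auditd/ausearch or from the AppArmor tools) pairs each AVC record with its SYSCALL record by audit event id, resolves the exit=-13 value through the errno table, and lists the file rules a profile would need for each denial. The log lines are the ones quoted in the thread, plus one constructed ALLOWED record of the kind a complain-mode profile writes.

```python
"""Pair AppArmor AVC denials with their SYSCALL records in a Linux audit log.

Added example for this thread; not part of auditd, ausearch or the AppArmor
tools. The event id (the "1539750555.347:76" part of msg=audit(...)) links
the records that belong to one syscall, which is how the AVC line and the
exit=-13 line are tied together.
"""
import errno
import re
from collections import defaultdict

# Records quoted in the thread (one line each), plus one constructed
# ALLOWED record of the kind a profile in complain mode writes.
SAMPLE_LOG = """\
type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750555.347:76): arch=c03e syscall=2 success=no exit=-13 a0=7fe220cac22a a1=8 a2=1b6 a3=8 items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750555.347:77): arch=c03e syscall=2 success=no exit=-13 a0=7fe2219b6f70 a1=8 a2=1b6 a3=ff7f items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=apache2 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1539750900.100:90): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/ports.conf" pid=17900 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value tokens; values may be double-quoted, single-quoted or bare.
KV_RE = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')
ID_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Split one audit record into (event_id, {key: value}); None if it has no event id."""
    m = ID_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(line)}
    return f"{m.group(1)}:{m.group(2)}", fields


def errno_name(exit_value):
    """Turn a SYSCALL record's exit= value (a negated errno) into its symbolic name."""
    if exit_value is None:
        return None
    try:
        code = -int(exit_value)
    except ValueError:
        return None
    # exit=-13 is EACCES ("Permission denied"); EPERM is errno 1.
    return errno.errorcode.get(code, f"errno {code}")


def collect_denials(log_text):
    """Return one summary dict per AppArmor DENIED event, in log order.

    ALLOWED records (what a complain-mode profile writes) are skipped, so a
    profile already switched to complain mode produces nothing here.
    """
    events = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        event_id, fields = parsed
        events[event_id][fields.get("type")] = fields
    denials = []
    for event_id, records in events.items():
        avc = records.get("AVC")
        if avc is None or avc.get("apparmor") != "DENIED":
            continue
        syscall = records.get("SYSCALL", {})
        denials.append({
            "event": event_id,
            "profile": avc.get("profile"),
            "operation": avc.get("operation"),
            "path": avc.get("name"),
            "denied_mask": avc.get("denied_mask"),
            "errno": errno_name(syscall.get("exit")),
        })
    return denials


def suggest_rules(denials):
    """Hand-written approximation of the file rules aa-logprof would offer.

    One "<path> <mask>," line per denied file, deduplicated and sorted; the
    mask is the denied_mask from the AVC record ("r" for read).
    """
    rules = {f"{d['path']} {d['denied_mask']}," for d in denials if d["path"]}
    return sorted(rules)


if __name__ == "__main__":
    found = collect_denials(SAMPLE_LOG)
    for d in found:
        print(f"{d['event']} {d['profile']} {d['operation']} {d['path']} "
              f"denied (mask {d['denied_mask']}, {d['errno']})")
    print("rules a profile would need:")
    for rule in suggest_rules(found):
        print("  " + rule)
```

On a live system, feed the function the output of `grep apache /var/log/audit/audit.log` instead of SAMPLE_LOG; the rules it prints are a starting point to compare against what aa-logprof proposes, not a profile to install unreviewed.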



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread steve

On 16-10-2018, at 06:39:01 +, Steve Kemp wrote:

> > ls -l /etc/apache2/apache2.conf
> > -rw-r--r-- 1 root root 7224 jun  2 10:01 /etc/apache2/apache2.conf

Getting nuts.

>  Probably the permissions on /etc/apache2, or /etc are broken for the
> user www-data.

ls -l /etc
drwxr-xr-x 213 root  root  16384 oct 17 06:28

ls -l /etc/apache2
total 80
-rw-r--r-- 1 root root  7224 jun  2 10:01 apache2.conf
drwxr-xr-x 2 root root  4096 oct 16 06:56 conf-available
drwxr-xr-x 2 root root  4096 oct 16 06:57 conf-enabled
-rw-r--r-- 1 root root  1782 avr  5  2018 envvars
-rw-r--r-- 1 root root 31063 sep 19  2017 magic
drwxr-xr-x 2 root root 12288 oct 16 06:57 mods-available
drwxr-xr-x 2 root root  4096 oct 16 06:57 mods-enabled
-rw-r--r-- 1 root root   320 sep 19  2017 ports.conf
drwxr-xr-x 2 root root  4096 oct 16 06:57 sites-available
drwxr-xr-x 2 root root  4096 oct 16 06:57 sites-enabled

>  Assuming you have sudo installed you can become "www-data", and test:
> 
>    sudo su - www-data -s /bin/sh
>    cd /etc/
>    cd apache2
>    cat apache2.conf

All fine, www-data can read the file.



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread steve

On 16-10-2018, at 09:51:22 +0300, Reco wrote:

> Hi.
> 
> On Tue, Oct 16, 2018 at 07:31:17AM +0200, steve wrote:
> > Hi there,
> > 
> > Purged and then reinstalled apache2 and when I want to start apache2,
> > here's what I get:
> > 
> > # systemctl status apache2.service
> > ● apache2.service - The Apache HTTP Server
> >   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: 
> > enabled)
> >   Active: failed (Result: exit-code) since Tue 2018-10-16 07:22:02 CEST; 13s ago
> >  Process: 32122 ExecStart=/usr/sbin/apachectl start (code=exited, 
> > status=1/FAILURE)
> > 
> > oct 16 07:22:01 box systemd[1]: Starting The Apache HTTP Server...
> > oct 16 07:22:01 box apachectl[32122]: apache2: Could not open configuration 
> > file /etc/apache2/apache2.conf: Permission denied
> > oct 16 07:22:02 box apachectl[32122]: Action 'start' failed.
> > oct 16 07:22:02 box apachectl[32122]: The Apache error log may have more 
> > information.
> 
> So, does the 'Apache error log' have anything useful?

Nothing. It's empty.

> > ls -l /etc/apache2/apache2.conf
> > -rw-r--r-- 1 root root 7224 jun  2 10:01 /etc/apache2/apache2.conf
> 
> First things first, it's 'ls -lZ /etc/apache2/apache2.conf'.

# ls -lZ /etc/apache2/apache2.conf 
-rw-r--r-- 1 root root ? 7224 jun  2 10:01 /etc/apache2/apache2.conf

> Next thing to check is 'ls -ald / /etc /etc/apache2'.

# ls -ald /etc/apache2
drwxr-xr-x 8 root root 4096 oct 16 07:21 /etc/apache2

> And, finally, /var/log/audit/audit.log if you have auditd installed
> (hint - install it if you don't).

grep apache /var/log/audit/audit.log

type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" 
name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750555.347:76): arch=c03e syscall=2 success=no exit=-13 
a0=7fe220cac22a a1=8 a2=1b6 a3=8 items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" 
exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" 
name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750555.347:77): arch=c03e syscall=2 success=no exit=-13 
a0=7fe2219b6f70 a1=8 a2=1b6 a3=ff7f items=0 ppid=17482 pid=17485 auid=4294967295 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) 
key=(null)
type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 auid=4294967295 ses=4294967295 
subj==unconfined msg='unit=apache2 comm="systemd" exe="/lib/systemd/systemd" 
hostname=? addr=? terminal=? res=failed'

Seems fine to me.

Steve



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread David Wright
On Tue 16 Oct 2018 at 12:24:49 (-0400), Gene Heskett wrote:
> On Tuesday 16 October 2018 11:37:44 Greg Wooledge wrote:
> 
> > On Tue, Oct 16, 2018 at 11:28:44AM -0400, Gene Heskett wrote:
> > > Since leaving a sudo -i laying about is considered a security
> > > breach, I'm amazed that the -i option doesn't accept a timeout. Say
> > > in seconds, as if you think it will take 5 minutes to do the job as
> > > root, sudo -i300, at the ends of which it expires.
> >
> > You could set the TMOUT variable in the resulting shell, either
> > manually or by a setting in some rc file (e.g. /root/.bashrc if that's
> > what the shell reads).
> 
> Okayyy, TMOUT=30, and 30 seconds later it does time out, returning me to 
> my user prompt.
> 
> And I ran synaptic and it didn't time out till 30 secs after I had quit 
> synaptic which leaves an exploitable hole. Synaptic took way more, than 
> the 30 I set TMOUT to.  Ideally it should have returned to the users 
> prompt at the synaptic exit, or would that leave trash behind?
> 
> Anyway, many thanks for the schooling, Greg. Even after 20 years, I 
> hadn't heard of that before.

Hm, to be honest, TMOUT seems like a historical relic of a bygone era
when using an idle login shell implied that you were hogging a slot
that others were waiting to access. (And when the shell exited, we
neighbouring users would have to endure the motor noise of their
A/KSR 33 until *its* timeout expired.)

If you want a suicidal command that logs you out as soon as you quit,
you could wrap it up as a bash function and put it into root's .bashrc;
something like for example

function aptitude-pop {
aptitude
exit
}

Cheers,
David.



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread Gene Heskett
On Tuesday 16 October 2018 11:37:44 Greg Wooledge wrote:

> On Tue, Oct 16, 2018 at 11:28:44AM -0400, Gene Heskett wrote:
> > Since leaving a sudo -i laying about is considered a security
> > breach, I'm amazed that the -i option doesn't accept a timeout. Say
> > in seconds, as if you think it will take 5 minutes to do the job as
> > root, sudo -i300, at the ends of which it expires.
>
> You could set the TMOUT variable in the resulting shell, either
> manually or by a setting in some rc file (e.g. /root/.bashrc if that's
> what the shell reads).

Okayyy, TMOUT=30, and 30 seconds later it does time out, returning me to 
my user prompt.

And I ran synaptic and it didn't time out till 30 secs after I had quit 
synaptic which leaves an exploitable hole. Synaptic took way more, than 
the 30 I set TMOUT to.  Ideally it should have returned to the users 
prompt at the synaptic exit, or would that leave trash behind?

Anyway, many thanks for the schooling, Greg. Even after 20 years, I 
hadn't heard of that before.

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread Gene Heskett
On Tuesday 16 October 2018 11:37:44 Greg Wooledge wrote:

> On Tue, Oct 16, 2018 at 11:28:44AM -0400, Gene Heskett wrote:
> > Since leaving a sudo -i laying about is considered a security
> > breach, I'm amazed that the -i option doesn't accept a timeout. Say
> > in seconds, as if you think it will take 5 minutes to do the job as
> > root, sudo -i300, at the ends of which it expires.
>
> You could set the TMOUT variable in the resulting shell, either
> manually or by a setting in some rc file (e.g. /root/.bashrc if that's
> what the shell reads).

This would be about as handy as a 2x2 alongside the ear, by making it 
automatic but fixed. On this machine, 10 minutes is a great plenty to 
run synaptic, but on the pi, 20 minutes or more would be needed. So 
what's wrong with the sudo timeout being set at the launch time?  And 
sitting here thinking, that's not a bad idea as you could set a shorter 
time than it takes to do whatever, in the meantime it's timed out, so 
whenever that utility gets done, the su has long since timed out, 
leaving no exposure when whatever was launched with root priv's keeps on 
doing what it does. Best of both IMO.

Something to consider, Greg, and thank you.

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread Greg Wooledge
On Tue, Oct 16, 2018 at 11:28:44AM -0400, Gene Heskett wrote:
> Since leaving a sudo -i laying about is considered a security breach, I'm 
> amazed that the -i option doesn't accept a timeout. Say in seconds, as 
> if you think it will take 5 minutes to do the job as root, sudo -i300, 
> at the ends of which it expires.

You could set the TMOUT variable in the resulting shell, either manually
or by a setting in some rc file (e.g. /root/.bashrc if that's what the
shell reads).



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread Gene Heskett
On Tuesday 16 October 2018 05:56:31 Jonathan Dowland wrote:

> On Tue, Oct 16, 2018 at 10:09:39AM +0200, Martin wrote:
> >> sudo su - www-data -s /bin/sh
> >
> >Don't use sudo with su. It is evil.
> >You want to use 'sudo -i' in this case.
>
> Fascism is evil. This is just unnecessary.
>
> (I'm guilty of still typing "sudo su -" via muscle memory even after
> your messages on the subject. I asked a former UNIX sysadmin colleague
> of mine and he does the same. We suspect that it was from our days
> supporting Solaris, and a sudo that did not implement -i.)

Since leaving a sudo -i laying about is considered a security breach, I'm 
amazed that the -i option doesn't accept a timeout. Say in seconds, as 
if you think it will take 5 minutes to do the job as root, sudo -i300, 
at the ends of which it expires.  That makes more sense than 
the "-i"less 1/2 minute of inactivity to me. At least the exposure is 
limited to less time than it takes to refill your caffeine container and 
catch up on the gossip at the water fountain. ;-)

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread Martin
On 16.10.18 at 11:56 Jonathan Dowland wrote:
> On Tue, Oct 16, 2018 at 10:09:39AM +0200, Martin wrote:
>>>     sudo su - www-data -s /bin/sh
>>
>> Don't use sudo with su. It is evil.
>> You want to use 'sudo -i' in this case.
> 
> Fascism is evil. This is just unnecessary.

Good point.

> 
> (I'm guilty of still typing "sudo su -" via muscle memory even after
> your messages on the subject. I asked a former UNIX sysadmin colleague
> of mine and he does the same. We suspect that it was from our days
> supporting Solaris, and a sudo that did not implement -i.)

I know. And if I do right, it was not even officially available for Solaris. It 
came from this Sunfreeware site. Which still exists with a sudo version from 
2014.

Cheers on that, old man!!



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread Jonathan Dowland

On Tue, Oct 16, 2018 at 10:09:39AM +0200, Martin wrote:
> >     sudo su - www-data -s /bin/sh
> 
> Don't use sudo with su. It is evil.
> You want to use 'sudo -i' in this case.

Fascism is evil. This is just unnecessary.

(I'm guilty of still typing "sudo su -" via muscle memory even after
your messages on the subject. I asked a former UNIX sysadmin colleague
of mine and he does the same. We suspect that it was from our days
supporting Solaris, and a sudo that did not implement -i.)

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread Joe
On Tue, 16 Oct 2018 10:06:39 +0200
Martin wrote:

> On 16.10.18 at 07:31 steve wrote:
> > Hi there,
> > 
> > Purged and then reinstalled apache2 and when I want to start
> > apache2, here's what I get:
> > 
> > # systemctl status apache2.service  
> 
> What is your 'id'?
> 
> > ● apache2.service - The Apache HTTP Server
> >   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
> >   Active: failed (Result: exit-code) since Tue 2018-10-16 07:22:02 CEST; 13s ago
> >  Process: 32122 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
> > 
> > oct 16 07:22:01 box systemd[1]: Starting The Apache HTTP Server...
> > oct 16 07:22:01 box apachectl[32122]: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied
> > oct 16 07:22:02 box apachectl[32122]: Action 'start' failed.
> > oct 16 07:22:02 box apachectl[32122]: The Apache error log may have more information.
> > oct 16 07:22:02 box systemd[1]: apache2.service: Control process exited, code=exited status=1
> > oct 16 07:22:02 box systemd[1]: apache2.service: Failed with result 'exit-code'.
> > oct 16 07:22:02 box systemd[1]: Failed to start The Apache HTTP Server.
> 
> Do you have any SSLCertificateKeyFile configured? Check permissions
> first, as a normal user can not read those. 
> > 
> > ls -l /etc/apache2/apache2.conf
> > -rw-r--r-- 1 root root 7224 jun  2 10:01 /etc/apache2/apache2.conf

Surely apache2 starts up as root, in order to obtain port 80, and then
drops privilege to www-data? It must read the configuration files while
root, or else it wouldn't know which port(s) it should request.

-- 
Joe



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread Martin
Am 16.10.18 um 08:39 schrieb Steve Kemp:
>>
>> ls -l /etc/apache2/apache2.conf
>> -rw-r--r-- 1 root root 7224 jun  2 10:01 /etc/apache2/apache2.conf
[...]
> sudo su - www-data -s /bin/sh

Don't use sudo with su. It is evil.
You want to use 'sudo -i' in this case.

[...]



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread Martin
Am 16.10.18 um 07:31 schrieb steve:
> Hi there,
> 
> Purged and then reinstalled apache2 and when I want to start apache2,
> here's what I get:
> 
> # systemctl status apache2.service

What is your 'id'?

> ● apache2.service - The Apache HTTP Server
>   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor 
> preset: enabled)
>   Active: failed (Result: exit-code) since Tue 2018-10-16 07:22:02 CEST; 13s 
> ago
>  Process: 32122 ExecStart=/usr/sbin/apachectl start (code=exited, 
> status=1/FAILURE)
> 
> oct 16 07:22:01 box systemd[1]: Starting The Apache HTTP Server...
> oct 16 07:22:01 box apachectl[32122]: apache2: Could not open configuration 
> file /etc/apache2/apache2.conf: Permission denied
> oct 16 07:22:02 box apachectl[32122]: Action 'start' failed.
> oct 16 07:22:02 box apachectl[32122]: The Apache error log may have more 
> information.
> oct 16 07:22:02 box systemd[1]: apache2.service: Control process exited, 
> code=exited status=1
> oct 16 07:22:02 box systemd[1]: apache2.service: Failed with result 
> 'exit-code'.
> oct 16 07:22:02 box systemd[1]: Failed to start The Apache HTTP Server.

Do you have any SSLCertificateKeyFile configured? Check permissions first, as a 
normal user can not read those.
 
> 
> ls -l /etc/apache2/apache2.conf
> -rw-r--r-- 1 root root 7224 jun  2 10:01 /etc/apache2/apache2.conf
> 
> 
> Getting nuts.
> 
> Any ideas?
> 
> Thanks
> 



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread Reco
Hi.

On Tue, Oct 16, 2018 at 07:31:17AM +0200, steve wrote:
> Hi there,
> 
> Purged and then reinstalled apache2 and when I want to start apache2,
> here's what I get:
> 
> # systemctl status apache2.service
> ● apache2.service - The Apache HTTP Server
>   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor 
> preset: enabled)
>   Active: failed (Result: exit-code) since Tue 2018-10-16 07:22:02 CEST; 13s 
> ago
>  Process: 32122 ExecStart=/usr/sbin/apachectl start (code=exited, 
> status=1/FAILURE)
> 
> oct 16 07:22:01 box systemd[1]: Starting The Apache HTTP Server...
> oct 16 07:22:01 box apachectl[32122]: apache2: Could not open configuration 
> file /etc/apache2/apache2.conf: Permission denied
> oct 16 07:22:02 box apachectl[32122]: Action 'start' failed.
> oct 16 07:22:02 box apachectl[32122]: The Apache error log may have more 
> information.

So, does the 'Apache error log' have anything useful?

> ls -l /etc/apache2/apache2.conf
> -rw-r--r-- 1 root root 7224 jun  2 10:01 /etc/apache2/apache2.conf

First things first, it's 'ls -lZ /etc/apache2/apache2.conf'.
Next thing to check is 'ls -ald / /etc /etc/apache2'.
And, finally, /var/log/audit/audit.log if you have auditd installed
(hint - install it if you don't).

Reco



Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

2018-10-16 Thread Steve Kemp
> 
> ls -l /etc/apache2/apache2.conf
> -rw-r--r-- 1 root root 7224 jun  2 10:01 /etc/apache2/apache2.conf
> 
> 
> Getting nuts.

  Probably the permissions on /etc/apache2, or /etc are broken for the
 user www-data.

  Assuming you have sudo installed you can become "www-data", and test:

sudo su - www-data -s /bin/sh
cd /etc/
cd apache2
cat apache2.conf

Steve
--
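The checks Reco lists (the permission bits on each of /, /etc, /etc/apache2 and the file itself, then the audit log) and the "become www-data and read the file" test Steve Kemp gives, put into one script. This is an added example for readers of the thread, not code posted by anyone in it and not part of Debian's apache2 package. It assumes GNU or busybox stat with -c, a sudo that supports -u (used instead of sudo su, as Martin suggests), and it only models classic Unix permission bits for the "others" or "group" class; SELinux contexts (ls -lZ) and AppArmor profiles are not modelled, which is why the second function pulls AppArmor AVC denials out of whatever audit.log you point it at. The audit line it was checked against is a constructed sample in the standard AVC format.

```shell
#!/bin/sh
# Added example, not code from the thread: scripts Reco's path-permission
# and audit-log checks and Steve Kemp's "can www-data read it?" test.
# Assumes GNU/busybox stat (-c). The audit.log used when testing this is a
# constructed sample, not a real log.

# Report one path component: its mode/owner (like ls -ld) and whether the
# chosen permission class (others, or group) may pass through it.
# Directories need the search bit (x); the final file needs read (r).
_report_component() {
    comp=$1 final=$2 class=$3
    mode=$(stat -c '%a' "$comp") || return 2
    if [ "$class" = group ]; then
        bits=$(( (mode / 10) % 10 ))   # middle octal digit: group
    else
        bits=$(( mode % 10 ))          # last octal digit: others
    fi
    if [ "$comp" = "$final" ] && [ ! -d "$comp" ]; then
        need=4 what=read
    else
        need=1 what=search
    fi
    desc=$(stat -c '%A %U:%G' "$comp")
    if [ $(( bits & need )) -ne 0 ]; then
        printf '%-28s %s ok\n' "$desc" "$comp"
        return 0
    fi
    printf '%-28s %s DENIED: %s lacks %s\n' "$desc" "$comp" "$class" "$what"
    return 1
}

# check_world_access PATH [others|group] [START]
# Walks from START (default /) down to PATH one component at a time, the
# way 'ls -ald / /etc /etc/apache2' does by hand. Exit status: 0 if the
# whole chain is passable for that class, 1 if some component blocks it
# (printed with DENIED), 2 if PATH is missing or not under START.
check_world_access() {
    target=$1 class=${2:-others} start=${3:-/}
    case $target in
        /*) abs=$target ;;
        *)  abs=$(pwd)/$target ;;     # make relative paths absolute
    esac
    [ -e "$abs" ] || { echo "no such path: $abs" >&2; return 2; }
    case $start in */) ;; *) start=$start/ ;; esac
    rel=${abs#"$start"}
    [ "$rel" != "$abs" ] || { echo "$abs is not under $start" >&2; return 2; }

    status=0
    cur=${start%/}                       # "" when START is /
    _report_component "${cur:-/}" "$abs" "$class" || status=1
    oldifs=$IFS; IFS=/; set -f
    set -- $rel                          # split the remaining path on /
    set +f; IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur=$cur/$comp
        _report_component "$cur" "$abs" "$class" || status=1
    done
    return $status
}

# Summarise AppArmor denials from an audit log as "profile operation path".
# An AVC record looks like: type=AVC msg=audit(...): apparmor="DENIED"
#   operation="open" profile="/usr/sbin/apache2" name="/etc/..." ...
apparmor_denials() {
    grep 'apparmor="DENIED"' "$1" |
        sed -n 's/.*operation="\([^"]*\)".*profile="\([^"]*\)".*name="\([^"]*\)".*/\2 \1 \3/p'
}

# Steve Kemp's direct test, with sudo -u instead of sudo su: let the kernel
# decide whether USER can read FILE. Needs sudo and an existing USER.
test_as_user() {
    sudo -u "$1" test -r "$2"
}

# Usage: sh check_access.sh /etc/apache2/apache2.conf [others|group] [/var/log/audit/audit.log]
if [ $# -gt 0 ]; then
    check_world_access "$1" "${2:-others}"
    if [ -n "${3-}" ]; then apparmor_denials "$3"; fi
fi
```

A DENIED line names the directory or file that stops the service user at the Unix-permission level; use the group class if www-data is a member of the owning group. If every component reports ok and the open still fails, that is the case Reco's last two checks are for: a mandatory access control layer, which shows up as an AVC record that apparmor_denials prints as profile, operation and denied path.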