apache2 apache-htcacheclean does not source /etc/default/apache-htcacheclean

Bug #1691495 reported by Baptiste Lafontaine on 2017-05-17
This bug affects 2 people
Affects: apache2 (Ubuntu)
Importance: High
Assigned to: Unassigned

Bug Description

Hi,

On Ubuntu 16.04.2, with 2.4.18-2ubuntu3.2

The Apache2 apache-htcacheclean service init script defines some config values:

# Default values. Edit /etc/default/apache-htcacheclean to change these
HTCACHECLEAN_SIZE="${HTCACHECLEAN_SIZE:=300M}"
HTCACHECLEAN_DAEMON_INTERVAL="${HTCACHECLEAN_DAEMON_INTERVAL:=120}"
HTCACHECLEAN_PATH="${HTCACHECLEAN_PATH:=/var/cache/apache2$DIR_SUFFIX/mod_cache_disk}"
HTCACHECLEAN_OPTIONS="${HTCACHECLEAN_OPTIONS:=-n}"

But the file /etc/default/apache-htcacheclean is not sourced in the file, so any change to the default configuration is not possible.

Adding ". /etc/default/apache-htcacheclean" just before allows the values to be changed.

Joshua Powers (powersj) wrote :

Hi and thanks for the bug report.

Can you state more clearly what files you are editing? I am not sure I followed each step you took; for example, where did you add ". /etc/default/apache-htcacheclean" to?

If I look at /etc/cron.daily/apache2 it has that command already.

Changed in apache2 (Ubuntu):
status: New → Incomplete
Baptiste Lafontaine (magnetik) wrote :

Sorry, it was indeed not clear.

It is the file /etc/init.d/apache-htaccess that should (IMO) source the /etc/default/apache-htcacheclean file.

Joshua Powers (powersj) wrote :

Thanks for the clarification!

Changed in apache2 (Ubuntu):
status: Incomplete → Confirmed
importance: Undecided → High
Rene Fragoso (ctrlrsf) wrote :

Actually what looks to be happening is that /etc/default/apache-htcacheclean is being included/sourced after DAEMON_ARGS has already been set. The init script sets some HTCACHECLEAN_* variables, then DAEMON_ARGS, and then eventually /etc/default/apache-htcacheclean is sourced. However, DAEMON_ARGS is never reset using the newly sourced ENV vars so they're never used (see bash -x debug output below).

As a workaround, instead of changing the init script, you can also add DAEMON_ARGS to the bottom of your /etc/default/apache-htcacheclean. Here's my DAEMON_ARGS, which I took directly from the init script:

DAEMON_ARGS="$HTCACHECLEAN_OPTIONS \
    -d$HTCACHECLEAN_DAEMON_INTERVAL \
    -P$PIDFILE -i \
    -p$HTCACHECLEAN_PATH \
    -l$HTCACHECLEAN_SIZE"

Snippet of bash -x /etc/init.d/apache-htcacheclean start:
...
+++ HTCACHECLEAN_SIZE=300M
+++ HTCACHECLEAN_DAEMON_INTERVAL=120
+++ HTCACHECLEAN_PATH=/var/cache/apache2/mod_cache_disk
+++ HTCACHECLEAN_OPTIONS=-n
+++ PIDDIR=/var/run/apache2/www-data
+++ PIDFILE=/var/run/apache2/www-data/apache-htcacheclean.pid
+++ DAEMON_ARGS='-n -d120 -P/var/run/apache2/www-data/apache-htcacheclean.pid -i -p/var/cache/apache2/mod_cache_disk -l300M'
++ NAME=apache-htcacheclean
++ DESC='Apache htcacheclean'
++ '[' none = /var/run/apache2/www-data/apache-htcacheclean.pid ']'
++ '[' -z /var/run/apache2/www-data/apache-htcacheclean.pid ']'
++ '[' none '!=' /usr/bin/htcacheclean ']'
++ '[' '!' -x /usr/bin/htcacheclean ']'
++ '[' -r /etc/default/apache-htcacheclean ']'
++ . /etc/default/apache-htcacheclean
+++ HTCACHECLEAN_MODE=daemon
+++ HTCACHECLEAN_SIZE=64M
+++ HTCACHECLEAN_DAEMON_INTERVAL=15
+++ HTCACHECLEAN_PATH=/dev/shm/htcache
+++ HTCACHECLEAN_OPTIONS=-n
++ . /lib/init/vars.sh
+++ TMPTIME=0
...
...
++ echo ' * Starting Apache htcacheclean' apache-htcacheclean
 * Starting Apache htcacheclean apache-htcacheclean
++ COL=
++ call do_start_cmd
++ cmd=do_start_cmd
++ shift
++ is_call_implemented do_start_cmd_override
++ command -V do_start_cmd_override
++ do_start_cmd_override
++ start-stop-daemon --start --quiet --pidfile /var/run/apache2/www-data/apache-htcacheclean.pid -u www-data --startas /usr/bin/htcacheclean --name htcacheclean --test

(DAEMON_ARGS is never changed and it has the arguments to start the daemon)

$ dpkg -l | grep apache2
ii apache2 2.4.18-2ubuntu3.4 amd64 Apache HTTP Server
ii apache2-bin 2.4.18-2ubuntu3.4 amd64 Apache HTTP Server (modules and other binary files)
ii apache2-data 2.4.18-2ubuntu3.4 all Apache HTTP Server (common files)
ii apache2-utils 2.4.18-2ubuntu3.4 amd64 Apache HTTP Server (utility programs for web servers)
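
Added example (not part of the bug report or of the Ubuntu init script): a small reproduction of the ordering problem described in the comment above, comparing DAEMON_ARGS when the defaults file is sourced after versus before the arguments are assembled. The function names and the temporary defaults file are constructed for illustration; PIDFILE and the override values are taken from the trace.

```shell
# Added illustration of the ordering problem shown in the trace above.
# Function names and the temporary defaults file are constructed here.
PIDFILE=/var/run/apache2/www-data/apache-htcacheclean.pid

# Apply the init script's fallback values, then assemble DAEMON_ARGS.
# (DIR_SUFFIX is empty in the trace, so it is left out of the path here.)
build_daemon_args() {
    HTCACHECLEAN_SIZE="${HTCACHECLEAN_SIZE:=300M}"
    HTCACHECLEAN_DAEMON_INTERVAL="${HTCACHECLEAN_DAEMON_INTERVAL:=120}"
    HTCACHECLEAN_PATH="${HTCACHECLEAN_PATH:=/var/cache/apache2/mod_cache_disk}"
    HTCACHECLEAN_OPTIONS="${HTCACHECLEAN_OPTIONS:=-n}"
    DAEMON_ARGS="$HTCACHECLEAN_OPTIONS -d$HTCACHECLEAN_DAEMON_INTERVAL \
-P$PIDFILE -i -p$HTCACHECLEAN_PATH -l$HTCACHECLEAN_SIZE"
}

# Start each run from a clean slate so inherited environment cannot interfere.
clear_settings() {
    unset HTCACHECLEAN_SIZE HTCACHECLEAN_DAEMON_INTERVAL \
          HTCACHECLEAN_PATH HTCACHECLEAN_OPTIONS DAEMON_ARGS
}

# Order seen in the trace: build DAEMON_ARGS, then source the defaults file.
# The overrides are set too late to reach the command line.
args_source_late() (
    clear_settings
    build_daemon_args
    [ -r "$1" ] && . "$1"
    printf '%s\n' "$DAEMON_ARGS"
)

# Corrected order: source the defaults file first, then build DAEMON_ARGS.
args_source_first() (
    clear_settings
    [ -r "$1" ] && . "$1"
    build_daemon_args
    printf '%s\n' "$DAEMON_ARGS"
)

# Constructed stand-in for /etc/default/apache-htcacheclean (values from the trace).
defaults=$(mktemp)
trap 'rm -f "$defaults"' EXIT
cat > "$defaults" <<'EOF'
HTCACHECLEAN_SIZE=64M
HTCACHECLEAN_DAEMON_INTERVAL=15
HTCACHECLEAN_PATH=/dev/shm/htcache
HTCACHECLEAN_OPTIONS=-n
EOF
echo "sourced late : $(args_source_late "$defaults")"
echo "sourced first: $(args_source_first "$defaults")"
```

With the late ordering the daemon keeps the 300M limit and the default cache path, so the configured 64M limit on /dev/shm/htcache is never enforced.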

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.29-1ubuntu1

---------------
apache2 (2.4.29-1ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - debian/{control, apache2.install, apache2-utils.ufw.profile,
      apache2.dirs}: Add ufw profiles.
    - debian/apache2.py, debian/apache2-bin.install: Add apport hook.
    - debian/patches/086_svn_cross_compiles: Backport several cross
      fixes from upstream
    - d/index.html, d/icons/ubuntu-logo.png, d/apache2.postrm: replace
      Debian with Ubuntu on default page.
      + d/source/include-binaries: add Ubuntu icon file
    - Correct systemd-sysv-generator behavior by customizing some
      parameters:
      + d/apache2-systemd.conf: add a drop-in file to specify some
        parameters for the systemd unit (type=Forking and
        RemainsAfterExit=no), this allow a correct state synchronisation
        between systemctl status and actual state of apache2 daemon.
      + d/apache2.install: place the apache2-systemd.conf file in the
        correct location.
    - Don't build http2 module (nghttp2 still not in main) (LP 1687454)
      + debian/control: removed libnghttp2-dev Build-Depends (in universe).
      + debian/config-dir/mods-available/http2.load: removed.
      + debian/rules: removed proxy_http2 from configure.
  * Switch back to OpenSSL 1.0 as we don't yet have 1.1:
    - debian/control: switch BuildDepends to libssl1.0-dev
    - debian/control: remove Breaks on gridsite and libapache2-mod-dacs
    - debian/rules: remove openssl virtual package and logic

apache2 (2.4.29-1) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Replace outdated dependency on dh-systemd

  [ Ondřej Surý ]
  * New upstream version 2.4.29
  * Refresh quilt patches
  * Add mod_ssl_md patch needed for libapache2-mod-md (Closes: #877343)
  * Refresh patches on top of upstream release 2.4.29
  * Fix Apache crash on restarts (ASF Bug 61558)
  * Add deconfigure to the list of recognized scripts (Closes: #877524)

apache2 (2.4.27-6) unstable; urgency=high

  * CVE-2017-9798: Don't allow new methods to be registered in .htaccess files
    which could result in HTTP OPTIONS method leaking Apache's server memory.
    Closes: #876109
  * Fix argument escaping in apachectl. Closes: #876384

apache2 (2.4.27-5) unstable; urgency=medium

  * Upload to unstable.
  * Update "Breaks:" for openssl transition.
  * Bump Standards-Version to 4.1.0. No changes needed.

apache2 (2.4.27-4) experimental; urgency=medium

  * Use 'invoke-rc.d' instead of init script in logrotate script.
    Closes: #857607
  * Make the apache-htcacheclean init script actually look into
    /etc/default/apache-htcacheclean for its config. LP: #1691495
  * mime.conf: Guard AddOutputFilter INCLUDES with proper <IfModule>.
    LP: #1675184
  * Use 'service' instead of init script in monit example config.
  * Bump Standards-Version to 4.0.1. Other changes:
    - change package priorities from extra to optional
  * Use libprotocol-http2-perl in autopkgtest.
  * Update test suite to svn r1804214.
  * Various tweaks to the test suite autopkgtest to avoid having to skip
    any test.
  * Also remove -DBUILD_DATETIME an...

Changed in apache2 (Ubuntu):
status: Confirmed → Fix Released