Re: Problem Configuring httpd 2.4 to allow expired client certificates

I have since found this link:

https://stackoverflow.com/questions/72020602/how-to-set-ld-preload-in-systemd

The difficulties getting LD_PRELOAD to work with systemd are discussed there, and it said the wrapper approach was the solution. I had already tried the other approaches discussed, with no success. Moreover, the wrapper I created did not work either. For AL2023 the default installed httpd service file is at /usr/lib/systemd/system/httpd.service , which has:

ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND

and it also has a comment to use 'systemctl edit httpd' to override contents (i.e. don't edit directly). I used the edit command to override the ExecStart and it created a file /etc/systemd/system/httpd.service.d/override.conf , which contains the single line to use the wrapper script:

ExecStart=/etc/httpd/conf/files/ExecStart.sh

Which has the contents:

$ cat /etc/httpd/conf/files/ExecStart.sh
#!/bin/sh
LD_PRELOAD=mysslverify.so /usr/sbin/httpd $OPTIONS -DFOREGROUND

Where mysslverify.so is installed in the standard location:

$ ls -l /usr/lib64/mysslverify.so
-rwxr-xr-x. 1 root root 16088 Aug 13 18:05 /usr/lib64/mysslverify.so

With these changes, the restart commands were done:

systemctl daemon-reload
systemctl stop httpd
systemctl start httpd

In this case, it appears the wrapper was never even executed. When I try to examine the ExecStart service directives, it shows two:

[root@Dev-Files-2023 httpd.service.d]$ systemctl cat httpd | grep ExecStart
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecStart=/etc/httpd/conf/files/ExecStart.sh

I can also tell that the LD_PRELOAD configuration had no impact because the shared library is not found in the proc map:

$ cat /proc/405099/maps | grep myverifyssl | wc -l
0

So it appears as if only the first ExecStart listed from the original service file is being used.

Note that setting LD_PRELOAD via the environment directive has some impact:

Environment="LD_PRELOAD=/usr/lib64/mysslverify.so"

As can be seen by this example: 

$ cat /proc/405546/maps | grep mysslverify
7ff5daca5000-7ff5daca6000 r--p 00000000 103:01 8523479                   /usr/lib64/mysslverify.so
7ff5daca6000-7ff5daca7000 r-xp 00001000 103:01 8523479                   /usr/lib64/mysslverify.so
7ff5daca7000-7ff5daca8000 r--p 00002000 103:01 8523479                   /usr/lib64/mysslverify.so
7ff5daca8000-7ff5daca9000 r--p 00002000 103:01 8523479                   /usr/lib64/mysslverify.so
7ff5daca9000-7ff5dacaa000 rw-p 00003000 103:01 8523479                   /usr/lib64/mysslverify.so

However, the library is not being "preloaded", e.g. loaded before other libs. The map output shows mysslverify.so with a larger address than the standard OpenSSL libraries, which per the Stack Overflow link at the start of this email says it will not be executed.

If I disregard the edit comment in the default httpd service file and edit it directly to call the wrapper with ExecStart, attempts to start httpd result in a timeout:

$ systemctl start httpd
Job for httpd.service failed because a timeout was exceeded.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.

The start command was hung for a while before timeout, and the following httpd processes existed:

$ ps aux | grep httpd
root      403591  0.0  0.0 234280  6024 pts/3    S+   20:53   0:00 systemctl start httpd
root      403594  0.0  0.0  13348  3176 ?        Ss   20:53   0:00 /bin/sh /etc/httpd/conf/files/ExecStart.sh
root      403596  0.7  0.1  35256 15252 ?        S    20:53   0:00 /usr/sbin/httpd -DFOREGROUND
apache    403639  0.0  0.0  46212  5176 ?        S    20:53   0:00 /usr/sbin/httpd -DFOREGROUND
apache    403641  0.0  0.1 1736832 8660 ?        Sl   20:53   0:00 /usr/sbin/httpd -DFOREGROUND
apache    403642  0.0  0.1 1572928 8660 ?        Sl   20:53   0:00 /usr/sbin/httpd -DFOREGROUND
apache    403644  0.0  0.1 1572928 8660 ?        Sl   20:53   0:00 /usr/sbin/httpd -DFOREGROUND
root      403829  0.0  0.0 222312  2176 pts/5    S+   20:53   0:00 grep --color=auto httpd

The journalctl command to show details simply shows a bunch of lines:

Aug 13 20:56:05 ip-10-16-4-0.us-west-2.compute.internal systemd[1]: httpd.service: Killing process 403823 (httpd) with signal SIGKILL.

Any guidance on how I can get this LD_PRELOAD working for httpd on AL2023 would be much appreciated...
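An added example, not part of the original post and not code from the httpd project: the drop-in and wrapper shape that keeps a service from ending up with two ExecStart= entries (the state shown in the `systemctl cat httpd | grep ExecStart` output above), plus a small check that counts the effective ExecStart= entries in that kind of output. The paths /etc/httpd/conf/files/ExecStart.sh and /usr/lib64/mysslverify.so are the ones named in the thread; that the httpd unit is Type=notify is an assumption to confirm with `systemctl cat httpd` before relying on the `exec` point. The functions only produce and inspect text; nothing here touches system files.

```shell
#!/bin/sh
# Added example (not from the original post). Shows the drop-in/wrapper shape
# for replacing ExecStart with an LD_PRELOAD wrapper, and a text check for the
# "two ExecStart= lines" state. Paths come from the thread; the Type=notify
# remark is an assumption to verify against the real unit file.

# Drop-in content for /etc/systemd/system/httpd.service.d/override.conf.
# The empty "ExecStart=" line resets the list inherited from the unit file;
# without it systemd keeps the original entry and the new one side by side.
override_conf() {
    cat <<'EOF'
[Service]
ExecStart=
ExecStart=/etc/httpd/conf/files/ExecStart.sh
EOF
}

# Wrapper script content. 'exec' makes httpd replace the shell, so the unit's
# main PID is httpd itself; on a Type=notify unit systemd waits for READY=1
# from the main PID, and a shell that merely forks httpd never sends it.
# The absolute library path keeps LD_PRELOAD independent of the loader's
# search path.
wrapper_sh() {
    cat <<'EOF'
#!/bin/sh
export LD_PRELOAD=/usr/lib64/mysslverify.so
exec /usr/sbin/httpd $OPTIONS -DFOREGROUND
EOF
}

# Count the effective ExecStart= entries in `systemctl cat`-style text read
# from stdin: an empty "ExecStart=" resets the count, a non-empty one adds one.
# Prints the number; a non-oneshot service needs exactly 1.
effective_execstart_count() {
    awk '
        /^ExecStart=$/ { n = 0; next }
        /^ExecStart=./ { n++ }
        END { print n + 0 }
    '
}

# Constructed sample mirroring the thread's grep output (two live entries).
SAMPLE_BAD='ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecStart=/etc/httpd/conf/files/ExecStart.sh'

# Stand-alone run: show the counts for the bad sample and for the drop-in.
printf 'bad sample: %s effective ExecStart entries\n' \
    "$(printf '%s\n' "$SAMPLE_BAD" | effective_execstart_count)"
printf 'unit + drop-in: %s effective ExecStart entries\n' \
    "$( (printf '%s\n' "$SAMPLE_BAD"; override_conf) | effective_execstart_count)"
```

After writing the drop-in, `systemctl daemon-reload` and `systemctl cat httpd | grep ExecStart` should show the empty reset line followed by a single wrapper entry; `grep mysslverify /proc/$(systemctl show -p MainPID --value httpd)/maps` then checks the main PID rather than a guessed one. A wrapper without `exec` on a notify-type unit produces exactly the shape seen above: a `/bin/sh` main process, httpd workers running underneath it, and a start job that times out and is killed.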