Chroot fails with "Cannot chroot when not started as root" error

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Looks like we need to cherry-pick this upstream fix if we do not merge it in first.

Since ChrootDir is not a default option, I think Medium priority is appropriate given the criteria listed at https://wiki.ubuntu.com/Bugs/Importance. That's not to say we shouldn't fix it, and an SRU to Saucy isn't out of the question, either.

Thank you for reviewing this bug report and assigning the severity. While I agree with you on the assigned severity of "Medium", I'd like to point out that though ChrootDir is not a default option, it relates to the security of apache server. I am not sure how many users simply use the server w/ default options, but I would guess many will do server hardening starting with chrooting. Would really appreciate if this fix is included soon.

If you fix that, you also need to regenerate debian/patches/itk-rerun-configure.patch after the upstream patch has been applied . I have done that in the attached patch. I would recommend that you do that for saucy.

This will also be fixed in 2.4.6-4, which will be uploaded to Debian soon. Therefore for trusty, there is probably no need for further action.

The attachment "patch against 2.4.6-2" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Any update on when can we get a fix for this?

As 2.4.6-4 hasn't been uploaded to Debian yet, and fixing Trusty blocks fixing Saucy, I've verified the problem with a dep8 test, verified Stefan's patch with it and uploaded the fix to Trusty. Thanks!

This bug was fixed in the package apache2 - 2.4.6-2ubuntu4

---------------
apache2 (2.4.6-2ubuntu4) trusty; urgency=low

  * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so
    that it does not use files find inside the .pc directory. This stops a
    double module load causing later havoc, including "ChrootDir" directive
    failure (LP: #1251939). Thanks to Stefan Fritsch.
  * d/tests/chroot: dep8 test for ChrootDir case.
 -- Robie Basak <email address hidden> Thu, 28 Nov 2013 16:21:51 +0000

Hello Arul, or anyone else affected,

Accepted apache2 into saucy-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apache2/2.4.6-2ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I can confirm that Chroot is working in the proposed (2.4.6-2ubuntu2.1 )
Thank you for the fix.
-Arul

The verification of the Stable Release Update for apache2 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

This bug was fixed in the package apache2 - 2.4.6-2ubuntu2.1

---------------
apache2 (2.4.6-2ubuntu2.1) saucy; urgency=low

  * d/p/ignore-quilt-dir, d/p/itk-rerun-configure.patch: adjust build system so
    that it does not use files find inside the .pc directory. This stops a
    double module load causing later havoc, including "ChrootDir" directive
    failure (LP: #1251939). Thanks to Stefan Fritsch.
  * d/tests/chroot: dep8 test for ChrootDir case.
 -- Robie Basak <email address hidden> Thu, 28 Nov 2013 17:45:57 +0000

Hi Stefan,

Remember this bug?
https://issues.apache.org/bugzilla/show_bug.cgi?id=55787
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1251939
http://svn.apache.org/viewvc/httpd/httpd/trunk/build/config-stubs?view=log&pathrev=1542615

I really appreciated your fix for that.

I'm merging apache2 2.4.7-1 from Debian into Ubuntu, but I can't find
the fix in Debian for this issue. The upstream fix doesn't seem to be
present, and I tried dropping a config*.m4 file into .pc/ and the
"configfiles=" line picks it up.

So is Debian 2.4.7-1 still affected by this issue, or has there been
some other fix of which I'm not aware? I'm not sure whether this is a
bug in Debian, or if I'm missing something.

I'd appreciate your thoughts.

Thanks,

Robie

Hi Robie,

Am Freitag, 3. Januar 2014, 16:53:26 schrieb Robie Basak:
> I'm merging apache2 2.4.7-1 from Debian into Ubuntu, but I can't
> find the fix in Debian for this issue. The upstream fix doesn't
> seem to be present, and I tried dropping a config*.m4 file into
> .pc/ and the "configfiles=" line picks it up.
>
> So is Debian 2.4.7-1 still affected by this issue, or has there been
> some other fix of which I'm not aware? I'm not sure whether this is
> a bug in Debian, or if I'm missing something.

You are right, the real fix is not included. We "fixed" the issue by
removing the patches that touch *.m4 files. Therefore, no *.m4 file
will be created in the .pc directory.

This reminds me that I need to propose the upstream patch for backport
to 2.4.8. Maybe we should put the fix into the debian package for
2.4.7-2, too, but there are usually few reasons to patch the m4 files,
now that we have moved mpm-itk to its own source package.

Cheers,
Stefan

Hi Stefan,

Thank you for explaining this to me.

On Sat, Jan 04, 2014 at 07:11:58PM +0100, Stefan Fritsch wrote:
> You are right, the real fix is not included. We "fixed" the issue by
> removing the patches that touch *.m4 files. Therefore, no *.m4 file
> will be created in the .pc directory.
>
> This reminds me that I need to propose the upstream patch for backport
> to 2.4.8. Maybe we should put the fix into the debian package for
> 2.4.7-2, too, but there are usually few reasons to patch the m4 files,
> now that we have moved mpm-itk to its own source package.

I'm wondering if there's more of a potential issue in Ubuntu than in
Debian here. Our next release will be supported for five years, so I
expect that we'll backport a number of as-yet-unknown bug fixes. As
we're team based, it could be anybody doing this, and they may be
unaware of this issue.

So I think I'd prefer to carry the backported fix for this, just so
there isn't a mine for a future developer to step on.

We prefer to keep our delta against Debian small, so that's a vote from
me to have the fix in 2.4.7-2, please. That's assuming that we just need
the ignore-quilt-dir patch, or are there any complications with
build system regeneration or anything like that?

I'll also look to see if I can write a dep8 test that just checks for
duplicate module loads.

Thanks,

Robie

Hi Robie,

Am Montag, 6. Januar 2014, 13:01:06 schrieb Robie Basak:
> I'm wondering if there's more of a potential issue in Ubuntu than in
> Debian here. Our next release will be supported for five years, so
> I expect that we'll backport a number of as-yet-unknown bug fixes.
> As we're team based, it could be anybody doing this, and they may
> be unaware of this issue.
>
> So I think I'd prefer to carry the backported fix for this, just so
> there isn't a mine for a future developer to step on.
>
> We prefer to keep our delta against Debian small, so that's a vote
> from me to have the fix in 2.4.7-2, please. That's assuming that we
> just need the ignore-quilt-dir patch, or are there any
> complications with build system regeneration or anything like that?

The code is only executed when running buildconf to re-create
configure. This is not normally done during package build. Therefore
the patch to build/config-stubs is sufficient to avoid the problem in
the future if/when someone needs to re-run buildconf again. I have
committed the patch to be included in 2.4.7-2.

Cheers,
Stefan

On Sun, Jan 12, 2014 at 11:02:32PM +0100, Stefan Fritsch wrote:
> The code is only executed when running buildconf to re-create
> configure. This is not normally done during package build. Therefore
> the patch to build/config-stubs is sufficient to avoid the problem in
> the future if/when someone needs to re-run buildconf again.

Handy to know, thanks.

> I have
> committed the patch to be included in 2.4.7-2.

Perfect. Thank you very much for your help!

Robie