Your message dated Fri, 05 Dec 2025 06:04:39 +0000
with message-id <E1vROvn-00GOCg-1p@fasolo.debian.org>
and subject line Bug#1091855: fixed in apache2 2.4.66-1
has caused the Debian Bug report #1091855,
regarding Assumes only root can chroot(), disregarding cap_sys_chroot
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1091855: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091855
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: Assumes only root can chroot(), disregarding cap_sys_chroot
- From: Andras Korn <korn-debbugs@elan.rulez.org>
- Date: Wed, 1 Jan 2025 16:03:10 +0100
- Message-id: <6aruuj5s3tjfw7ioqwck6pqk4exvaarwvnfje7iu7y4n7bqs7o@exzc75a3ik5g>
Package: apache2-bin
Version: 2.4.62-3
Severity: normal
Tags: upstream

Hi,

I'm trying to start apache as a non-root user, with a minimal set of
capabilities that allow it to work.

My command line looks like this:

    capsh \
        --keep=1 \
        --gid=33 \
        --groups=33 \
        --caps="cap_net_bind_service+eip cap_sys_chroot+eip cap_setuid+ep" \
        --uid=33 \
        --addamb=cap_net_bind_service,cap_sys_chroot \
        --print \
        -- \
        -c '/usr/sbin/apache2 -d "/etc/apache2" -DSSL -DNO_DETACH -DFOREGROUND -f "/etc/apache2/apache2.conf"'

Diagnostic output from capsh(1) confirms capabilities are set correctly:

    Current: cap_net_bind_service,cap_sys_chroot=ip cap_setuid+p
    Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
    Ambient set =cap_net_bind_service,cap_sys_chroot
    Current IAB: ^cap_net_bind_service,^cap_sys_chroot
    Securebits: 020/0x10/5'b10000 (no-new-privs=0)
     secure-noroot: no (unlocked)
     secure-no-suid-fixup: no (unlocked)
     secure-keep-caps: yes (unlocked)
     secure-no-ambient-raise: no (unlocked)
    uid=33(www-data) euid=33(www-data)
    gid=33(www-data)
    groups=33(www-data)
    Guessed mode: UNCERTAIN (0)

However, apache says:

    [unixd:alert] [pid 24573:tid 24573] AH02158: Cannot chroot when not started as root

The same capsh command works with merecat httpd and allows it to chroot.

The problem seems to be that in modules/arch/unix/mod_unixd.c, in

    static int unixd_drop_privileges(apr_pool_t *pool, server_rec *s),

the code explicitly checks for geteuid() == 0 and doesn't even attempt the
chroot if it's not running as root:

    if (geteuid()) {
        rv = errno;
        ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL, APLOGNO(02158)
                     "Cannot chroot when not started as root");
        return rv;
    }

This is just wrong. Apache has no business trying to guess what the kernel
will allow it to do; there could be an arbitrary security/privilege mechanism
(not just capabilities) in place that will allow this particular process to
chroot to that particular directory at this particular time of day. Apache
can't know this unless it tries to chroot.

I think this check should be dropped; at most, if the chroot doesn't succeed,
AND we're not running as root, Apache could include this information as a
hint in the error message. "Cannot chroot when not started as root" is
factually incorrect.

Also, happy new year!

András

-- System Information:
Debian Release: trixie/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (350, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.5-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=hu_HU.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: runit (via /run/runit.stopit)
LSM: AppArmor: enabled

--
There are more airplanes in the ocean than there are submarines in the air.
--- End Message ---
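
The approach proposed in the report above (attempt chroot() first, then use the euid only as a hint when the kernel says EPERM), as an added example that is not part of the original report and is not Apache's or Debian's actual patch. The function names, the message wording and the sample CapEff line are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes chroot() in <unistd.h> on glibc */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define CAP_SYS_CHROOT_BIT 18      /* CAP_SYS_CHROOT in <linux/capability.h> */

/* Parse a "CapEff:" line from /proc/<pid>/status, e.g. the constructed sample
 * "CapEff:\t0000000000040400". Returns 1 if set, 0 if not, -1 if unparsable. */
int capeff_has_chroot(const char *status_line)
{
    unsigned long long mask;
    if (sscanf(status_line, "CapEff: %llx", &mask) != 1)
        return -1;
    return (int)((mask >> CAP_SYS_CHROOT_BIT) & 1ULL);
}

/* Format the diagnostic for a failed chroot(): the kernel's errno is the
 * fact; the euid is only a hint, and only when the failure was EPERM. */
int chroot_failure_message(char *buf, size_t len, const char *dir,
                           int err, uid_t euid)
{
    const char *hint = (err == EPERM && euid != 0)
        ? " (not running as root; is CAP_SYS_CHROOT effective?)" : "";
    return snprintf(buf, len, "Can't chroot to %s: %s%s",
                    dir, strerror(err), hint);
}

/* Attempt the chroot without guessing the outcome first.
 * Returns 0 on success, otherwise the errno from chroot()/chdir(). */
int try_chroot(const char *dir, char *msg, size_t len)
{
    if (chroot(dir) != 0 || chdir("/") != 0) {
        int err = errno;
        chroot_failure_message(msg, len, dir, err, geteuid());
        return err;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char msg[256] = "ok";
    int rc = argc > 1 ? try_chroot(argv[1], msg, sizeof msg) : 0;
    printf("%d %s\n", rc, msg);
    return rc != 0;
}
```

Run under the capsh invocation from the report with a directory argument, it succeeds as uid 33; without cap_sys_chroot it reports EPERM with the hint instead of refusing to try.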
--- Begin Message ---
- To: 1091855-close@bugs.debian.org
- Subject: Bug#1091855: fixed in apache2 2.4.66-1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Fri, 05 Dec 2025 06:04:39 +0000
- Message-id: <E1vROvn-00GOCg-1p@fasolo.debian.org>
- Reply-to: Yadd <yadd@debian.org>
Source: apache2
Source-Version: 2.4.66-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1091855@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Fri, 05 Dec 2025 06:35:34 +0100
Source: apache2
Architecture: source
Version: 2.4.66-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 713967 860087 900612 913094 927302 1091855 1105015 1121926
Changes:
 apache2 (2.4.66-1) unstable; urgency=medium
 .
   [ Laurent Bigonville ]
   * Enable systemd module (Closes: #860087).
   * debian/apache2ctl: Fix the restart and graceful when using system.
     When apache is not running and restart or graceful is called, apache
     was running in the user cgroup and system was confused
     (Closes: #927302). This will also avoid leaking fd to apache
     (Closes: #713967).
 .
   [ Helmut Grohne ]
   * Fix FTCBFS: (Closes: #913094)
     + Annotate perl build dependency with :any.
     + cross.patch: Use AC_PATH_TOOL to find pkg-config.
     + Generate server/test_char.h ahead of the build
 .
   [ Jason Perrin ]
   * Fix packaging steps undo setting of setuid bit (Closes: #900612)
 .
   [ Bastien Roucariès ]
   * Harden systemd services. Set ProtectSystem=full ProtectHome=read-only,
     RestrictSUIDSGID=yes. This may break read-write CGI script to /home
     and WebDAV or other CGI/php/lua uses.
   * Move /var/run to /run and /var/lock to /run/lock
   * Allow CAP_SYS_CHROOT for chroot (Closes: #1091855)
   * Remove apache2 IPC
 .
   [ Moritz Schlarb ]
   * Support Rules-Requires-Root: no (Closes: #1105015)
 .
   [ Yadd ]
   * New upstream version (Closes: #1121926, CVE-2025-55753, CVE-2025-58098,
     CVE-2025-59775, CVE-2025-65082, CVE-2025-66200)
--- End Message ---