FreeBSD Apache 2.4 rewrite/proxy module errors

Question

Just set up a FreeBSD jail to run httpd in it and all works good except these two, rewrite/proxy modules.

These are error logs excerpts:

mod_rewrite error:

[rewrite:crit] [pid 43447] (13)Permission denied: AH00666: mod_rewrite: could not init rewrite_mapr_lock_acquire in child

mod_proxy error:

[proxy:crit] [pid 43447] (13)Permission denied: AH02479: could not init proxy_mutex in child

Not sure permissions of what are being denied as html in document root is being served just fine when these modules are disabled.

I tried googling but found nothing but rubbish.

score 1 · Answer 1 · answered Aug 05 '14 at 06:22

1

Sounds like your jail lacks permissions for SysV IPC. Try to set sysvipc_allow=1 in your jail settings or pass it with jail command.

answered Aug 05 '14 at 06:22

Janne Pikkarainen

how does that harm isolation i'm trying to achieve? – dzhi Aug 05 '14 at 06:37
@purpler The handbook covers that: http://www.freebsd.no/doc/en/books/arch-handbook/jail-restrictions.html – Thor Erik Aug 05 '14 at 07:13
"By default, this sysctl is set to 0. If it were set to 1, it would defeat the whole purpose of having a jail". So that's out of question. Why would mod_rewrite and mod_proxy need IPC? – dzhi Aug 05 '14 at 07:19
If I've understood right, FreeBSD 9.x and later do allow setting sysvipc_allow and plethora of other restrictions on per-jail basis instead of global sysctl values. – Janne Pikkarainen Aug 05 '14 at 07:24
I don't think we could call this a restriction, rather permission which renders the point of having jails completely useless. – dzhi Aug 05 '14 at 07:52
I did try but I'm still seeing those error logs. Apache 2.2 works just fine completely jailed. – dzhi Aug 08 '14 at 10:10

score 0 · Accepted Answer · answered Aug 18 '14 at 11:25

The issue were permissions.

I set /etc/pw.conf umask to 007 from default 022 and that resulted in certain executables being unable to be reached from jails.

Once i changed containing directory permissions to original ones it all started working properly and modules are not logging errors any more.

Typical example of PEBKAC.

2 Answers2