Nginx shared libraries permission error

Nginx Permission Issue with AppArmor

I am encountering issues while running Nginx, specifically a permission error. To troubleshoot, I disabled AppArmor temporarily using apparmor_parser -r to check if the issue originated from AppArmor. However, I did not find any apparent issues. After restarting my PC, a permission issue surfaced in the home directory .valet.

Permissions of .valet Directory

ls -la .valet
total 8
drwxr-xr-x 1 abbasmashaddy72 abbasmashaddy72 126 Dec 14 01:56 .
drwx------ 1 abbasmashaddy72 root            730 Dec 14 02:19 ..
drwxr-xr-x 1 abbasmashaddy72 abbasmashaddy72   0 Dec 13 22:46 Certificates
-rw-r--r-- 1 abbasmashaddy72 abbasmashaddy72 177 Dec 14 01:56 config.json
drwxr-xr-x 1 abbasmashaddy72 abbasmashaddy72  42 Dec 13 22:46 Drivers
drwxr-xr-x 1 abbasmashaddy72 abbasmashaddy72   0 Dec 13 22:46 Extensions
drwxr-xr-x 1 abbasmashaddy72 abbasmashaddy72  30 Dec 13 22:46 Log
drwxr-xr-x 1 abbasmashaddy72 abbasmashaddy72  10 Dec 13 22:46 Nginx
drwxr-xr-x 1 abbasmashaddy72 abbasmashaddy72   0 Dec 13 22:46 Sites
lrwxrwxrwx 1 abbasmashaddy72 abbasmashaddy72  41 Dec 14 01:56 valet.sock -> /home/abbasmashaddy72/.valet/valet82.sock

AppArmor Configuration for Nginx Permissions

#include <tunables/global>

/usr/sbin/nginx {
  # Allow read access to Nginx log files
  /home/abbasmashaddy72/.valet/Nginx/* rw,
  /home/abbasmashaddy72/.valet/Nginx/** rw,

  # Add any other necessary rules here
  /usr/lib/libcrypt.so.1 mr,
  /usr/lib64/libcrypt.so.1 mr,
}

sudo apparmor_parser -r /etc/apparmor.d/local/usr.sbin.nginx

Error Message on Nginx Service Status

sudo systemctl status nginx.service
× nginx.service - The nginx HTTP and reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Thu 2023-12-14 01:56:08 IST; 1min 24s ago
    Process: 31003 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=127)
        CPU: 32ms

Dec 14 01:56:08 localhost.localdomain systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 14 01:56:08 localhost.localdomain nginx[31003]: /usr/sbin/nginx: error while loading shared libraries: libcrypt.so.1: cannot open shared object file: Permission denied
Dec 14 01:56:08 localhost.localdomain systemd[1]: nginx.service: Control process exited, code=exited, status=127/n/a
Dec 14 01:56:08 localhost.localdomain systemd[1]: nginx.service: Failed with result 'exit-code'.
Dec 14 01:56:08 localhost.localdomain systemd[1]: Failed to start The nginx HTTP and reverse proxy server.

Checked Main Libraries

sudo ldconfig -p | grep libcrypt
        libcryptsetup.so.12 (libc6,x86-64) => /lib64/libcryptsetup.so.12
        libcrypto.so.3 (libc6,x86-64, hwcap: "x86-64-v3") => /lib64/glibc-hwcaps/x86-64-v3/libcrypto.so.3.1.4
        libcrypto.so.3 (libc6,x86-64) => /lib64/libcrypto.so.3
        libcrypt.so.1 (libc6,x86-64) => /lib64/libcrypt.so.1
        libcrypt.so.1 (libc6) => /lib/libcrypt.so.1
        libcrypt.so (libc6,x86-64) => /lib64/libcrypt.so
ls -la /lib   
lrwxrwxrwx 1 root root 7 Dec 11 00:19 /lib -> usr/lib
ls -la /lib64 
lrwxrwxrwx 1 root root 9 Dec 11 00:19 /lib64 -> usr/lib64

Checked Local Libraries

ls -la /usr/lib
lrwxrwxrwx 1 root root      17 Oct  9 12:05 libcrypt.so.1 -> libcrypt.so.1.1.0
-rwxr-xr-x 1 root root  214452 Oct  9 12:05 libcrypt.so.1.1.0

If anyone can assist in resolving this issue, your help will be highly appreciated.

Did you check where nginx tries to load the library from?

So you checked. Did you not notice that the paths you added to your security profile are different?

How should I check it?

Brute force - strace. Usual method - aa-logprof.
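As an added example that is not part of the thread: a small POSIX shell script that follows the hint in the replies, resolving each library ldd reports for the binary to the path the kernel actually opens (symlinks followed, as in /lib64 -> usr/lib64 and libcrypt.so.1 -> libcrypt.so.1.1.0 above) and checking whether the profile names that exact path. The function names and the comparison logic are mine; it assumes GNU readlink, ldd, sed -E and grep, and it does not expand glob rules or include'd abstractions.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the shared objects a binary
# loads to the final path the kernel opens, then check whether an AppArmor
# profile names that path literally. AppArmor matches rules against the path
# after symlinks are followed, so a rule for /usr/lib64/libcrypt.so.1 does not
# cover the file that is really opened, /usr/lib64/libcrypt.so.1.1.0.
set -eu

# Follow every symlink in PATH and print the canonical path.
canonical_path() { readlink -f -- "$1"; }

# Print "loader-path canonical-path" for each library ldd reports for BINARY.
loaded_libs() {
    ldd -- "$1" | awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
    while IFS= read -r lib; do
        printf '%s %s\n' "$lib" "$(canonical_path "$lib")"
    done
}

# Paths named by literal file rules in PROFILE: optional 'owner', an absolute
# path, permissions, trailing comma. Skips includes, capability/network rules
# and the 'profile {' header, which has no trailing comma.
profile_paths() {
    sed -E -n 's/^[[:space:]]*(owner[[:space:]]+)?(\/[^[:space:]]+)[[:space:]]+[^,]*,.*$/\2/p' "$1"
}

# Does a literal rule in PROFILE name exactly REAL? (0 = yes, 1 = no)
rule_names_path() { profile_paths "$2" | grep -qxF -- "$1"; }

# Report, for each library BINARY loads, whether PROFILE covers its real path.
# Glob rules (*, **) and include'd abstractions such as abstractions/base,
# which already grants mr on the system library directories, are not expanded
# here; aa-logprof remains the authoritative check for those.
check_binary() {
    loaded_libs "$1" | while read -r lib real; do
        if rule_names_path "$real" "$2"; then
            printf 'OK       %s -> %s\n' "$lib" "$real"
        else
            printf 'MISSING  %s -> %s\n' "$lib" "$real"
        fi
    done
}

# usage: sh check.sh /usr/sbin/nginx /etc/apparmor.d/usr.sbin.nginx
if [ $# -eq 2 ]; then check_binary "$1" "$2"; fi
```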

I see these logs in AppArmor

I also followed this link, Create an AppArmor Profile for Nginx, but was still unsuccessful.

There are some mount options to be used with AppArmor in the openSUSE docs, Confining Privileges with AppArmor, but I was unable to understand them. I tried to do the same, like mount -o rw /home /home, but received a syntax error. I think it is something to do with the AppArmor permissions only. Below are my nginx.conf and nginx AppArmor profile.

nginx AppArmor Profile

# Last Modified: Fri Dec 15 17:24:46 2023
abi <abi/3.0>,

include <tunables/global>

/usr/sbin/nginx {
  include <abstractions/base>
  include <abstractions/nis>
  include <abstractions/openssl>

  capability chown,
  capability dac_override,
  capability dac_read_search,

  network inet stream,
  network unix stream,

  /etc/nginx/conf.d/ r,
  /etc/nginx/fastcgi_params r,
  /etc/nginx/mime.types r,
  /etc/nginx/nginx.conf r,
  /etc/nginx/sites-available/valet.conf r,
  /etc/nginx/sites-enabled/ r,
  /home/*/.valet/*/ rwux,
  /home/*/.valet/Log/nginx-error.log rwux,
  /home/*/.valet/Nginx/* rwux,
  /usr/sbin/nginx mr,
  /var/lib/nginx/fastcgi/ w,
  /var/lib/nginx/proxy/ w,
  /var/lib/nginx/scgi/ w,
  /var/lib/nginx/tmp/ w,
  /var/lib/nginx/uwsgi/ w,
  /var/log/nginx/error.log w,
  owner /etc/group r,
  owner /etc/ld.so.cache r,
  owner /etc/nsswitch.conf r,
  owner /etc/passwd r,
  owner /proc/sys/crypto/fips_enabled r,
  owner /run/nginx.pid rw,
  owner /sys/devices/system/cpu/online r,

}

nginx.conf

#user 'abbasmashaddy72' 'root';
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
    # multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;

    gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/rss+xml
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/svg+xml
    image/x-icon
    text/css
    text/plain
    text/x-component;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
    include /home/abbasmashaddy72/.valet/Nginx/*;
}

nginx current status

× nginx.service - The nginx HTTP and reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Fri 2023-12-15 17:19:49 IST; 18min ago
    Process: 5259 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
        CPU: 65ms

Dec 15 17:19:49 localhost.localdomain systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 15 17:19:49 localhost.localdomain nginx[5259]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Dec 15 17:19:49 localhost.localdomain nginx[5259]: nginx: [emerg] open() "/home/abbasmashaddy72/.valet/Log/nginx-error.log" failed (30: Read-only file system)
Dec 15 17:19:49 localhost.localdomain nginx[5259]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 15 17:19:49 localhost.localdomain systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Dec 15 17:19:49 localhost.localdomain systemd[1]: nginx.service: Failed with result 'exit-code'.
Dec 15 17:19:49 localhost.localdomain systemd[1]: Failed to start The nginx HTTP and reverse proxy server.

Educated guess - it is due to systemd service hardening (ProtectHome=read-only), assuming you are using the default service definition that comes with the openSUSE package.


I am actually using this package, cpriego/valet-linux. Everything worked fine except the nginx permission issue. How can I fix this ProtectHome=read-only in the systemd service?
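The reply above points at systemd's ProtectHome=read-only, which matches the "30: Read-only file system" error on a path under /home. As an added example (not from the thread, nginx or valet-linux), this shell snippet models that setting's effect on the log path and prints the smallest drop-in that carves the directory out with ReadWritePaths= instead of turning the protection off; the unit name and path come from the thread, and the sample `systemctl show` text is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): model what ProtectHome= does to a
# write under /home and emit a drop-in that keeps the hardening but makes one
# directory writable. Unit name and path are taken from the thread.
set -eu

# Is PATH inside one of the three trees ProtectHome= controls? (0 = yes)
under_protected_home() {
    case $1 in /home/*|/root/*|/run/user/*) return 0 ;; esac
    return 1
}

# Given the text of `systemctl show -p ProtectHome -p ReadWritePaths UNIT`,
# say whether the service may write PATH. Prints: writable | read-only | hidden
# Only the 'no' and 'read-only' modes are modelled; 'yes' and 'tmpfs' replace
# the trees entirely and are just reported as 'hidden'.
home_write_status() {
    show=$1 path=$2
    protect=$(printf '%s\n' "$show" | sed -n 's/^ProtectHome=//p')
    rw_paths=$(printf '%s\n' "$show" | sed -n 's/^ReadWritePaths=//p')
    under_protected_home "$path" || { echo writable; return; }
    case $protect in
        ''|no) echo writable; return ;;
        yes|tmpfs) echo hidden; return ;;
    esac
    # read-only: a ReadWritePaths= entry that is a prefix of PATH wins, because
    # systemd mounts the more specific path on top of the read-only /home.
    for p in $rw_paths; do
        case $path in "$p"|"$p"/*) echo writable; return ;; esac
    done
    echo read-only
}

# Drop-in text that re-enables writing to one directory while leaving
# ProtectHome=read-only in force for the rest of /home.
dropin_for_path() {
    printf '[Service]\nReadWritePaths=%s\n' "$1"
}

# Constructed sample of the stock unit's settings (not captured from the poster).
SAMPLE_SHOW='ProtectHome=read-only
ReadWritePaths='

# usage: sh protecthome.sh /home/abbasmashaddy72/.valet/Log
if [ $# -eq 1 ]; then
    home_write_status "$(systemctl show -p ProtectHome -p ReadWritePaths nginx.service)" "$1/nginx-error.log"
    dropin_for_path "$1"
fi
```

Install the emitted text as a drop-in with systemctl edit nginx.service (it lands in /etc/systemd/system/nginx.service.d/override.conf), then run systemctl daemon-reload and restart the unit.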