apache cannot start

h112 · June 29, 2009, 6:58pm

hi all
i'm having a problem with apache on solaris 10 SPARC
I'm trying to start httpd as root
but it fails with the following error

/usr/local/apache2/bin/httpd -k start
httpd: Could not determine the server's fully qualified domain name, using 192.168.1.11 for ServerName
(20014)Error string not specified yet: Error retrieving pid file logs/httpd.pid

i checked the error log to see if i can get something more informative

[Sun Jun 14 16:04:31 2009] [notice] Digest: done
[Sun Jun 14 16:04:32 2009] [warn] pid file /usr/local/apache2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Sun Jun 14 16:04:32 2009] [notice] Apache/2.0.58 (Unix) mod_jk/1.2.15 DAV/2 PHP/5.1.4 configured -- resuming normal operations
[Sun Jun 14 16:23:52 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache2/bin/suexec)
[Sun Jun 14 16:23:53 2009] [notice] Digest: generating secret for digest authentication ...
[Sun Jun 14 16:23:53 2009] [notice] Digest: done
[Sun Jun 14 16:23:54 2009] [warn] pid file /usr/local/apache2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Sun Jun 14 16:23:54 2009] [notice] Apache/2.0.58 (Unix) mod_jk/1.2.15 DAV/2 PHP/5.1.4 configured -- resuming normal operations

i ran ls to see directroris perm

bash-3.00# ls -l /usr/local/apache2/logs/
total 433398
-rw-r--r--   1 root     root           0 Mar 11 12:42 access_log
-rw-r--r--   1 root     root     3489021 Sep  3  2007 access_log.gz
-rw-r--r--   1 root     root     100248972 Jun 15 09:09 dummy-host.example.com-access_log
-rw-r--r--   1 root     root     87096852 Mar  5 23:11 dummy-host.example.com-access_log.gz
-rw-r--r--   1 root     root     13216739 Jun 15 04:48 dummy-host.example.com-error_log
-rw-r--r--   1 root     root     9175989 Mar  5 23:10 dummy-host.example.com-error_log.gz
-rw-r--r--   1 root     root     5902845 Jun 15 09:21 error_log
-rw-r--r--   1 root     root     2522824 Mar  5 23:09 error_log.gz
-rw-r--r--   1 root     root           0 Jun 15 09:21 httpd.pid
-rw-r--r--   1 root     root       67584 Jun 15 09:21 jk-runtime-status
-rw-r--r--   1 root     root           1 Jun 15 09:21 jk-runtime-status.lock

i'm stuck here with no idea what's going on
any ideas would be a great assist
thanks in advance

Neo · June 29, 2009, 7:21pm

What uid is your apache processing running?

It should not be running as root, BTW, this is major security concern.

And, if it is not runnning as root, which it should not be, it can't write to the (your) httpd.pid (-rw-r--r-- 1 root root 0 Jun 15 09:21) httpd.pid file because that file (your file you posted) is only writable by root

Looks like you have a number of problems, and I have not discussed your DNS, FQDN issue.

The first thing I advise is to determine the non-root userid and groupid you are going to run apache under. Change all the files in your web directory (recursively) to that non-root userid and group.

Then configure Apache to run as your non-root user (above).

Regarding your FQDN error, that is something you can easily fix, if you know what your FQDN is for your server, but first you must fix your basic filesystem and process / file ownership issues with Apache.

h112 · July 3, 2009, 6:48pm

yes its running as root
i haven't assigned the server a FQDN

-rw-r--r--   1 root     root           0 Jun 15 09:21 httpd.pid

httpd.pid is writable by root everything seems to be okay
you are right its security concern to run apache as root the server is local server
but if we skip FQDN problem and security issue
is there any fix to solve the problem

reborg · July 3, 2009, 7:40pm

Just delete the old pid file, it would be unusual (but not unheard of) for Apache not to be started as root so that it can bind to port 80. However the apache configuration file should also specify the runtime user to use once the process has started.

h112 · July 4, 2009, 5:36pm

@reborg thanks a lot
I deleted httpd.pid now it works fine
by the way is there any guide or document to set up apache server with non privileged user
Thanks again

Neo · July 4, 2009, 6:38pm

Good job, glad it is working now. Those pesky httpd.pid files can cause problems.

Regarding apache process ownership, you might be OK already.

Did you check the config file?

Normally, there is a line in the httpd.conf (apache.conf or apache2.conf) file where you specify the process owner, something like:

Port 80
User apache
Group apache

It is unusual for apache, as I recall, to have a default configuration file with User root.

Can you post yours?

reborg · July 4, 2009, 8:17pm

With Solaris 10 it should be possible using pfexec and appropriate privileges, but it's more usual to start it as root and use the "User" and "Group" in the config file for normal runtime use as Neo suggested.

Any user can run Apache ( provided the pid file and logs can be written by the user ), but you need extra privileges to run it on the standard ports. If you set the port number > 1024 any normal user could start it. I have in the past allowed certain users to control the Apache server on certain servers without giving them root access by creating an IPFilter to forward from port 80 to an unprivileged port that apache was listening on. To an external user there is no difference but there is no need to grant any extra permissions to the user running the server.

h112 · July 5, 2009, 12:11pm

neo:

Good job, glad it is working now. Those pesky httpd.pid files can cause problems.

Regarding apache process ownership, you might be OK already.

Did you check the config file?

Normally, there is a line in the httpd.conf (apache.conf or apache2.conf) file where you specify the process owner, something like:
Port 80
User apache
Group apache
It is unusual for apache, as I recall, to have a default configuration file with User root.

Can you post yours?

here is the config located in

/usr/local/apache2/conf/httpd.conf

User nobody
Group nobody
</Ifmodule>
</IfModule>
Listen 80

Neo · July 5, 2009, 12:47pm

And after you deleted the pid file (httpd.pid) and restarted apache who owns that file now?

Also, when you do a ps <whatever> who owns the processes that are running apache now?

Please post. Thanks.

---------- Post updated at 16:47 ---------- Previous update was at 16:43 ----------

Also, does your machine actually have a User nobody and Group nobody?

reborg · July 5, 2009, 1:51pm

If it's Solaris, it does.

Neo · July 5, 2009, 2:06pm

Understood.

I tend to like to confirm they exist (or do not exist), since they can be easily removed, especially when we don't fully know the history of the machine.

h112 · July 5, 2009, 3:55pm

as reborg said If it's Solaris, it does.

-bash-3.00$ grep nobody /etc/passwd

reveals an output like the following

nobody:x:60001:60001:NFS Anonymous Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:

-bash-3.00$ grep nobody /etc/group

reveals an output like this

nobody::60001:

ps -eaf

reveals the following

bash-3.00$ ps -eaf | grep httpd | grep -v grep
  nobody  1916  1911   0 22:39:17 ?           0:00 /usr/local/apache2/bin/httpd -k start
    root  1911     1   0 22:39:16 ?           0:00 /usr/local/apache2/bin/httpd -k start
  nobody  1913  1911   0 22:39:17 ?           0:00 /usr/local/apache2/bin/httpd -k start
  nobody  1915  1911   0 22:39:17 ?           0:00 /usr/local/apache2/bin/httpd -k start
  nobody  1914  1911   0 22:39:17 ?           0:00 /usr/local/apache2/bin/httpd -k start
  nobody  1912  1911   0 22:39:17 ?           0:00 /usr/local/apache2/bin/httpd -k start

ls -l httpd.pid reveals the following

bash-3.00$ ls -l /usr/local/apache2/logs/
total 433464
-rw-r--r--   1 root     root           0 Mar 11 12:42 access_log
-rw-r--r--   1 root     root     3489021 Sep  3  2007 access_log.gz
-rw-r--r--   1 root     root     100272126 Jul  5 22:36 dummy-host.example.com-access_log
-rw-r--r--   1 root     root     87096852 Mar  5 23:11 dummy-host.example.com-access_log.gz
-rw-r--r--   1 root     root     13221154 Jul  5 14:16 dummy-host.example.com-error_log
-rw-r--r--   1 root     root     9175989 Mar  5 23:10 dummy-host.example.com-error_log.gz
-rw-r--r--   1 root     root     5909800 Jul  5 22:39 error_log
-rw-r--r--   1 root     root     2522824 Mar  5 23:09 error_log.gz
-rw-r--r--   1 root     other          5 Jul  5 22:39 httpd.pid
-rw-r--r--   1 root     root       67584 Jul  5 22:39 jk-runtime-status
-rw-r--r--   1 root     root           1 Jul  5 22:39 jk-runtime-status.lock

h112 · July 7, 2009, 9:53am

hey reborg and Neo
i posted

ls -l /usr/local/apache2/logs/httpd.pid

-bash-3.00$ grep nobody /etc/passwd

and so on
what's next any idea

Neo · July 7, 2009, 9:55am

What's the exact problem? apache is up and running, as you said. What is the issue?

h112 · July 7, 2009, 5:40pm

nothing just wanna be sure everything is okay
as you siad please post
so i did

Neo · July 7, 2009, 6:32pm

Yes, so far, so good.

To be on the safe side, you can change the ownership of the httpd.pid file to nobody.nobody if you have issues in the future, but it does not seem to be an issue and it seems the httpd.pid file is written by apache when you start it as root before it forks (or execs, I can't recall which) to nobody.

We like to have all of our web files as the same ownership and group as the apache worker processes, BTW.

h112 · July 7, 2009, 6:54pm

Thanks for your invaluable reply