I am trying to make a Docker container image with an Apache server that handles TLS mutual authentication. Since this is a container, Apache can be made to listen on some high-numbered port instead of 443, so this should remove the need for root execution.
However, as soon as I try to enable TLS, I get this:
[Thu Oct 11 09:50:50.357758 2018] [auth_digest:notice] [pid 22] AH01757: generating secret for digest authentication ...
[Thu Oct 11 09:50:50.357818 2018] [auth_digest:error] [pid 22] (13)Permission denied: AH01762: Failed to create shared memory segment on file /run/httpd/authdigest_shm.22
[Thu Oct 11 09:50:50.357825 2018] [auth_digest:error] [pid 22] (13)Permission denied: AH01760: failed to initialize shm - all nonce-count checking, one-time nonces, and MD5-sess algorithm disabled
Are root privileges required to create the shared memory or can the access rights be amended to allow non-root usage?
Applications in containers usually run as root. But that doesn't mean that they have full root privileges.
From the docker security documentation:
Just let it run as root inside the container.
Eventually figured it out. Listing the access flags on /run/httpd shows:
So only root can write there. So in the Dockerfile I added:
And it worked. Not sure it's the best solution, though, and I welcome any comments that point out problems with that solution.
I got another solution for this. In your configuration you can define a directory that you can write to, other than /run/httpd/. Like this:
This could be a directory relative to your ServerRoot.
You can find the documentation on httpd core and mod_slotmem_shm
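The two fixes given in the answers above, as an added shell example that is not code from any of the posts: either make the runtime directory writable for the unprivileged httpd user at image build time (the chown/chmod approach), or point httpd at a directory that user can already write by setting DefaultRuntimeDir (the configuration approach). The directory path, the user name and port 8443 are assumptions; DefaultRuntimeDir, Listen and PidFile are httpd 2.4 directives. The auth_digest module creates its authdigest_shm.<pid> file inside the runtime directory, which is why a non-root httpd fails with AH01762 when that directory is root-only.

```shell
#!/bin/sh
# Added example, not from the original posts. Prepares a runtime directory
# that an unprivileged httpd can use for its shared-memory files and emits
# the matching httpd directives. Path, user and port are assumptions.

# Return 0 if the directory exists and is writable by the current user.
# httpd's auth_digest and slotmem modules create files such as
# authdigest_shm.<pid> here, so a non-root httpd needs write access.
runtime_dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Create the runtime directory, optionally hand it to the httpd user
# (only possible while still root, e.g. in a Dockerfile RUN step before
# USER switches to the unprivileged account), and restrict it to the
# owner. Returns 0 when the current user can write to it afterwards.
prepare_runtime_dir() {
    dir="$1"
    owner="${2:-}"
    mkdir -p "$dir" || return 1
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dir" || return 1
    fi
    chmod 0750 "$dir" || return 1
    runtime_dir_writable "$dir"
}

# Print the httpd directives that move the runtime files out of
# /run/httpd and make the server listen on an unprivileged port, so no
# root privileges are needed for either the socket or the shm files.
httpd_runtime_config() {
    dir="$1"
    port="$2"
    printf 'DefaultRuntimeDir "%s"\nListen %s\nPidFile "%s/httpd.pid"\n' \
        "$dir" "$port" "$dir"
}

# Usage (assumed values): prepare /var/lib/httpd-run for user "apache"
# and print a configuration fragment for port 8443.
if [ "${1:-}" = "--demo" ]; then
    RUNTIME_DIR=/var/lib/httpd-run
    HTTPD_USER=apache
    prepare_runtime_dir "$RUNTIME_DIR" "$HTTPD_USER" \
        || { echo "cannot prepare $RUNTIME_DIR" >&2; exit 1; }
    httpd_runtime_config "$RUNTIME_DIR" 8443
fi
```

Run the script with --demo during the image build (as root, before the USER instruction) and append its output to httpd.conf; at container start the unprivileged httpd then finds a writable runtime directory and an unprivileged listening port.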