Bug 51020 - [PATCH] Apache/mod_fcgid.so does not start in complex Active Directory forest
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_fcgid
Version: 2.2.17
Hardware: PC All
Importance: P2 normal with 7 votes
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Depends on: 51560
Reported: 2011-04-04 22:19 UTC by Thangaraj AntonyCrouse
Modified: 2014-02-17 13:52 UTC

Patch for Apache/mod_Fcgid.so startup issue in complex Active Directory Domain environment (1.72 KB, patch)
2011-04-04 22:19 UTC, Thangaraj AntonyCrouse
rebuild_for_mod_fcgid-2.3.7-crlf (57.50 KB, patch)
2012-12-19 07:55 UTC, Konstantin Komarov

Description Thangaraj AntonyCrouse 2011-04-04 22:19:50 UTC
Created attachment 26854 [details]
Patch for Apache/mod_Fcgid.so startup issue in complex Active Directory Domain environment


mod_fcgid.so tries to gather CGI process filestat during startup using an apr_stat() call and fails to fetch all ACLs from an Active Directory Domain environment (having complex groups spanning across multiple domains).

Root Cause:
apr_stat() using APR_FINFO_NORM ends up calling the GetEffectiveRightsFromACL Win32 API to probe ACLs for the cgi process file object's owner and group trustee accounts, and per MS this GetEffectiveRightsFromACL API is likely to fail in a complex AD environment. MS KB: http://support.microsoft.com/kb/2018746

The mod_fcgid.so apr_stat() call is made to use APR_FINFO_IDENT, thereby avoiding the unnecessary ACL lookup during Apache startup; however, if there is a real ACL issue, mod_fcgid.so will return an error during runtime.
Comment 1 David Boyer 2011-07-26 13:18:56 UTC
I've experienced the same issue with mod_fcgid failing on startup.  I'm also in an extremely large Active Directory implementation, which explains why I'm suffering.

Have tried the patch and it works perfectly.
Comment 2 Steffen 2011-07-26 13:50:24 UTC
Please pay attention to this issue, quite some reports on this.
Comment 3 David Boyer 2011-07-26 14:17:57 UTC
A workaround is available, but it's not suitable for all implementations.

Change permissions on the fastcgi wrapper (e.g. php-cgi.exe) to remove any Active Directory user or group.  Also remove any local groups that contain Active Directory users or groups.  I was left with just the local administrator account and system.  The Apache service will then start correctly as it doesn't bother accessing Active Directory to check the ACL.
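
A way to check a wrapper against the workaround in comment 3, as an added example that is not part of the original thread: it lists the owner, primary group and ACL entries of the wrapper that belong to an account domain other than the local machine. The path `C:\php\php-cgi.exe` and all function names are hypothetical, and the script does not expand local groups to find Active Directory members nested inside them.

```powershell
# Added example, not code from the bug thread. $WrapperPath is a placeholder.
param([string]$WrapperPath = 'C:\php\php-cgi.exe')

# SID of this machine's local account domain, read from any local account.
function Get-MachineSid {
    $local = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
        Select-Object -First 1
    $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $local.SID
    return $sid.AccountDomainSid
}

# True when the SID belongs to an account domain other than this machine.
# Well-known SIDs (SYSTEM, BUILTIN\Administrators) have no AccountDomainSid.
function Test-NonLocalSid {
    param($Sid, $MachineSid)
    if ($null -eq $Sid) { return $false }
    $domain = $Sid.AccountDomainSid
    return ($null -ne $domain) -and (-not $domain.Equals($MachineSid))
}

function Get-NonLocalTrustee {
    param([string]$Path, $MachineSid)
    # Ask for SIDs rather than names so the audit itself needs no name lookup.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -Path $Path

    # Owner and primary group are trustees too, so check them with the ACEs.
    $candidates = @(
        New-Object PSObject -Property @{ Role = 'Owner'; Sid = $acl.GetOwner($sidType); Rights = '' }
        New-Object PSObject -Property @{ Role = 'Group'; Sid = $acl.GetGroup($sidType); Rights = '' }
    )
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $role = if ($rule.IsInherited) { 'ACE (inherited)' } else { 'ACE (explicit)' }
        $rights = "$($rule.AccessControlType) $($rule.FileSystemRights)"
        $candidates += New-Object PSObject -Property @{
            Role = $role; Sid = $rule.IdentityReference; Rights = $rights
        }
    }
    # Keep only trustees from a foreign account domain.
    $candidates | Where-Object { Test-NonLocalSid -Sid $_.Sid -MachineSid $MachineSid }
}

Get-NonLocalTrustee -Path $WrapperPath -MachineSid (Get-MachineSid) |
    Select-Object Role, Sid, Rights | Format-Table -AutoSize
```

An empty result means every direct trustee on the file is a local or well-known account, which is the state comment 3 describes ending up with.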
Comment 4 David Boyer 2011-07-27 07:58:52 UTC
I've logged bug 51560 with Apache APR about the underlying issue caused by using GetEffectiveRightsFromACL.  It'd be ideal if they could provide a fix at that level as it'd fix other modules that suffer from the same problem.  Like mod_xsendfile https://github.com/nmaier/mod_xsendfile/issues/8
Comment 5 William A. Rowe Jr. 2012-01-19 16:07:03 UTC
David, that's a very interesting workaround, and thanks for filing the APR bug.

Thangaraj, looked at your proposed solution and went with that philosophy,
vetting all of the cases where we were requesting far more apr_file_stat fields
than were used.  Fixed for mod_fcgid 2.3.7.  Thank you for proposing that fix.
Comment 6 Tizian Schmidlin 2012-12-07 10:18:59 UTC
I'm currently experiencing the issue on some Windows 2008 R2 with AD and as I understand the error that's given me by the Apache Configuration check, it definitely relates to this issue.

Therefore I'd say, the bug is still open.

Does anybody still experience this issue with Apache 2.2.22 and mod_fcgid 2.3.7?
Comment 7 Konstantin Komarov 2012-12-19 07:55:08 UTC
Created attachment 29777 [details]

Just replace your mod_fcgid.so 
Build, what's updated:
line :866 commented "/*  return missing_file_msg(cmd->pool, "Wrapper", path, rv); */"

AD+Apache + mod_fcgid + PHP = (70008)Partial results

used links :
Comment 8 Jason Mealins 2013-02-01 20:43:37 UTC
How does commenting out line 866 fix the issue? Is it just prohibiting the AD lookups all together?