Hello Ben,

I think it it working. Now i set two vhosts one for user: brenosilva and one for user : nobody
Then i submit two requests:

root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/*
total 16
196266 4 drwxrwxrwx 2 nobody † † www-data 4096 2013-07-25 05:02 .
196265 4 drwxrwxrwx 3 nobody † † www-data 4096 2013-07-25 05:02 ..
142051 4 -rwxrwxrwx 1 nobody † † www-data 1658 2013-07-25 05:02 20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA

root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/20130725-0502/20130725-0502*
142051 4 -rwxrwxrwx 1 nobody † † www-data 1658 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA

Audit log files were create for both users. No permission denied errors. Can you tru reproduce at least this test?

Breno


On Thu, Jul 25, 2013 at 4:53 AM, Ben Empson <ben@arrayx.co.uk> wrote:

Hi Breno, hereís my configs:

mod_ruid2.conf:

<IfModule mod_ruid2.c>

††† RMode config

††† RDefaultUidGid nobody nobody

††† RUidGid nobody nobody

</IfModule>

httpd.conf

Every virtual host has the following block (obviously with the actual user / group). User and group always have the same name which is the cPanel account name:

<IfModule mod_ruid2.c>

††††††† RMode config

††††††† RUidGid {user} {group}

</IfModule>

modsecurity2.user.conf

SecPcreMatchLimit 50000

SecPcreMatchLimitRecursion 50000

SecAuditLogType Concurrent

SecRequestBodyAccess On

SecResponseBodyAccess On

SecResponseBodyMimeType (null) text/html text/plain text/xml

SecResponseBodyLimit 20621440

SecAuditLogRelevantStatus "^(?:5|4(?!04))"

SecServerSignature Apache

SecUploadDir /var/asl/data/suspicious

SecUploadKeepFiles Off

SecAuditLogParts ABIFHZ

SecArgumentSeparator "&"

SecCookieFormat 0

SecRequestBodyLimit 20621440

SecRequestBodyInMemoryLimit 2062144

SecDataDir /var/asl/data/msa

SecTmpDir /tmp

SecAuditLogStorageDir /var/asl/data/audit

SecResponseBodyLimitAction ProcessPartial

SecAuditLogDirMode 0777

SecAuditLogFileMode 0777

Include /usr/local/apache/conf/modsec_rules/*asl*.conf

Include /usr/local/apache/conf/modsec2.whitelist.conf #this file is empty

Iím not sure youíre testing the same thing as me. You will need to have at least 2 virtual hosts, and you will need to call them in such a way that ModSecurity will generate an audit log in the same minute. Itís only under these conditions that the permissions problem arises, otherwise new directories and logs are simply created by a single user and thereís no problem. Obviously on a busy server these conditions are easily met.

From: Breno Silva [mailto:breno.silva@gmail.com]
Sent: 24 July 2013 20:17


To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

Hello Ben,

This is what i'm trying to do as a test. Let me know if the config is similar is your side:

httpd.conf:

Rmode config

RuidGid www-data www-data

Rgroups brenosilva

virtual-host.conf:

RuidGid brenosilva www-data

and

RuidGid www-data www-data

modsecurity.conf:

SecAuditLogDirMode 0777

SecAuditLogFileMode 0777

SecAuditLogStorageDir /var/log/apache2

then i set umask 000 during apache runtime

ls -lisa /var/log/apache2/*

196265 4 drwxrwxrwx 4 brenosilva www-data 4096 2013-07-22 23:25 .

188049 4 drwxrwxrwx 3 root † † † root † † 4096 2013-07-22 23:24 ..

196266 4 drwxrwxrwx 2 brenosilva www-data 4096 2013-07-22 23:24 20130722-2324

196267 4 drwxrwxrwx 2 www-data † www-data 4096 2013-07-22 23:25 20130722-2325

No more permission denied errors. For sure 777 is not the best solution :) .... but i think is possible to do the same concept using 770 permission.

Breno

On Wed, Jul 24, 2013 at 2:01 PM, Breno Silva <breno.silva@gmail.com> wrote:

Ben,

I can try it here. I already installed mod_ruid2. Could you please send me your mod_ruid2 config ? Then i can reproduce.

Thanks

On Wed, Jul 24, 2013 at 1:53 PM, Ben Empson <ben@arrayx.co.uk> wrote:

Hi Breno, OK thanks for that. FYI Iím on holiday from tomorrow until 12 August, I donít think Iíll get time to look at this before that. I will do the update to 2.7.5 ASAP on my return.

Thanks for your help, Iíll also feedback to the mod_ruid2 dev that you already use ap_hook_log_transaction().

From: Breno Silva [mailto:breno.silva@gmail.com]
Sent: 24 July 2013 18:48


To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

Ben,

Please download the 2.7.5 candidate tarball:†https://www.modsecurity.org/tarball/2.7.4/modsecurity-apache_2.7.5.tar.gz

I will send you a code for testing.

We already use†ap_hook_log_transaction††for logging phase.†

Thanks

Breno


------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-developers mailing list
mod-security-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php