Ok Ben, that would help, If you can setup a devel box that reproduce your env and then give me remote access. I can try do the same thing i did from my side.



On Thu, Jul 25, 2013 at 10:49 AM, Ben Empson <ben@arrayx.co.uk> wrote:

Hi Breno, hmm thatís strange. Could you try with a user who is not nobody? Are you trying this with the 2.7.5 beta? I think weíre still on 2.7.3. Iím not sure if that could be affecting things?

Iím definitely not the only one with this problem: see https://www.atomicorp.com/wiki/index.php/Atomicorp_WAF_Rules_Troubleshooting#Failed_to_create_subdirectories

According to AtomiCorp itís impossible to do this, they claim itís a bug in mod_ruid2.

I have tried this on at least 3 different servers, Iíve not been able to make it work on any, and Iíve spent many hours trying. As I mentioned before, since Modsecurity is being packaged up by EasyApache, I donít have documentation on how to upgrade outside of that ecosystem.

I see that Modsecurity 2.7.4 is available in EasyApache now but upgrading involves a recompile of the whole of Apache which takes a while and isnít something I can do on production servers at will!

Unfortunately (or fortunately, depending on how you see it!), Iíve got to drop this now to wrap up other work before I go on holiday tomorrow. Iím afraid Iíll have to pick this up again after the 15th August. Many thanks for your help up until now, itís much appreciated! When I get back Iím happy to spin up a development server and give you root access so that we can try and narrow this down.

Regards, Ben

From: Breno Silva [mailto:breno.silva@gmail.com]
Sent: 25 July 2013 14:07

To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

Hello Ben,

I think it it working. Now i set two vhosts one for user: brenosilva and one for user : nobody

Then i submit two requests:

root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/*

total 16

196266 4 drwxrwxrwx 2 nobody † † www-data 4096 2013-07-25 05:02 .

196265 4 drwxrwxrwx 3 nobody † † www-data 4096 2013-07-25 05:02 ..

142051 4 -rwxrwxrwx 1 nobody † † www-data 1658 2013-07-25 05:02 20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD

172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA

root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/20130725-0502/20130725-0502*

142051 4 -rwxrwxrwx 1 nobody † † www-data 1658 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD

172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA

Audit log files were create for both users. No permission denied errors. Can you tru reproduce at least this test?


On Thu, Jul 25, 2013 at 4:53 AM, Ben Empson <ben@arrayx.co.uk> wrote:

Hi Breno, hereís my configs:


<IfModule mod_ruid2.c>

††† RMode config

††† RDefaultUidGid nobody nobody

††† RUidGid nobody nobody



Every virtual host has the following block (obviously with the actual user / group). User and group always have the same name which is the cPanel account name:

<IfModule mod_ruid2.c>

††††††† RMode config

††††††† RUidGid {user} {group}



SecPcreMatchLimit 50000

SecPcreMatchLimitRecursion 50000

SecAuditLogType Concurrent

SecRequestBodyAccess On

SecResponseBodyAccess On

SecResponseBodyMimeType (null) text/html text/plain text/xml

SecResponseBodyLimit 20621440

SecAuditLogRelevantStatus "^(?:5|4(?!04))"

SecServerSignature Apache

SecUploadDir /var/asl/data/suspicious

SecUploadKeepFiles Off

SecAuditLogParts ABIFHZ

SecArgumentSeparator "&"

SecCookieFormat 0

SecRequestBodyLimit 20621440

SecRequestBodyInMemoryLimit 2062144

SecDataDir /var/asl/data/msa

SecTmpDir /tmp

SecAuditLogStorageDir /var/asl/data/audit

SecResponseBodyLimitAction ProcessPartial

SecAuditLogDirMode 0777

SecAuditLogFileMode 0777

Include /usr/local/apache/conf/modsec_rules/*asl*.conf

Include /usr/local/apache/conf/modsec2.whitelist.conf #this file is empty

Iím not sure youíre testing the same thing as me. You will need to have at least 2 virtual hosts, and you will need to call them in such a way that ModSecurity will generate an audit log in the same minute. Itís only under these conditions that the permissions problem arises, otherwise new directories and logs are simply created by a single user and thereís no problem. Obviously on a busy server these conditions are easily met.

From: Breno Silva [mailto:breno.silva@gmail.com]
Sent: 24 July 2013 20:17

To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

Hello Ben,

This is what i'm trying to do as a test. Let me know if the config is similar is your side:


Rmode config

RuidGid www-data www-data

Rgroups brenosilva


RuidGid brenosilva www-data


RuidGid www-data www-data


SecAuditLogDirMode 0777

SecAuditLogFileMode 0777

SecAuditLogStorageDir /var/log/apache2

then i set umask 000 during apache runtime

ls -lisa /var/log/apache2/*

196265 4 drwxrwxrwx 4 brenosilva www-data 4096 2013-07-22 23:25 .

188049 4 drwxrwxrwx 3 root † † † root † † 4096 2013-07-22 23:24 ..

196266 4 drwxrwxrwx 2 brenosilva www-data 4096 2013-07-22 23:24 20130722-2324

196267 4 drwxrwxrwx 2 www-data † www-data 4096 2013-07-22 23:25 20130722-2325

No more permission denied errors. For sure 777 is not the best solution :) .... but i think is possible to do the same concept using 770 permission.


See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
mod-security-developers mailing list
ModSecurity Services from Trustwave's SpiderLabs: