Ben,

I can try it here. I already installed mod_ruid2. Could you please send me your mod_ruid2 config? Then I can reproduce.

Thanks


On Wed, Jul 24, 2013 at 1:53 PM, Ben Empson <ben@arrayx.co.uk> wrote:

Hi Breno, OK thanks for that. FYI I'm on holiday from tomorrow until 12 August, I don't think I'll get time to look at this before that. I will do the update to 2.7.5 ASAP on my return.

Thanks for your help, I'll also feedback to the mod_ruid2 dev that you already use ap_hook_log_transaction().

From: Breno Silva [mailto:breno.silva@gmail.com]
Sent: 24 July 2013 18:48


To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

Ben,

I will send you a code for testing.

We already use ap_hook_log_transaction for logging phase.

Thanks

Breno

On Wed, Jul 24, 2013 at 1:22 PM, Ben Empson <ben@arrayx.co.uk> wrote:

Hi Breno, sorry, this is confusing. You seem to be referring to *my* umask (I'm logging in as root). However, I'm using Apache with mod_ruid2, mod_ruid2 changes the process owner in Apache for each request to the user associated with the website account (in cPanel).

As such, Apache is creating the audit log folders using the process request owner, which could be a different user for each request. The permissions are 755 because I believe that mod_ruid2 implements that restriction - it's by design.

The mod_ruid2 developer tells me (here: https://github.com/mind04/mod-ruid2/issues/1) that if mod_security were to use the ap_hook_log_transaction() call in order to write the logs, then by this point mod_ruid2 has returned the process owner to 'nobody' and therefore none of the current problems would apply, assuming that 'nobody' has write permissions to the audit log folders.

According to the mod_ruid2 dev, mod_security is using some other mechanism to write the logs, which is at a point in the pipeline where the process still has the specific website account owner assigned, and it is this which is causing the permissions problems.

I don't know if I'm barking up the wrong tree here, but this is what the mod_ruid2 developer tells me.

Regards, Ben

From: Breno Silva [mailto:breno.silva@gmail.com]
Sent: 24 July 2013 18:06


To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

Hello Ben,

And looks like you tried to change the file/dir permission using SecAuditLogDirMode and SecAuditLogFileMode.

However it is still being created as 755 permission. It could be related to your umask.

So please try to change your umask in your /etc/profile then set above directives as 0777. Start your apache again (make sure your umask has been changed) and let us know what happens with your file/dir permission.

Thanks

Breno

On Wed, Jul 24, 2013 at 12:05 PM, Ben Empson <ben@arrayx.co.uk> wrote:

Hi Breno, sorry but I don't understand what you mean by "You can try to set it into /etc/profile ?"

Also, I'm not clear on what you're demonstrating with your example below. Also in my setup logs are created by the first user which tries to log, since that user creates the directory and has permissions on it. However any subsequent users are unable to log to the same directory since they do not have permissions.

Regards, Ben

From: Breno Silva [mailto:breno.silva@gmail.com]
Sent: 22 July 2013 14:08


To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

Ben,

You can try to set it into /etc/profile ?

It works for me :

root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130720/20130720-1140/20130720-114050-UerZscCoAGUAAFcXJFcAAAAe

194655 4 -rwxrwxrwx 1 www-data www-data 3342 2013-07-22 11:40 /var/log/apache2/20130722/20130722-1140/20130722-114050-UerZscCoAGUAAFcXJFcAAAAe

On Mon, Jul 22, 2013 at 12:07 AM, Ben Empson <ben@arrayx.co.uk> wrote:

Hi Breno,

I tried:

SecAuditLogDirMode 0000
SecAuditLogFileMode 0000

But on Apache restart I got the following error: "ModSecurity: Invalid value for SecAuditLogDirMode: 0000". So I reset these 2 values to 0777.

Then I went to /var/asl/data and did

umask 0000

However I'm still getting errors in the Apache log: "ModSecurity: Audit log: Failed to create file: /var/asl/data/audit0722/20130722-0756/20130722-075623-UezXl1nIjfEAAHYWJ@oAAAAK (Permission denied)"

Note that the first website to get an error in each minute creates the audit folder and there are logs for that site. However any subsequent requests for other websites (and therefore users) get the error above since they don't have write permissions, eg:

drwxr-xr-x 2 use11 use11 4096 Jul 22 07:55 20130722-0755/

drwxr-xr-x 2 use22 use22 4096 Jul 22 07:56 20130722-0756/

Regards, Ben


------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-developers mailing list
mod-security-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php
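
Added illustration, not part of the thread and not ModSecurity or mod_ruid2 code: a shell sketch of the two effects discussed above, namely that a directory requested as 0777 still ends up `drwxr-xr-x` when the creating process runs under umask 022, and how to list per-minute audit directories that other accounts cannot write to. It assumes the configured mode is passed to the directory-creating call subject to the process umask, which the thread does not confirm; the function names and the sample tree are constructed.

```shell
#!/bin/sh
# Added illustration; function names and directory names are constructed.

# Create DIR with a plain mkdir (requests rwxrwxrwx) under umask MASK and
# print the resulting mode string. The subshell keeps the umask local, the
# same way a umask typed into a root login shell never reaches Apache.
mode_after_mkdir() {
    mask=$1 dir=$2
    ( umask "$mask" && mkdir "$dir" ) || return 1
    ls -ld "$dir" | cut -c1-10
}

# Print "mode name" for each directory below ROOT that lacks other-write,
# so an account that is neither the owner nor in the group cannot create
# files there (the "Permission denied" case from the Apache log).
blocked_audit_dirs() {
    find "$1" -mindepth 1 -type d ! -perm -0002 | sort |
    while IFS= read -r d; do
        printf '%s %s\n' "$(ls -ld "$d" | cut -c1-10)" "${d#"$1"/}"
    done
}

# Demo on a throwaway tree (constructed sample, not the real /var/asl/data).
demo_root=$(mktemp -d)
echo "umask 022: $(mode_after_mkdir 022 "$demo_root/20130722-0755")"
echo "umask 000: $(mode_after_mkdir 000 "$demo_root/20130722-0756")"
echo "not writable by other accounts:"
blocked_audit_dirs "$demo_root"
rm -rf "$demo_root"
```
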

