Thread: [mod-security-users] suExec doesn't work using SecChroot
From: Marco S. <la...@gm...> - 2007-06-25 14:51:53

Hi all,

I have the same problem described on this thread:
http://osdir.com/ml/apache.mod-security.user/2005-10/msg00009.html

The only difference is the invalid uid, 81 on my system (apache group on gentoo).
After googling around I wasn't able to find a solution.

If you need any additional information besides the posted thread, just ask me :)

Thanks in advance,
--
Marco Squarcina >|< www.minimalblue.com >|< GPG key: 6E47BFC5
From: Christian B. <ch...@jw...> - 2007-06-25 14:58:50

Hi Marco!

On 25.06.2007 at 16:52, Marco Squarcina wrote:
> Hi all,
>
> I have the same problem described on this thread:
> http://osdir.com/ml/apache.mod-security.user/2005-10/msg00009.html
>
> The only difference is the invalid uid, 81 on my system (apache
> group on
> gentoo).
> After googling around I wasn't able to find a solution.
>
> If you need any additional information besides posted thread, just ask
> me :)

Just a quick shot on this: do you have a valid passwd file in the tree where you do your chroot into?
The thread looks like there was a failure on looking up the uid, so maybe the passwd wasn't accessible from within the chroot?

Regards,
Chris
From: Marco S. <la...@gm...> - 2007-06-25 15:16:49

Hi Chris,
thank you for the really *fast* reply :)

On Mon, Jun 25, 2007 at 04:58:39PM +0200, Christian Bockermann wrote:
> Do you have a valid passwd-file in the tree where you do your chroot
> into?
> The thread looks like there was a failure on looking up the uid, so
> maybe
> the passwd wasn't accessible from within the chroot?

Yes, I did

    cp -a /etc/passwd /chroot/apache/etc/
    cp -a /etc/group /chroot/apache/etc/

So it should be okay...

Thanks!
--
Marco Squarcina >|< www.minimalblue.com >|< GPG key: 6E47BFC5
From: Marco S. <la...@gm...> - 2007-06-25 15:30:29

On Mon, Jun 25, 2007 at 05:22:16PM +0200, Christian Bockermann wrote:
>
> On 25.06.2007 at 17:16, Marco Squarcina wrote:
>
> > Hi Chris,
> > thank you for the really *fast* reply :)
>
> As I said - it was a quick shot ;-)
>
> > On Mon, Jun 25, 2007 at 04:58:39PM +0200, Christian Bockermann wrote:
> > > Do you have a valid passwd-file in the tree where you do your chroot
> > > into?
> > > The thread looks like there was a failure on looking up the uid, so
> > > maybe
> > > the passwd wasn't accessible from within the chroot?
> >
> > Yes, I did
> >     cp -a /etc/passwd /chroot/apache/etc/
> >     cp -a /etc/group /chroot/apache/etc/
> >
> > So it should be okay...
>
> Did you check the shared-libs of suexec?
> Try
>
>     ldd /path/to/your/suexec
>
> This will reveal a list of shared libraries that suexec relies on.
> (Don't know how firm you are on chroots, so don't blame me if you
> already did so. ;-) )

Yep, I did it:

    nebula / # ldd /usr/sbin/suexec2
            linux-gate.so.1 =>  (0x500bf000)
            libpthread.so.0 => /lib/tls/libpthread.so.0 (0x500a3000)
            libc.so.6 => /lib/tls/libc.so.6 (0x4ff78000)
            /lib/ld-linux.so.2 (0x500c0000)
    nebula / # ls /chroot/apache/lib/tls/ -la
    total 1416
    drwxr-xr-x 2 root root    4096 Jun 25 12:50 .
    drwxr-xr-x 3 root root    4096 Jun 25 14:57 ..
    -rwxr-xr-x 1 root root 1299536 Jun 25 12:50 libc.so.6
    -rwxr-xr-x 1 root root  129340 Jun 25 12:50 libpthread.so.0
    nebula / # ls /chroot/apache/lib/ -la
    total 444
    drwxr-xr-x  3 root root   4096 Jun 25 14:57 .
    drwxr-xr-x 10 root root   4096 Jun 25 14:37 ..
    -rwxr-xr-x  1 root root 127020 Jun 25 12:51 ld-linux.so.2
    -rwxr-xr-x  1 root root  22456 Jun 25 14:57 libcrypt.so.1
    -rwxr-xr-x  1 root root  10652 Jun 25 14:56 libdl.so.2
    -rwxr-xr-x  1 root root 164956 Jun 25 14:57 libm.so.6
    -rwxr-xr-x  1 root root  78152 Jun 25 14:56 libnsl.so.1
    -rwxr-xr-x  1 root root  10240 Jun 25 14:57 libutil.so.1
    drwxr-xr-x  2 root root   4096 Jun 25 12:50 tls
    nebula / # ls /chroot/apache/usr/sbin/ -la
    total 24
    drwxr-xr-x 2 root root   4096 Jun 25 14:44 .
    drwxr-xr-x 5 root root   4096 Jun 25 14:36 ..
    -rws--x--- 1 root apache 14196 Jun 17 20:44 suexec2

Looks nice :)
--
Marco Squarcina >|< www.minimalblue.com >|< GPG key: 6E47BFC5
From: Christian B. <ch...@jw...> - 2007-06-25 15:41:29

I have to admit that I am jumping off when it comes to tracking this down on the strace/source level, but Brian might probably want to give it a go ;-)

Things that might be interesting are:

- What ModSec version are you working with?
- Can you strace your apache startup? Or does it fail as in the thread?
- Did you try to chroot your apache using the non-modsecurity way? If this works, then we can at least be sure it's ModSec that causes problems ;-)

Regards,
Chris

On 25.06.2007 at 17:30, Marco Squarcina wrote:
> On Mon, Jun 25, 2007 at 05:22:16PM +0200, Christian Bockermann wrote:
>>
>> On 25.06.2007 at 17:16, Marco Squarcina wrote:
>>
>>> Hi Chris,
>>> thank you for the really *fast* reply :)
>>
>> As I said - it was a quick shot ;-)
>>
>>> On Mon, Jun 25, 2007 at 04:58:39PM +0200, Christian Bockermann
>>> wrote:
>>>> Do you have a valid passwd-file in the tree where you do your
>>>> chroot
>>>> into?
>>>> The thread looks like there was a failure on looking up the uid, so
>>>> maybe
>>>> the passwd wasn't accessible from within the chroot?
>>>
>>> Yes, I did
>>>     cp -a /etc/passwd /chroot/apache/etc/
>>>     cp -a /etc/group /chroot/apache/etc/
>>>
>>> So it should be okay...
>>
>>
>> Did you check the shared-libs of suexec?
>> Try
>>
>>     ldd /path/to/your/suexec
>>
>> This will reveal a list of shared libraries that suexec relies on.
>> (Don't know how firm you are on chroots, so don't blame me if you
>> already did so. ;-) )
>
> Yep, I did it:
>
>     nebula / # ldd /usr/sbin/suexec2
>             linux-gate.so.1 =>  (0x500bf000)
>             libpthread.so.0 => /lib/tls/libpthread.so.0 (0x500a3000)
>             libc.so.6 => /lib/tls/libc.so.6 (0x4ff78000)
>             /lib/ld-linux.so.2 (0x500c0000)
>     nebula / # ls /chroot/apache/lib/tls/ -la
>     total 1416
>     drwxr-xr-x 2 root root    4096 Jun 25 12:50 .
>     drwxr-xr-x 3 root root    4096 Jun 25 14:57 ..
>     -rwxr-xr-x 1 root root 1299536 Jun 25 12:50 libc.so.6
>     -rwxr-xr-x 1 root root  129340 Jun 25 12:50 libpthread.so.0
>     nebula / # ls /chroot/apache/lib/ -la
>     total 444
>     drwxr-xr-x  3 root root   4096 Jun 25 14:57 .
>     drwxr-xr-x 10 root root   4096 Jun 25 14:37 ..
>     -rwxr-xr-x  1 root root 127020 Jun 25 12:51 ld-linux.so.2
>     -rwxr-xr-x  1 root root  22456 Jun 25 14:57 libcrypt.so.1
>     -rwxr-xr-x  1 root root  10652 Jun 25 14:56 libdl.so.2
>     -rwxr-xr-x  1 root root 164956 Jun 25 14:57 libm.so.6
>     -rwxr-xr-x  1 root root  78152 Jun 25 14:56 libnsl.so.1
>     -rwxr-xr-x  1 root root  10240 Jun 25 14:57 libutil.so.1
>     drwxr-xr-x  2 root root   4096 Jun 25 12:50 tls
>     nebula / # ls /chroot/apache/usr/sbin/ -la
>     total 24
>     drwxr-xr-x 2 root root   4096 Jun 25 14:44 .
>     drwxr-xr-x 5 root root   4096 Jun 25 14:36 ..
>     -rws--x--- 1 root apache 14196 Jun 17 20:44 suexec2
>
> Looks nice :)
> --
> Marco Squarcina >|< www.minimalblue.com >|< GPG key: 6E47BFC5
From: Marco S. <la...@gm...> - 2007-06-25 15:53:18

On Mon, Jun 25, 2007 at 05:41:13PM +0200, Christian Bockermann wrote:
>
> I have to admit, that I am jumping off when it comes to tracking this
> done on the strace/source-level, but Brian might probably want to
> give it a go ;-)
>
> Things that might be interesting are:
>
> - What ModSec-Version are you working with?

apache-2.0.58
mod_security-2.1.1

> - Can you strace your apache-startup? Or does it fail as in the
> thread?

I'll try to do it. I hoped this issue to be a "well known problem already fixed" :P

> - Did you try to chroot your apache using the non-modsecurity way?
> If this works, then we can at least be sure its ModSec that
> causes problems ;-)

Nope, I really can't do a standard chroot for apache right now :(
Anyway, when loading apache without modsec (and so without chroot) suExec works fine...

Thanks!
--
Marco Squarcina >|< www.minimalblue.com >|< GPG key: 6E47BFC5
From: Marco S. <la...@gm...> - 2007-06-25 16:37:01

On Mon, Jun 25, 2007 at 05:41:13PM +0200, Christian Bockermann wrote:
> [...]
> - Can you strace your apache-startup? Or does it fail as in the
> thread?

Ok, I managed to get a strace. I'm not good at all at doing this kind of thing, so I apologize if I did something wrong:

strace command:

    strace -f -o apache.pid /usr/sbin/apache2 -D DEFAULT_VHOST \
        -D PHP5 -D SECURITY -d /usr/lib/apache2 \
        -f /etc/apache2/httpd.conf -k start

strace output:
http://www.minimalblue.com/apache.pid

Thanks for your help :)
--
Marco Squarcina >|< www.minimalblue.com >|< GPG key: 6E47BFC5
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-06-25 16:47:34

I saw this entry in the strace output -

    13591 open("/var/log/apache2/suexec_log", O_WRONLY|O_APPEND|O_CREAT, 0666) = -1 EACCES (Permission denied)
    13591 write(2, "failed to open log file\n", 24) = 24

Do you have the directory and suexec_log in the chroot structure and with the appropriate permissions?

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Marco Squarcina
> Sent: Monday, June 25, 2007 12:37 PM
> To: Christian Bockermann
> Cc: Mod Security
> Subject: Re: [mod-security-users] suExec doesn't work using SecChroot
>
> On Mon, Jun 25, 2007 at 05:41:13PM +0200, Christian Bockermann wrote:
> > [...]
> > - Can you strace your apache-startup? Or does it fail as in the
> > thread?
>
> Ok I managed to get a strace. I'm not good at all doing this kind of
> things, so I apologize if I did something wrong:
>
> strace command:
>     strace -f -o apache.pid /usr/sbin/apache2 -D DEFAULT_VHOST \
>         -D PHP5 -D SECURITY -d /usr/lib/apache2 \
>         -f /etc/apache2/httpd.conf -k start
>
> strace output:
> http://www.minimalblue.com/apache.pid
>
> Thanks for your help :)
> --
> Marco Squarcina >|< www.minimalblue.com >|< GPG key: 6E47BFC5
From: Marco S. <la...@gm...> - 2007-06-25 16:53:51

On Mon, Jun 25, 2007 at 12:51:47PM -0400, Ryan Barnett wrote:
> I saw this entry in the strace output -
>
>     13591 open("/var/log/apache2/suexec_log", O_WRONLY|O_APPEND|O_CREAT,
>     0666) = -1 EACCES (Permission denied)
>     13591 write(2, "failed to open log file\n", 24) = 24
>
> Do you have the directory and suexec_log in the chroot structure and
> with the appropriate permissions?

I should have it:

    nebula ~ # ls -la /chroot/apache/var/log/apache2/
    total 12
    drwxr-xr-x 2 root root   4096 Jun 25 18:01 .
    drwxr-xr-x 3 root root   4096 Jun 25 14:45 ..
    -rw-r--r-- 1 root apache  282 Jun 25 18:37 suexec_log

Even because suexec is able to write stuff there:

    [2007-06-25 16:37:02]: crit: invalid uid: (81)

Cheers,
--
Marco Squarcina >|< www.minimalblue.com >|< GPG key: 6E47BFC5
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-06-25 16:57:19

> -----Original Message-----
> From: Marco Squarcina [mailto:la...@gm...]
> Sent: Monday, June 25, 2007 12:54 PM
> To: Ryan Barnett
> Cc: Mod Security
> Subject: Re: [mod-security-users] suExec doesn't work using SecChroot
>
> On Mon, Jun 25, 2007 at 12:51:47PM -0400, Ryan Barnett wrote:
> > I saw this entry in the strace output -
> >
> >     13591 open("/var/log/apache2/suexec_log", O_WRONLY|O_APPEND|O_CREAT,
> >     0666) = -1 EACCES (Permission denied)
> >     13591 write(2, "failed to open log file\n", 24) = 24
> >
> > Do you have the directory and suexec_log in the chroot structure and
> > with the appropriate permissions?
>
> I should have it:
>
>     nebula ~ # ls -la /chroot/apache/var/log/apache2/
>     total 12
>     drwxr-xr-x 2 root root   4096 Jun 25 18:01 .
>     drwxr-xr-x 3 root root   4096 Jun 25 14:45 ..
>     -rw-r--r-- 1 root apache  282 Jun 25 18:37 suexec_log
>
> Even because suexec is able to write stuff there:
>     [2007-06-25 16:37:02]: crit: invalid uid: (81)

[Ryan Barnett] Looking at the strace output, it looks as though the uid 81 (apache?) is attempting to open the suexec_log file to write to it; however, the permissions you are showing only allow root to write to it. Even the apache group permissions are read only.
From: Marco S. <la...@gm...> - 2007-06-25 17:17:33

On Mon, Jun 25, 2007 at 01:01:45PM -0400, Ryan Barnett wrote:
> [Ryan Barnett] Looking at the strace output, it looks as though the uid
> 81 (apache?) is attempting to open the suexec_log file to write to it
> however the permissions you are showing only allow root to write to it.
> Even the apache group permissions are read only.

I chmod 777 that file, but I still get the same error.
You can find the new strace here:
http://www.minimalblue.com/apache.pid

Thanks!
--
Marco Squarcina >|< www.minimalblue.com >|< GPG key: 6E47BFC5
From: Christian B. <ch...@jw...> - 2007-06-25 17:24:28

Marco Squarcina wrote:
> On Mon, Jun 25, 2007 at 01:01:45PM -0400, Ryan Barnett wrote:
>> [Ryan Barnett] Looking at the strace output, it looks as though the uid
>> 81 (apache?) is attempting to open the suexec_log file to write to it
>> however the permissions you are showing only allow root to write to it.
>> Even the apache group permissions are read only.
>
> I chmod 777 that file, but I still get the same error.
> You can find the new strace here:
> http://www.minimalblue.com/apache.pid
>
> Thanks!

This looks like you're still missing some files in your chroot env to me. You will probably need

    libnss_compat.so.2

for resolving uids within the chroot.

    13958 open("/lib/tls/i686/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
    13958 stat64("/lib/tls/i686", 0x5c308584) = -1 ENOENT (No such file or directory)
    13958 open("/lib/tls/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
    13958 stat64("/lib/tls", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
    13958 open("/lib/i686/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
    13958 stat64("/lib/i686", 0x5c308584) = -1 ENOENT (No such file or directory)
    13958 open("/lib/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
    ...

Regards,
Chris
From: Marco S. <la...@gm...> - 2007-06-25 17:36:34

On Mon, Jun 25, 2007 at 07:24:09PM +0200, Christian Bockermann wrote:
> This looks like you're still missing some files in your chroot-env to
> me. You will probably need
>
>     libnss_compat.so.2
>
> for resolving uids within chroot.
>
>     13958 open("/lib/tls/i686/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
>     13958 stat64("/lib/tls/i686", 0x5c308584) = -1 ENOENT (No such file or directory)
>     13958 open("/lib/tls/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
>     13958 stat64("/lib/tls", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
>     13958 open("/lib/i686/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
>     13958 stat64("/lib/i686", 0x5c308584) = -1 ENOENT (No such file or directory)
>     13958 open("/lib/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
>     ...

Chris, thank you *so* much. That was the problem, now suExec works fine!

Thanks everybody, I really appreciated all your help :)
--
Marco Squarcina >|< www.minimalblue.com >|< GPG key: 6E47BFC5
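The thread found the missing pieces one at a time (passwd/group, the libraries ldd lists, then the libnss_compat.so.2 module that glibc dlopen()s to resolve a uid, which ldd never shows). The script below checks all three in one pass over a chroot tree; it is an added example, not code from the thread or from ModSecurity. The chroot path /chroot/apache is the one from the thread, the script name is an assumption, and it assumes the chroot's NSS config should mirror the host's when /etc/nsswitch.conf has not been copied in.

```shell
#!/bin/sh
# Added example: audit a chroot for what suexec needs to look up a uid.
# Usage:  ldd /usr/sbin/suexec2 | sh chroot-check.sh /chroot/apache
# (script name assumed; exit status 0 means nothing is missing)

# Read ldd output on stdin; print each library path absent under $1.
# Lines without a path (e.g. the linux-gate.so.1 vdso) are skipped.
missing_libs() {
    chroot="$1"
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while IFS= read -r lib; do
        [ -e "$chroot$lib" ] || echo "$lib"
    done
}

# Print the libnss_*.so.2 modules implied by the passwd: and group: lines
# of the nsswitch.conf given as $1 ("passwd: compat" -> libnss_compat.so.2).
# Action specs such as [NOTFOUND=return] are not service names and are skipped.
nss_modules() {
    awk '/^(passwd|group):/ { for (i = 2; i <= NF; i++)
                               if ($i !~ /^\[/) print "libnss_" $i ".so.2" }' "$1" | sort -u
}

# Print the NSS modules from $2 that exist nowhere under $1/lib* (any depth,
# so /lib/tls and /lib/i686 as probed in the strace are covered).
missing_nss() {
    chroot="$1"
    nss_modules "$2" | while IFS= read -r mod; do
        find "$chroot"/lib* -name "$mod" 2>/dev/null | grep -q . || echo "$mod"
    done
}

# Run every check for the chroot in $1, reading ldd output from stdin.
# Returns 0 when nothing is missing, 1 otherwise; findings go to stdout.
check_chroot() {
    chroot="$1"; rc=0
    nss="$chroot/etc/nsswitch.conf"
    [ -r "$nss" ] || nss=/etc/nsswitch.conf   # not copied in: assume it mirrors the host
    for f in /etc/passwd /etc/group; do
        [ -e "$chroot$f" ] || { echo "missing: $f"; rc=1; }
    done
    for lib in $(missing_libs "$chroot"); do echo "missing: $lib"; rc=1; done
    for mod in $(missing_nss "$chroot" "$nss"); do
        echo "missing NSS module: $mod"; rc=1
    done
    return $rc
}

if [ $# -ge 1 ]; then check_chroot "$1"; fi
```

Run it as root before starting Apache with SecChroot; a clean exit does not prove suexec will work, but any "missing NSS module" line reproduces exactly the failure this thread ended on.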