Thread: [mod-security-users] Mutex errors in chroot Apache
From: Skye P. <sk...@f4...> - 2006-03-30 07:01:39

Hi, thanks for mod_security!!!! Made chrooting my Apache2 relatively easy.

However I'm getting a lot of these in my httpd-error.log

[Wed Mar 29 22:52:29 2006] [notice] mod_security: chroot checkpoint #1 (pid=1599 ppid=1594)
[Wed Mar 29 22:52:29 2006] [notice] mod_security/1.9.2 configured
[Wed Mar 29 22:52:29 2006] [notice] mod_security: chroot checkpoint #2 (pid=1600 ppid=1)
[Wed Mar 29 22:52:29 2006] [notice] mod_security: chroot successful, path=/home
[Wed Mar 29 22:52:29 2006] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
[Wed Mar 29 22:52:29 2006] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
[Wed Mar 29 22:52:29 2006] [error] (2)No such file or directory: Failed to child-init auditlog mutex
[Wed Mar 29 22:52:29 2006] [notice] Apache/2.0.55 (FreeBSD) RAQdevil/1.0 mod_ssl/2.0.55 OpenSSL/0.9.7e-p1 configured -- resuming normal operations
[Wed Mar 29 22:52:29 2006] [error] (2)No such file or directory: Failed to child-init auditlog mutex
[Wed Mar 29 22:52:29 2006] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
[Wed Mar 29 22:52:29 2006] [error] (2)No such file or directory: Failed to child-init auditlog mutex
[Wed Mar 29 22:52:29 2006] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
[Wed Mar 29 22:52:29 2006] [error] (2)No such file or directory: Failed to child-init auditlog mutex
[Wed Mar 29 22:52:29 2006] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
[Wed Mar 29 22:52:29 2006] [error] (2)No such file or directory: Failed to child-init auditlog mutex
... etc (a pair of these errors for every HTTP request).

Any thoughts on this? Google/Yahoo search doesn't turn up anything.

apache-2.0.55_2
mod_security-1.9.2
FreeBSD 6.1-PRERELEASE

Relevant settings....

SecAuditLog /var/log/www/audit_log
SecFilterDebugLog /var/log/www/modsec_debug_log
SecChrootDir /home

If I change SecFilterDebugLevel from 0 to 9 I do get stuff in the debug log, and everything else seems to be normal, but the errors are annoying.

Thanks,
Skye
From: Ivan R. <iv...@we...> - 2006-03-30 08:02:53

Skye Poier wrote:
> Hi, thanks for mod_security!!!! Made chrooting my Apache2 relatively easy.
>
> However I'm getting a lot of these in my httpd-error.log
>
> [Wed Mar 29 22:52:29 2006] [notice] mod_security: chroot checkpoint #1 (pid=1599 ppid=1594)
> [Wed Mar 29 22:52:29 2006] [notice] mod_security/1.9.2 configured
> [Wed Mar 29 22:52:29 2006] [notice] mod_security: chroot checkpoint #2 (pid=1600 ppid=1)
> [Wed Mar 29 22:52:29 2006] [notice] mod_security: chroot successful, path=/home
> [Wed Mar 29 22:52:29 2006] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child

You've probably left the mod_rewrite log outside the jail and mod_rewrite does not like that. Move it back in.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
From: Skye P. <sk...@f4...> - 2006-03-30 08:40:28

Ivan Ristic <ivanr <at> webkreator.com> writes:
>
> You've probably left the mod_rewrite log outside the jail and
> mod_rewrite does not like that. Move it back in.
>

OK, I tried that. No difference at all. I didn't have RewriteLog on before.

The RewriteLog directive is not chrooted (to /home for me), it needed the full path (/home/var/log/rewrite.log). I even tried creating both a /home/var/log/ and a /home/home/var/log just in case it was using the former before chroot and the latter after chroot, no luck.

Shouldn't all log files be opened before Apache is chrooted by mod_security? Seems like that is the case.

Here's a post I found with someone having the same problem:
http://www.telana.com/pipermail/peruser/2005-July/000078.html

quote:

"it seems RewriteLogLevel 0 isn't enough
i commented out the following in mod_rewrite.c, and mod_rewrite still seems to work

/*
    rv = apr_global_mutex_child_init(&rewrite_log_lock, NULL, p);
    if (rv != APR_SUCCESS) {
        ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
                     "mod_rewrite: could not init rewrite log lock in child");
    }
*/
"

What is apr_global_mutex_child_init() doing? I guess I'll look through the Apache2 source next.

Thanks,
Skye
From: Skye P. <sk...@f4...> - 2006-03-30 09:09:33

Investigating the Apache2 source seems to have found the problem. In FreeBSD ports at least, the default APR locking method is APR_USE_FLOCK_SERIALIZE. I'm sure flock() doesn't work well with a chroot() between calls :)

I wonder what would happen if the flock fd was pointing at a lockfile inside the chroot jail? The man page doesn't say what happens to open file fds...

Looks like mod_security and mod_rewrite are affected at least (both use locking on their log files).

Maybe some other default APR locking method (like SysV semaphores) is safe on FreeBSD 6. I recall reading that POSIX semaphores may not be safe with mod_security.

Thanks
Skye
From: Ivan R. <iv...@we...> - 2006-03-30 09:54:11

Skye Poier wrote:
>
> What is apr_global_mutex_child_init() doing?
> I guess I'll look through the Apache2 source next.

Sometimes, after a fork, the child process needs to initialise a mutex in order to be able to access it. This isn't necessary on all platforms but I don't know the details. I've never had a child-access permission problem on Unix.

> I recall reading that POSIX semaphores may not be safe with
> mod_security.

Not that I know of.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
From: Michael G. <mic...@gm...> - 2006-07-21 13:25:18

I spent hours debugging this. I finally figured it out.

The problem is that a mutex file is being created in /tmp (it looks like: /tmp/aprat6W1c). Then the chroot happens and this file vanishes because it is no longer available within the chroot.

What I did to solve this was to mount /tmp within my chroot (which is /home/www) using a nullfs mount:

mount -t nullfs /tmp /home/www/tmp

A better solution would be to move the apr mutex file into the chroot. Does anyone know how to specify the location of this mutex file manually?

Michael Grant
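A configuration check that follows from the diagnosis in this thread, added here as an example and not code from the thread, from ModSecurity or from Apache: it reads the Apache directives that name files and reports which paths lie outside SecChrootDir (a child process re-opening such a path after the chroot gets ENOENT, which is what the errors above show), and for paths inside the jail, the path the jailed process sees. The directive list and the sample config are assumptions modelled on the settings quoted earlier; APR's own temporary mutex files in /tmp are not visible in the config, so the jail's tmp directory still needs checking separately, as Michael's nullfs mount does.

```python
import os
import shlex

# Directives naming a file that Apache or a forked child opens by path; once
# SecChrootDir applies, a path left outside the jail resolves to ENOENT.
FILE_DIRECTIVES = {"secauditlog", "secfilterdebuglog", "rewritelog", "lockfile",
                   "errorlog", "customlog", "transferlog", "pidfile"}

def parse_config(text):
    """Return (chroot_dir, [(directive, path), ...]) from Apache config text."""
    chroot_dir, paths = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments / blank lines
        if not line:
            continue
        parts = shlex.split(line)
        name = parts[0].lower()                      # directives are case-insensitive
        if name == "secchrootdir" and len(parts) > 1:
            chroot_dir = parts[1]
        elif name in FILE_DIRECTIVES and len(parts) > 1 and not parts[1].startswith("|"):
            paths.append((parts[0], parts[1]))      # "|prog" is a piped logger, not a file
    return chroot_dir, paths

def check_paths(chroot_dir, paths):
    """Return [(directive, path, verdict, path_seen_inside_jail)]; verdict is 'inside',
    'outside' (unreachable after chroot) or 'unresolved' (relative/syslog: target)."""
    base = os.path.normpath(chroot_dir).rstrip(os.sep)   # a "/" jail gives an empty prefix
    out = []
    for name, path in paths:
        if not os.path.isabs(path):
            out.append((name, path, "unresolved", None))
        elif os.path.normpath(path).startswith(base + os.sep):
            out.append((name, path, "inside", os.path.normpath(path)[len(base):]))
        else:
            out.append((name, path, "outside", None))
    return out

# Constructed sample config, modelled on the settings quoted in the thread.
SAMPLE_CONFIG = """
SecChrootDir /home
SecAuditLog /var/log/www/audit_log
SecFilterDebugLog /var/log/www/modsec_debug_log
RewriteLog "/home/var/log/rewrite.log"    # full pre-chroot path, as Skye found
CustomLog "|/usr/sbin/rotatelogs /var/log/www/access 86400" combined
"""

def report(text=SAMPLE_CONFIG):
    chroot_dir, paths = parse_config(text)
    return check_paths(chroot_dir, paths) if chroot_dir else []
```

Running `report()` on the sample flags both ModSecurity log paths as outside the /home jail and shows the RewriteLog file as /var/log/rewrite.log from inside it.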