Hi Steve,
The default permissions for creating a temp file are hard-coded to 0600
(-rw-------) in most implementations of mkstemp (used to securely create
unique temp files), and it will be owned by the user/group running the
httpd processes (httpd_user/httpd_group) unless the SecTmpDir has the
correct group/permissions set. A while back the permissions for mkstemp
files were 0666, but this was changed to 0600 for security reasons. This
change made it impossible to do what you want in ModSecurity.
In order to allow flexibility for the file permissions here I have added
a SecUploadFileMode directive to set the mode (permissions) on uploaded
files explicitly. This new functionality will be in the next
ModSecurity versions 2.1.6 and 2.5.0. In the meantime I can give you a
patch for whatever version you are using if you want.
Here is what you will need to do (you have already done most of it):
1) ModSecurity uploads to the SecTmpDir directory. You should create
and set this to a directory which is only used for ModSecurity. This
directory should be writable by the httpd_user user and readable by the
clamav group. The group sticky bit should be set on the directory as
well (makes new files have the directory's group).
In your case this was:
mkdir /tmp/webfiles
chown httpd_user:clamav /tmp/webfiles
chmod 2750 /tmp/webfiles
Which would create something like this:
drwxr-s--- 3 httpd_user clamav 4096 2008-01-25 08:51 /tmp/webfiles
The important thing above is the (group r-s) for the directory and the
clamav group.
2) Set the SecTmpDir and SecUploadDir directories in ModSecurity:
In your case you had:
SecTmpDir /tmp/webfiles
SecUploadDir /tmp/webfiles
3) Additionally set the new SecUploadFileMode to get the permissions
that you want.
In your case you probably want the clamav group to read and write
(delete) the files:
SecUploadFileMode 0660
The result should be files created like this:
-rw-rw---- 1 httpd_user clamav 164 2008-01-25 08:51
/tmp/webfiles/20080125-085112-xBD8tX8AAQEAABsNR0wAAAAA-file-h2zQe8
Hopefully that made sense. If not, let me know. :)
thanks,
-B
Ivan Ristic wrote:
> Hi Steve,
>
> Thank you for your in-depth analysis of the problem. I am sorry we
> didn't meet your expectations when it comes to response speed.
>
> It's possible that this feature (relaxed permissions) has been broken
> somewhere down the line. I've looked at the code briefly and it looks
> to me that we again need to relax file permissions for the files
> extracted from requests. I (or Brian) will look into it and get back to
> you (here, on the list).
>
>
> On Jan 19, 2008 9:27 PM, Steve Whitlatch <swh...@ge...> wrote:
>> Hello mod-security-users,
>>
>> I've got mod_security2 installed and working. Thank you to the developers.
>>
>> I'm mostly using the rules files shipped in the source package. It's
>> working well, I think, except I don't know what to do to allow clamdscan
>> (the daemon, not the command-line client) to access uploaded files via
>> the modsec-clamscan.pl script. It works using the command-line client,
>> but that's too slow.
>>
>> My question is: What must I do to properly configure file permissions so
>> that I can use mod_security2 and clamdscan to scan uploaded files?
>>
>> Information
>> -----------
>> * clamav, clamd, etc. are installed and running correctly as per the
>> clamav installation instructions.
>>
>> * The modsec-clamscan.pl script I'm using is the one shipped in the
>> mod_security version 1.9.5 source package.
>>
>> * When using clamscan instead of clamdscan, that is:
>>
>> '$CLAMSCAN = "/usr/local/bin/clamscan";'
>>
>> it works fine. However, when using clamdscan, that is:
>>
>> '$CLAMSCAN = "/usr/local/bin/clamdscan";'
>>
>> in the modsec_audit.log, I always get a message similar to the
>> following:
>>
>> *******
>> Message: Warning. File \
>> "/tmp/webfiles/20080119-130031-tgz@An8AAAEAAAvcXIUAAAAH-file-KH1j8W" \
>> rejected by the approver script \
>> "/usr/local/apache2/bin/modsec-clamscan.pl":0 clamscan: Access denied.
>> [. . .]
>> Producer: ModSecurity v2.1.3 (Apache 2.x)
>> [. . .]
>> *********
>>
>> * The uploaded files are written to disk with the following permissions:
>> -rw------- 1 httpd_user httpd_group
>>
>> * The clamd daemon runs as the user:
>> clamav
>>
>> * The relevant SecRule in use is:
>>
>> SecRule FILES_TMPNAMES "@inspectFile \
>> /usr/local/apache2/bin/modsec-clamscan.pl" "t:none"
>>
>> * I've read the relevant portions of the 1.9.x ModSecurity for Apache
>> User Guide, sections "Interacting with other daemons" and
>> "Integration with ClamAV". The tmp directory and its permissions
>> are created accordingly, that is:
>>
>> # mkdir /tmp/webfiles
>> # chown httpd_user:clamav /tmp/webfiles
>> # chmod 2750 /tmp/webfiles
>>
>> and I am using:
>>
>> SecUploadDir /tmp/webfiles
>> SecDataDir /tmp/webfiles
>> SecTmpDir /tmp/webfiles
>>
>> -----------
>>
>> Thoughts
>> --------
>> Previous versions of the ModSecurity for Apache User Guide discuss the
>> permissions issue and state:
>>
>> "To allow for interaction with other daemons (for example ClamAV, as
>> described later), as of 1.9dev1 files are created with relaxed permissions
>> allowing group read. To do this assuming Apache runs as httpd and daemon
>> as clamav [. . .]
>>
>> But that appears to no longer be the case. Upon inspection, mod_security is
>> creating the files with the following permissions:
>>
>> -rw------- 1 httpd_user httpd_group
>>
>> So, no group read. And if the files were to be written with group read,
>> there is the issue of which group that would be. It is currently not
>> clamav. And even if the group were clamav, there is the issue of Apache
>> needing to run with its group being something other than clamav.
>>
>> Solutions? Suggestions? If anyone actually has mod_security2 scanning
>> uploads with clamdscan (the daemon, not "clamscan", the command-line
>> client), please share how you did that.
>>
>> Thanks,
>>
>> Steve Whitlatch
>>
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>
>
>
>
> --
> Ivan Ristic
>
>
--
Brian Rectanus
Breach Security