Most excellent, and thank you!
I'll implement your instructions after installing the 2.1.6 release. Upon a
quick glance, I think I've already got everything in place except for the
SecUploadFileMode directive.
Using the clamav daemon to scan uploaded files is much quicker than the
command-line client. Looks like the SecUploadFileMode directive is just what
we needed.
Thanks,
Steve Whitlatch
On Friday 25 January 2008 10:20, Brian Rectanus wrote:
> Hi Steve,
>
> The default permissions for creating a temp file are hard-coded to 0600
> (-rw-------) in most implementations of mkstemp (used to securely create
> unique temp files) and it will be owned by the user/group running the
> httpd processes (httpd_user/httpd_group) unless the SecTmpDir has
> correct group/permissions set. A while back the permissions for mkstemp
> files were 0666, but were changed to 0600 for security reasons. This
> change made it impossible to do what you want in ModSecurity.
>
>
> In order to allow flexibility for the file permissions here I have added
> a SecUploadFileMode directive to set the mode (permissions) on uploaded
> files explicitly. This new functionality will be in the next
> ModSecurity versions 2.1.6 and 2.5.0. In the meantime I can give you a
> patch to whatever version you are using if you want.
>
> Here is what you will need to do (you have already done most of it):
>
> 1) ModSecurity uploads to the SecTmpDir directory. You should create
> and set this to a directory which is only used for ModSecurity. This
> directory should be writable by the httpd_user user and readable by the
> clamav group. The group sticky bit should be set on the directory as
> well (makes new files have the directory's group).
>
> In your case this was:
>
> mkdir /tmp/webfiles
> chown httpd_user:clamav /tmp/webfiles
> chmod 2750 /tmp/webfiles
>
> Which would create something like this:
>
> drwxr-s--- 3 httpd_user clamav 4096 2008-01-25 08:51 /tmp/webfiles
>
> The important thing above is the (group r-s) for the directory and the
> clamav group.
>
> 2) Set the SecTmpDir and SecUploadDir directories in ModSecurity:
>
> In your case you had:
>
> SecTmpDir /tmp/webfiles
> SecUploadDir /tmp/webfiles
>
> 3) Additionally set the new SecUploadFileMode to get the permissions
> that you want.
>
> In your case you probably want the clamav group to read and write
> (delete) the files:
>
> SecUploadFileMode 0660
>
> The result should be files created like this:
>
> -rw-rw---- 1 httpd_user clamav 164 2008-01-25 08:51
> /tmp/webfiles/20080125-085112-xBD8tX8AAQEAABsNR0wAAAAA-file-h2zQe8
>
>
> Hopefully that made sense. If not, let me know. :)
>
> thanks,
> -B
>
> Ivan Ristic wrote:
> > Hi Steve,
> >
> > Thank you for your in-depth analysis of the problem. I am sorry we
> > didn't meet your expectations when it comes to response speed.
> >
> > It's possible that this feature (relaxed permissions) had been broken
> > somewhere down the line. I've looked at the code briefly and it looks
> > to me we again need to relax file permissions for the files extracted
> > from requests. I (or Brian) will look into it and get back to you
> > (here, on the list).
> >
> > On Jan 19, 2008 9:27 PM, Steve Whitlatch <swh...@ge...> wrote:
> >> Hello mod-security-users,
> >>
> >> I've got mod_security2 installed and working. Thank you to the
> >> developers.
> >>
> >> I'm mostly using the rules files shipped in the source package. It's
> >> working well, I think, except I don't know what to do to allow clamdscan
> >> (the daemon, not the command-line client) to access uploaded files via
> >> the modsec-clamscan.pl script. It works using the command-line client,
> >> but that's too slow.
> >>
> >> My question is: What must I do to properly configure file permissions so
> >> that I can use mod_security2 and clamdscan to scan uploaded files?
> >>
> >> Information
> >> -----------
> >> * clamav, clamd, etc. are installed and running correctly as per the
> >> clamav installation instructions.
> >>
> >> * The modsec-clamscan.pl script I'm using is the one shipped in the
> >> mod_security version 1.9.5 source package.
> >>
> >> * When using clamscan instead of clamdscan, that is:
> >>
> >> '$CLAMSCAN = "/usr/local/bin/clamscan";'
> >>
> >> it works fine. However, when using clamdscan, that is:
> >>
> >> '$CLAMSCAN = "/usr/local/bin/clamdscan";'
> >>
> >> in the modsec_audit.log, I always get a message similar to the
> >> following:
> >>
> >> *******
> >> Message: Warning. File \
> >> "/tmp/webfiles/20080119-130031-tgz@An8AAAEAAAvcXIUAAAAH-file-KH1j8W"
> >> \ rejected by the approver script \
> >> "/usr/local/apache2/bin/modsec-clamscan.pl":0 clamscan: Access
> >> denied. [. . .]
> >> Producer: ModSecurity v2.1.3 (Apache 2.x)
> >> [. . .]
> >> *********
> >>
> >> * The uploaded files are written to disk with the following
> >> permissions: -rw------- 1 httpd_user httpd_group
> >>
> >> * The clamd daemon runs as the user:
> >> clamav
> >>
> >> * The relevant SecRule in use is:
> >>
> >> SecRule FILES_TMPNAMES "@inspectFile \
> >> /usr/local/apache2/bin/modsec-clamscan.pl" "t:none"
> >>
> >> * I've read the relevant portions of the 1.9.x ModSecurity for Apache
> >> User Guide, sections "Interacting with other daemons" and
> >> "Integration with ClamAV". The tmp directory and its permissions
> >> are created accordingly, that is:
> >>
> >> # mkdir /tmp/webfiles
> >> # chown httpd_user:clamav /tmp/webfiles
> >> # chmod 2750 /tmp/webfiles
> >>
> >> and I am using:
> >>
> >> SecUploadDir /tmp/webfiles
> >> SecDataDir /tmp/webfiles
> >> SecTmpDir /tmp/webfiles
> >>
> >> -----------
> >>
> >> Thoughts
> >> --------
> >> Previous versions of the ModSecurity for Apache User Guide discuss the
> >> permissions issue and state:
> >>
> >> "To allow for interaction with other daemons (for example ClamAV, as
> >> described later), as of 1.9dev1 files are created with relaxed
> >> permissions allowing group read. To do this assuming Apache runs as
> >> httpd and daemon as clamav [. . .]
> >>
> >> But that appears to no longer be the case. Upon inspection,
> >> mod_security is creating the files with the following permissions:
> >>
> >> -rw------- 1 httpd_user httpd_group
> >>
> >> So, no group read. And if the files were to be written with group read,
> >> there is the issue of which group that would be. It is currently not
> >> clamav. And even if the group were clamav, there is the issue of Apache
> >> needing to run with its group being something other than clamav.
> >>
> >> Solutions? Suggestions? If anyone actually has mod_security2 scanning
> >> uploads with clamdscan (the daemon, not "clamscan", the command-line
> >> client), please share how you did that.
> >>
> >> Thanks,
> >>
> >> Steve Whitlatch
> >>
> >> _______________________________________________
> >> mod-security-users mailing list
> >> mod...@li...
> >> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >
> > --
> > Ivan Ristic
> >
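The permission chain Brian lays out above (a setgid directory owned by
httpd_user:clamav, a 0600 file as mkstemp creates it, then the 0660 mode that
SecUploadFileMode 0660 applies) can be reproduced and verified outside Apache
before touching the live configuration. The script below is an added example
and is not part of the thread or of ModSecurity; it takes the directory and
group as parameters instead of hard-coding /tmp/webfiles and clamav, stands in
for mkstemp and SecUploadFileMode with plain shell, and relies on GNU stat(1),
so it runs as written on Linux.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): rebuild the upload-dir
# permission chain described in the thread and check each step with stat(1).
# DIR and GROUP are parameters; the thread's values were /tmp/webfiles and
# httpd_user:clamav. Requires GNU stat (Linux).

# setup_upload_dir DIR GROUP: create DIR owned by the calling user and GROUP,
# mode 2750 (drwxr-s---). The setgid bit makes every file created inside
# inherit GROUP instead of the creating process's primary group, which is
# what lets Apache (httpd_user:httpd_group) produce clamav-group files.
setup_upload_dir() {
    dir=$1; grp=$2
    mkdir -p "$dir" || return 1
    chgrp "$grp" "$dir" || return 1
    chmod 2750 "$dir" || return 1
}

# dir_mode DIR: octal mode including the setgid bit, e.g. 2750
dir_mode() { stat -c %a "$1"; }

# file_group PATH: name of the owning group
file_group() { stat -c %G "$1"; }

# simulate_upload DIR NAME: create DIR/NAME the way mkstemp(3) does (0600,
# regardless of umask), then apply the equivalent of SecUploadFileMode 0660.
# Prints "<mode before> <mode after>", e.g. "600 660".
simulate_upload() {
    f="$1/$2"
    old_umask=$(umask)
    umask 077                    # mkstemp hard-codes 0600; emulate that here
    : > "$f"
    umask "$old_umask"
    before=$(stat -c %a "$f")
    chmod 0660 "$f"              # what SecUploadFileMode 0660 does after creation
    after=$(stat -c %a "$f")
    echo "$before $after"
}

# check_readable_by_group DIR NAME GROUP: succeeds only if DIR/NAME is owned
# by GROUP and GROUP has read permission, i.e. the condition clamd needs
# before clamdscan stops reporting "Access denied".
check_readable_by_group() {
    f="$1/$2"
    [ "$(stat -c %G "$f")" = "$3" ] || return 1
    perms=$(stat -c %A "$f")     # symbolic mode, e.g. -rw-rw----
    [ "$(printf %s "$perms" | cut -c5)" = "r" ]
}
```

Usage against a scratch directory: `setup_upload_dir /tmp/webfiles-test clamav`,
then `simulate_upload /tmp/webfiles-test probe` should print `600 660` and
`check_readable_by_group /tmp/webfiles-test probe clamav` should succeed.
Running the same check as the httpd user (for example via `su -s /bin/sh
httpd_user`) is the closest offline approximation of what ModSecurity will do,
since that is where the group inheritance from the setgid bit actually
matters.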