Re: [Mod-security-developers] Compatibility with mod_ruid2
From: Breno S. <bre...@gm...> - 2013-07-24 18:17:21
Hello Ben,

This is what I'm trying to do as a test. Let me know if the config is similar on your side:

httpd.conf:

Rmode config
RuidGid www-data www-data
Rgroups brenosilva

virtual-host.conf:

RuidGid brenosilva www-data
and
RuidGid www-data www-data

modsecurity.conf:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0777
SecAuditLogStorageDir /var/log/apache2

Then I set umask 000 during apache runtime.

ls -lisa /var/log/apache2/*
196265 4 drwxrwxrwx 4 brenosilva www-data 4096 2013-07-22 23:25 .
188049 4 drwxrwxrwx 3 root root 4096 2013-07-22 23:24 ..
196266 4 drwxrwxrwx 2 brenosilva www-data 4096 2013-07-22 23:24 20130722-2324
196267 4 drwxrwxrwx 2 www-data www-data 4096 2013-07-22 23:25 20130722-2325

No more permission denied errors.

For sure 777 is not the best solution :) .... but I think it is possible to do the same concept using 770 permission.

Breno

On Wed, Jul 24, 2013 at 2:01 PM, Breno Silva <bre...@gm...> wrote:

> Ben,
>
> I can try it here. I already installed mod_ruid2. Could you please send me
> your mod_ruid2 config? Then I can reproduce.
>
> Thanks
>
> On Wed, Jul 24, 2013 at 1:53 PM, Ben Empson <be...@ar...> wrote:
>
>> Hi Breno, OK thanks for that. FYI I’m on holiday from tomorrow until 12
>> August, I don’t think I’ll get time to look at this before that. I will do
>> the update to 2.7.5 ASAP on my return.
>>
>> Thanks for your help, I’ll also feedback to the mod_ruid2 dev that you
>> already use ap_hook_log_transaction().
>>
>> *From:* Breno Silva [mailto:bre...@gm...]
>> *Sent:* 24 July 2013 18:48
>> *To:* mod-security-developers
>> *Subject:* Re: [Mod-security-developers] Compatibility with mod_ruid2
>>
>> Ben,
>>
>> Please download the 2.7.5 candidate tarball:
>> https://www.modsecurity.org/tarball/2.7.4/modsecurity-apache_2.7.5.tar.gz
>>
>> I will send you code for testing.
>>
>> We already use ap_hook_log_transaction for logging phase.
>>
>> Thanks
>>
>> Breno
>>
>> On Wed, Jul 24, 2013 at 1:22 PM, Ben Empson <be...@ar...> wrote:
>>
>> Hi Breno, sorry, this is confusing. You seem to be referring to **my**
>> umask (I’m logging in as root). However, I’m using Apache with mod_ruid2,
>> mod_ruid2 changes the process owner in Apache for each request to the user
>> associated with the website account (in cPanel).
>>
>> As such, Apache is creating the audit log folders using the process
>> request owner, which could be a different user for each request. The
>> permissions are 755 because I believe that mod_ruid2 implements that
>> restriction – it’s by design.
>>
>> The mod_ruid2 developer tells me (here:
>> https://github.com/mind04/mod-ruid2/issues/1) that if mod_security were
>> to use the ap_hook_log_transaction() call in order to write the logs, then
>> by this point mod_ruid2 has returned the process owner to “nobody” and
>> therefore none of the current problems would apply, assuming that “nobody”
>> has write permissions to the audit log folders.
>>
>> According to the mod_ruid2 dev, mod_security is using some other
>> mechanism to write the logs, which is at a point in the pipeline where the
>> process still has the specific website account owner assigned, and it is
>> this which is causing the permissions problems.
>>
>> I don’t know if I’m barking up the wrong tree here, but this is what the
>> mod_ruid2 developer tells me.
>>
>> Regards, Ben
>>
>> *From:* Breno Silva [mailto:bre...@gm...]
>> *Sent:* 24 July 2013 18:06
>> *To:* mod-security-developers
>> *Subject:* Re: [Mod-security-developers] Compatibility with mod_ruid2
>>
>> Hello Ben,
>>
>> I was looking at your debug info:
>> https://www.atomicorp.com/forum/viewtopic.php?f=15&t=6932&sid=23c91691756075ec7fc5cfe86a6630d1
>>
>> And it looks like you tried to change the file/dir permission using
>> SecAuditLogDirMode and SecAuditLogFileMode.
>> However it is still being created as 755 permission. It could be related
>> to your umask.
>>
>> So please try to change your umask in your /etc/profile then set above
>> directives as 0777. Start your apache again (make sure your umask has been
>> changed) and let us know what happens with your file/dir permission.
>>
>> Thanks
>>
>> Breno
>>
>> On Wed, Jul 24, 2013 at 12:05 PM, Ben Empson <be...@ar...> wrote:
>>
>> Hi Breno, sorry but I don’t understand what you mean by “You can try to
>> set it into /etc/profile ?”
>>
>> Also, I’m not clear on what you’re demonstrating with your example below.
>> Also in my setup logs are created by the first user which tries to log,
>> since that user creates the directory and has permissions on it. However
>> any subsequent users are unable to log to the same directory since they do
>> not have permissions.
>>
>> Regards, Ben
>>
>> *From:* Breno Silva [mailto:bre...@gm...]
>> *Sent:* 22 July 2013 14:08
>> *To:* mod-security-developers
>> *Subject:* Re: [Mod-security-developers] Compatibility with mod_ruid2
>>
>> Ben,
>>
>> You can try to set it into /etc/profile ?
>> It works for me :
>>
>> root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130720/20130720-1140/20130720-114050-UerZscCoAGUAAFcXJFcAAAAe
>> 194655 4 -rwxrwxrwx 1 www-data www-data 3342 2013-07-22 11:40 /var/log/apache2/20130722/20130722-1140/20130722-114050-UerZscCoAGUAAFcXJFcAAAAe
>>
>> On Mon, Jul 22, 2013 at 12:07 AM, Ben Empson <be...@ar...> wrote:
>>
>> Hi Breno,
>>
>> I tried:
>>
>> SecAuditLogDirMode 0000
>> SecAuditLogFileMode 0000
>>
>> But on Apache restart I got the following error: “ModSecurity: Invalid
>> value for SecAuditLogDirMode: 0000”. So I reset these 2 values to 0777.
>>
>> Then I went to /var/asl/data and did
>>
>> umask 0000
>>
>> However I’m still getting errors in the Apache log: “ModSecurity: Audit
>> log: Failed to create file:
>> /var/asl/data/audit0722/20130722-0756/20130722-075623-UezXl1nIjfEAAHYWJ@oAAAAK(Permission denied)”
>>
>> Note that the first website to get an error in each minute creates the
>> audit folder and there are logs for that site.
>> However any subsequent requests for other websites (and therefore users)
>> get the error above since they don’t have write permissions, eg:
>>
>> drwxr-xr-x 2 use11 use11 4096 Jul 22 07:55 20130722-0755/
>> drwxr-xr-x 2 use22 use22 4096 Jul 22 07:56 20130722-0756/
>>
>> Regards, Ben
>>
>> ------------------------------------------------------------------------------
>> See everything from the browser to the database with AppDynamics
>> Get end-to-end visibility with application monitoring from AppDynamics
>> Isolate bottlenecks and diagnose root cause in seconds.
>> Start your free trial of AppDynamics Pro today!
>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
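
Added example, not part of the thread and not ModSecurity or mod_ruid2 code: a small POSIX permission model that shows which request identities get "Permission denied" in an audit-log directory created by another identity, and how the umask turns a requested 0777 into 0755. It assumes the directory is created with plain mkdir semantics (requested mode with the umask bits cleared) and that each cPanel account belongs only to its own group; the function names and the 0770 listing lines are constructed for illustration.

```python
# Added example: POSIX permission model for per-minute audit-log directories
# written under mod_ruid2. Listing lines are constructed from the thread.

def effective_mode(requested: int, umask: int) -> int:
    """Mode a plain mkdir(2) applies: requested bits with the umask cleared."""
    return requested & ~umask & 0o777

def parse_ls(line: str):
    """Parse an `ls -l` line into (mode, owner, group); plain rwx bits only."""
    fields = line.split()
    mode = 0
    for i, ch in enumerate(fields[0][1:10]):
        if ch != "-":
            mode |= 1 << (8 - i)
    return mode, fields[2], fields[3]

def can_create_file(mode, owner, group, user, user_groups) -> bool:
    """Pick owner, group or other bits (first match wins); creating a file
    in a directory needs both write and search permission."""
    if user == owner:
        bits = (mode >> 6) & 7
    elif group in user_groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & 0o3 == 0o3

def denied_users(ls_line: str, identities: dict) -> list:
    """Request identities that would hit 'Permission denied' in this directory."""
    mode, owner, group = parse_ls(ls_line)
    return sorted(u for u, g in identities.items()
                  if not can_create_file(mode, owner, group, u, g))

# Assumed identities: each cPanel account only in its own group (Ben's listing);
# both of Breno's RuidGid identities share the www-data group.
CPANEL = {"use11": {"use11"}, "use22": {"use22"}}
SHARED = {"brenosilva": {"www-data"}, "www-data": {"www-data"}}

BEN_0755 = "drwxr-xr-x 2 use11 use11 4096 Jul 22 07:55 20130722-0755/"
BRENO_0777 = "drwxrwxrwx 2 brenosilva www-data 4096 2013-07-22 23:24 20130722-2324"
SHARED_0770 = "drwxrwx--- 2 brenosilva www-data 4096 2013-07-22 23:24 20130722-2324"
CPANEL_0770 = "drwxrwx--- 2 use11 use11 4096 Jul 22 07:55 20130722-0755/"

if __name__ == "__main__":
    print(oct(effective_mode(0o777, 0o022)))  # requested 0777 under umask 022
    for name, line, ids in [("0755 per-user", BEN_0755, CPANEL),
                            ("0777 shared", BRENO_0777, SHARED),
                            ("0770 shared", SHARED_0770, SHARED),
                            ("0770 per-user", CPANEL_0770, CPANEL)]:
        print(name, "denied:", denied_users(line, ids))
```

In this model 0770 only removes the errors when every request identity shares the directory's group, and the umask must not clear the group write bit (a umask of 022 reduces a requested 0770 to 0750).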