Re: [Mod-security-developers] Compatibility with mod_ruid2
From: Ben E. <be...@ar...> - 2013-07-25 07:53:56
Hi Breno, here are my configs:
mod_ruid2.conf:
<IfModule mod_ruid2.c>
RMode config
RDefaultUidGid nobody nobody
RUidGid nobody nobody
</IfModule>
httpd.conf
Every virtual host has the following block (obviously with the actual user / group). User and group always have the same name which is the cPanel account name:
<IfModule mod_ruid2.c>
RMode config
RUidGid {user} {group}
</IfModule>
modsecurity2.user.conf
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
SecAuditLogType Concurrent
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 20621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyLimit 20621440
SecRequestBodyInMemoryLimit 2062144
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
SecAuditLogDirMode 0777
SecAuditLogFileMode 0777
Include /usr/local/apache/conf/modsec_rules/*asl*.conf
# this file is empty
Include /usr/local/apache/conf/modsec2.whitelist.conf
I'm not sure you're testing the same thing as me. You will need to have at least 2 virtual hosts, and you will need to call them in such a way that ModSecurity will generate an audit log in the same minute. It's only under these conditions that the permissions problem arises, otherwise new directories and logs are simply created by a single user and there's no problem. Obviously on a busy server these conditions are easily met.
From: Breno Silva [mailto:bre...@gm...]
Sent: 24 July 2013 20:17
To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2
Hello Ben,
This is what I'm trying to do as a test. Let me know if the config is similar on your side:
httpd.conf:
Rmode config
RuidGid www-data www-data
Rgroups brenosilva
virtual-host.conf:
RuidGid brenosilva www-data
and
RuidGid www-data www-data
modsecurity.conf:
SecAuditLogDirMode 0777
SecAuditLogFileMode 0777
SecAuditLogStorageDir /var/log/apache2
Then I set umask 000 during Apache runtime.
ls -lisa /var/log/apache2/*
196265 4 drwxrwxrwx 4 brenosilva www-data 4096 2013-07-22 23:25 .
188049 4 drwxrwxrwx 3 root root 4096 2013-07-22 23:24 ..
196266 4 drwxrwxrwx 2 brenosilva www-data 4096 2013-07-22 23:24 20130722-2324
196267 4 drwxrwxrwx 2 www-data www-data 4096 2013-07-22 23:25 20130722-2325
No more permission denied errors. For sure 777 is not the best solution :) .... but I think it is possible to do the same concept using 770 permissions.
Breno
On Wed, Jul 24, 2013 at 2:01 PM, Breno Silva <bre...@gm...> wrote:
Ben,
I can try it here. I already installed mod_ruid2. Could you please send me your mod_ruid2 config? Then I can reproduce.
Thanks
On Wed, Jul 24, 2013 at 1:53 PM, Ben Empson <be...@ar...> wrote:
Hi Breno, OK thanks for that. FYI I'm on holiday from tomorrow until 12 August; I don't think I'll get time to look at this before that. I will do the update to 2.7.5 ASAP on my return.
Thanks for your help, I'll also feed back to the mod_ruid2 dev that you already use ap_hook_log_transaction().
From: Breno Silva [mailto:bre...@gm...]
Sent: 24 July 2013 18:48
To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2
Ben,
Please download the 2.7.5 candidate tarball: https://www.modsecurity.org/tarball/2.7.4/modsecurity-apache_2.7.5.tar.gz
I will send you a code for testing.
We already use ap_hook_log_transaction for the logging phase.
Thanks
Breno
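The permission problem Ben describes (two vhosts running as different uids under mod_ruid2 writing concurrent audit logs into the same per-minute directory) and Breno's 777 versus 770 comparison can be checked with a small model. This is an added example, not code from the thread or from ModSecurity; it assumes the per-minute directory is created by the first request's uid and primary gid with the mode from SecAuditLogDirMode masked by the process umask, and that the storage root itself is writable by everyone.

```python
from dataclasses import dataclass

@dataclass
class DirEntry:
    owner: str
    group: str
    mode: int  # permission bits actually set on disk

def effective_mode(requested: int, umask: int) -> int:
    """What mkdir() leaves behind: SecAuditLogDirMode masked by the umask."""
    return requested & ~umask & 0o777

def can_create_inside(d: DirEntry, user: str, groups: list) -> bool:
    """Creating a file in a directory needs write + search (execute) on it."""
    if user == d.owner:
        bits = (d.mode >> 6) & 0o7
    elif d.group in groups:
        bits = (d.mode >> 3) & 0o7
    else:
        bits = d.mode & 0o7
    return bits & 0o3 == 0o3

def simulate(dir_mode: int, umask: int, requests: list) -> list:
    """requests: (user, groups, minute) in arrival order; groups[0] is the
    primary gid set by RUidGid. The YYYYMMDD-HHMM directory seen in Breno's
    ls output is created by whichever request arrives first in that minute;
    later requests in the same minute must be able to write into it."""
    minute_dirs = {}
    outcome = []
    for user, groups, minute in requests:
        if minute not in minute_dirs:
            # Assumption: the new directory inherits the creator's primary gid.
            minute_dirs[minute] = DirEntry(user, groups[0], effective_mode(dir_mode, umask))
            outcome.append("created")
        elif can_create_inside(minute_dirs[minute], user, groups):
            outcome.append("ok")
        else:
            outcome.append("EACCES")
    return outcome

# Constructed scenarios (account names are placeholders).
MINUTE = "20130722-2324"
CPANEL = [("acct1", ["acct1"], MINUTE), ("acct2", ["acct2"], MINUTE)]          # Ben: one group per user
SHARED = [("brenosilva", ["www-data", "brenosilva"], MINUTE),
          ("www-data", ["www-data"], MINUTE)]                                   # Breno: common gid www-data

if __name__ == "__main__":
    print("0777, default umask 022, cPanel:", simulate(0o777, 0o022, CPANEL))   # second request fails
    print("0777, umask 000, cPanel:      ", simulate(0o777, 0o000, CPANEL))     # Breno's workaround
    print("0770, umask 007, shared gid:  ", simulate(0o770, 0o007, SHARED))     # 770 works with a shared group
    print("0770, umask 007, cPanel:      ", simulate(0o770, 0o007, CPANEL))     # but not with per-user groups
```

The model shows why the bug only appears when two different uids log within the same minute: the first request creates the directory and every later one depends on the group or other bits, which the umask strips unless it is relaxed or all vhost uids share a gid.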