Re: [Mod-security-developers] Compatibility with mod_ruid2
From: Breno S. <bre...@gm...> - 2013-07-25 12:07:03
Hello Ben,

I think it is working. Now I set two vhosts, one for user: brenosilva and one for user: nobody.

Then I submit two requests:

root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/*
total 16
196266 4 drwxrwxrwx 2 nobody www-data 4096 2013-07-25 05:02 .
196265 4 drwxrwxrwx 3 nobody www-data 4096 2013-07-25 05:02 ..
142051 4 -rwxrwxrwx 1 nobody www-data 1658 2013-07-25 05:02 20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA

root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/20130725-0502/20130725-0502*
142051 4 -rwxrwxrwx 1 nobody www-data 1658 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA

Audit log files were created for both users. No permission denied errors.

Can you try to reproduce at least this test?

Breno

On Thu, Jul 25, 2013 at 4:53 AM, Ben Empson <be...@ar...> wrote:

> Hi Breno, here’s my configs:
>
> mod_ruid2.conf:
>
> <IfModule mod_ruid2.c>
> RMode config
> RDefaultUidGid nobody nobody
> RUidGid nobody nobody
> </IfModule>
>
> httpd.conf
>
> Every virtual host has the following block (obviously with the actual user
> / group). User and group always have the same name which is the cPanel
> account name:
>
> <IfModule mod_ruid2.c>
> RMode config
> RUidGid {user} {group}
> </IfModule>
>
> modsecurity2.user.conf
>
> SecPcreMatchLimit 50000
> SecPcreMatchLimitRecursion 50000
> SecAuditLogType Concurrent
> SecRequestBodyAccess On
> SecResponseBodyAccess On
> SecResponseBodyMimeType (null) text/html text/plain text/xml
> SecResponseBodyLimit 20621440
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> SecServerSignature Apache
> SecUploadDir /var/asl/data/suspicious
> SecUploadKeepFiles Off
> SecAuditLogParts ABIFHZ
> SecArgumentSeparator "&"
> SecCookieFormat 0
> SecRequestBodyLimit 20621440
> SecRequestBodyInMemoryLimit 2062144
> SecDataDir /var/asl/data/msa
> SecTmpDir /tmp
> SecAuditLogStorageDir /var/asl/data/audit
> SecResponseBodyLimitAction ProcessPartial
>
> SecAuditLogDirMode 0777
> SecAuditLogFileMode 0777
>
> Include /usr/local/apache/conf/modsec_rules/*asl*.conf
> Include /usr/local/apache/conf/modsec2.whitelist.conf #this file is empty
>
> I’m not sure you’re testing the same thing as me. You will need to have at
> least 2 virtual hosts, and you will need to call them in such a way that
> ModSecurity will generate an audit log in the same minute. It’s only under
> these conditions that the permissions problem arises, otherwise new
> directories and logs are simply created by a single user and there’s no
> problem. Obviously on a busy server these conditions are easily met.
>
> *From:* Breno Silva [mailto:bre...@gm...]
> *Sent:* 24 July 2013 20:17
> *To:* mod-security-developers
> *Subject:* Re: [Mod-security-developers] Compatibility with mod_ruid2
>
> Hello Ben,
>
> This is what I'm trying to do as a test. Let me know if the config is
> similar on your side:
>
> httpd.conf:
>
> Rmode config
> RuidGid www-data www-data
> Rgroups brenosilva
>
> virtual-host.conf:
>
> RuidGid brenosilva www-data
>
> and
>
> RuidGid www-data www-data
>
> modsecurity.conf:
>
> SecAuditLogDirMode 0777
> SecAuditLogFileMode 0777
> SecAuditLogStorageDir /var/log/apache2
>
> then I set umask 000 during apache runtime
>
> ls -lisa /var/log/apache2/*
> 196265 4 drwxrwxrwx 4 brenosilva www-data 4096 2013-07-22 23:25 .
> 188049 4 drwxrwxrwx 3 root root 4096 2013-07-22 23:24 ..
> 196266 4 drwxrwxrwx 2 brenosilva www-data 4096 2013-07-22 23:24 20130722-2324
> 196267 4 drwxrwxrwx 2 www-data www-data 4096 2013-07-22 23:25 20130722-2325
>
> No more permission denied errors. For sure 777 is not the best solution :)
> .... but I think it is possible to do the same concept using 770 permission.
>
> Breno
>
> On Wed, Jul 24, 2013 at 2:01 PM, Breno Silva <bre...@gm...> wrote:
>
> Ben,
>
> I can try it here. I already installed mod_ruid2. Could you please send me
> your mod_ruid2 config? Then I can reproduce.
>
> Thanks
>
> On Wed, Jul 24, 2013 at 1:53 PM, Ben Empson <be...@ar...> wrote:
>
> Hi Breno, OK thanks for that. FYI I’m on holiday from tomorrow until 12
> August, I don’t think I’ll get time to look at this before that. I will do
> the update to 2.7.5 ASAP on my return.
>
> Thanks for your help, I’ll also feedback to the mod_ruid2 dev that you
> already use ap_hook_log_transaction().
>
> *From:* Breno Silva [mailto:bre...@gm...]
> *Sent:* 24 July 2013 18:48
> *To:* mod-security-developers
> *Subject:* Re: [Mod-security-developers] Compatibility with mod_ruid2
>
> Ben,
>
> Please download the 2.7.5 candidate tarball:
> https://www.modsecurity.org/tarball/2.7.4/modsecurity-apache_2.7.5.tar.gz
>
> I will send you a code for testing.
>
> We already use ap_hook_log_transaction for logging phase.
>
> Thanks
>
> Breno
>
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
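
Added example, not part of the thread and not ModSecurity or mod_ruid2 code: a shell check of a concurrent audit-log tree against the 770 idea mentioned above. It assumes every vhost user belongs to one shared group; the function names are hypothetical and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper names): check a ModSecurity concurrent
# audit-log tree against a group-only 0770 model.
# Assumption: every vhost user is a member of one shared group.

# Entries any local user can write to, as produced by the 0777 modes.
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Directories where another member of the shared group could not create
# its log file (group read, write or search bit missing).
dirs_not_group_writable() {
    find "$1" -type d ! -perm -0070 -print
}

# Number of distinct owning GIDs in the tree (field 4 of `ls -ldn`).
distinct_groups() {
    find "$1" -exec ls -ldn {} + | awk '{print $4}' | sort -u | wc -l | tr -d ' '
}

# 0 = fits the model, 1 = world-writable entry found,
# 2 = directory not group-writable, 3 = more than one owning group.
audit_tree() {
    [ -z "$(world_writable "$1")" ] || return 1
    [ -z "$(dirs_not_group_writable "$1")" ] || return 2
    [ "$(distinct_groups "$1")" -eq 1 ] || return 3
    return 0
}

# Constructed sample tree shaped like the listing in the thread; $1 = mode.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/20130725/20130725-0502"
    : > "$root/20130725/20130725-0502/20130725-050221-SAMPLE"
    chmod -R "$1" "$root"
    printf '%s\n' "$root"
}

# Audit the directory given as $1, or the constructed 0777 sample.
tree=${1:-$(make_sample_tree 0777)}
rc=0
audit_tree "$tree" || rc=$?
echo "audit_tree $tree -> $rc"
```

Return code 3 is the one to watch where each account has its own group, as in the `RUidGid {user} {group}` setup quoted above, since a group-only mode depends on a group the vhost users have in common.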