Re: [Mod-security-developers] Compatibility with mod_ruid2
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [Mod-security-developers] Compatibility with mod_ruid2
|
From: Breno S. <bre...@gm...> - 2013-07-25 12:07:03
|
Hello Ben,
I think it it working. Now i set two vhosts one for user: brenosilva and
one for user : nobody
Then i submit two requests:
root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/*
total 16
196266 4 drwxrwxrwx 2 nobody www-data 4096 2013-07-25 05:02 .
196265 4 drwxrwxrwx 3 nobody www-data 4096 2013-07-25 05:02 ..
142051 4 -rwxrwxrwx 1 nobody www-data 1658 2013-07-25 05:02
20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02
20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA
root@ubuntu:/home/brenosilva# ls -lisa
/var/log/apache2/20130725/20130725-0502/20130725-0502*
142051 4 -rwxrwxrwx 1 nobody www-data 1658 2013-07-25 05:02
/var/log/apache2/20130725/20130725-0502/20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02
/var/log/apache2/20130725/20130725-0502/20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA
Audit log files were create for both users. No permission denied errors.
Can you tru reproduce at least this test?
Breno
On Thu, Jul 25, 2013 at 4:53 AM, Ben Empson <be...@ar...> wrote:
> Hi Breno, here’s my configs:****
>
> ** **
>
> mod_ruid2.conf:****
>
> <IfModule mod_ruid2.c>****
>
> RMode config****
>
> RDefaultUidGid nobody nobody****
>
> RUidGid nobody nobody****
>
> </IfModule>****
>
> ** **
>
> httpd.conf****
>
> Every virtual host has the following block (obviously with the actual user
> / group). User and group always have the same name which is the cPanel
> account name:****
>
> <IfModule mod_ruid2.c>****
>
> RMode config****
>
> RUidGid {user} {group}****
>
> </IfModule>****
>
> ** **
>
> modsecurity2.user.conf****
>
> SecPcreMatchLimit 50000****
>
> SecPcreMatchLimitRecursion 50000****
>
> SecAuditLogType Concurrent****
>
> SecRequestBodyAccess On****
>
> SecResponseBodyAccess On****
>
> SecResponseBodyMimeType (null) text/html text/plain text/xml****
>
> SecResponseBodyLimit 20621440****
>
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"****
>
> SecServerSignature Apache****
>
> SecUploadDir /var/asl/data/suspicious****
>
> SecUploadKeepFiles Off****
>
> SecAuditLogParts ABIFHZ****
>
> SecArgumentSeparator "&" ****
>
> SecCookieFormat 0****
>
> SecRequestBodyLimit 20621440****
>
> SecRequestBodyInMemoryLimit 2062144****
>
> SecDataDir /var/asl/data/msa****
>
> SecTmpDir /tmp****
>
> SecAuditLogStorageDir /var/asl/data/audit****
>
> SecResponseBodyLimitAction ProcessPartial****
>
> ** **
>
> SecAuditLogDirMode 0777****
>
> SecAuditLogFileMode 0777****
>
> ** **
>
> Include /usr/local/apache/conf/modsec_rules/*asl*.conf****
>
> Include /usr/local/apache/conf/modsec2.whitelist.conf #this file is empty*
> ***
>
> ** **
>
> ** **
>
> I’m not sure you’re testing the same thing as me. You will need to have at
> least 2 virtual hosts, and you will need to call them in such a way that
> ModSecurity will generate an audit log in the same minute. It’s only under
> these conditions that the permissions problem arises, otherwise new
> directories and logs are simply created by a single user and there’s no
> problem. Obviously on a busy server these conditions are easily met.****
>
> ** **
>
> *From:* Breno Silva [mailto:bre...@gm...]
> *Sent:* 24 July 2013 20:17
>
> *To:* mod-security-developers
> *Subject:* Re: [Mod-security-developers] Compatibility with mod_ruid2****
>
> ** **
>
> Hello Ben,****
>
> ** **
>
> This is what i'm trying to do as a test. Let me know if the config is
> similar is your side:****
>
> ** **
>
> httpd.conf:****
>
> Rmode config****
>
> RuidGid www-data www-data****
>
> Rgroups brenosilva****
>
> ** **
>
> virtual-host.conf:****
>
> RuidGid brenosilva www-data****
>
> and****
>
> RuidGid www-data www-data****
>
> ** **
>
> modsecurity.conf:****
>
> SecAuditLogDirMode 0777****
>
> SecAuditLogFileMode 0777****
>
> SecAuditLogStorageDir /var/log/apache2****
>
> ** **
>
> then i set umask 000 during apache runtime****
>
> ** **
>
> ls -lisa /var/log/apache2/*****
>
> 196265 4 drwxrwxrwx 4 brenosilva www-data 4096 2013-07-22 23:25 .****
>
> 188049 4 drwxrwxrwx 3 root root 4096 2013-07-22 23:24 ..****
>
> 196266 4 drwxrwxrwx 2 brenosilva www-data 4096 2013-07-22 23:24
> 20130722-2324****
>
> 196267 4 drwxrwxrwx 2 www-data www-data 4096 2013-07-22 23:25
> 20130722-2325****
>
> ** **
>
> No more permission denied errors. For sure 777 is not the best solution :)
> .... but i think is possible to do the same concept using 770 permission.*
> ***
>
> ** **
>
> Breno****
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
> On Wed, Jul 24, 2013 at 2:01 PM, Breno Silva <bre...@gm...>
> wrote:****
>
> Ben,****
>
> ** **
>
> I can try it here. I already installed mod_ruid2. Could you please send me
> your mod_ruid2 config ? Then i can reproduce.****
>
> ** **
>
> Thanks****
>
> ** **
>
> On Wed, Jul 24, 2013 at 1:53 PM, Ben Empson <be...@ar...> wrote:****
>
> Hi Breno, OK thanks for that. FYI I’m on holiday from tomorrow until 12
> August, I don’t think I’ll get time to look at this before that. I will do
> the update to 2.7.5 ASAP on my return.****
>
> ****
>
> Thanks for your help, I’ll also feedback to the mod_ruid2 dev that you
> already use ap_hook_log_transaction().****
>
> ****
>
> *From:* Breno Silva [mailto:bre...@gm...]
> *Sent:* 24 July 2013 18:48****
>
>
> *To:* mod-security-developers
> *Subject:* Re: [Mod-security-developers] Compatibility with mod_ruid2****
>
> ****
>
> Ben,****
>
> ****
>
> Please download the 2.7.5 candidate tarball:
> https://www.modsecurity.org/tarball/2.7.4/modsecurity-apache_2.7.5.tar.gz*
> ***
>
> ****
>
> I will send you a code for testing.****
>
> ****
>
> We already use ap_hook_log_transaction for logging phase. ****
>
> ****
>
> Thanks****
>
> ****
>
> Breno****
>
> ****
>
> ** **
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>
|