Re: [Mod-security-developers] Compatibility with mod_ruid2
From: Ben E. <be...@ar...> - 2013-07-25 13:49:56

Hi Breno,

hmm that's strange. Could you try with a user who is not nobody? Are you trying this with the 2.7.5 beta? I think we're still on 2.7.3. I'm not sure if that could be affecting things?

I'm definitely not the only one with this problem: see https://www.atomicorp.com/wiki/index.php/Atomicorp_WAF_Rules_Troubleshooting#Failed_to_create_subdirectories

According to Atomicorp it's impossible to do this, they claim it's a bug in mod_ruid2. I have tried this on at least 3 different servers, I've not been able to make it work on any, and I've spent many hours trying.

As I mentioned before, since ModSecurity is being packaged up by EasyApache, I don't have documentation on how to upgrade outside of that ecosystem. I see that ModSecurity 2.7.4 is available in EasyApache now but upgrading involves a recompile of the whole of Apache which takes a while and isn't something I can do on production servers at will!

Unfortunately (or fortunately, depending on how you see it!), I've got to drop this now to wrap up other work before I go on holiday tomorrow. I'm afraid I'll have to pick this up again after the 15th August.

Many thanks for your help up until now, it's much appreciated! When I get back I'm happy to spin up a development server and give you root access so that we can try and narrow this down.

Regards,
Ben

From: Breno Silva [mailto:bre...@gm...]
Sent: 25 July 2013 14:07
To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

Hello Ben,

I think it is working. Now I set two vhosts, one for user: brenosilva and one for user: nobody.

Then I submit two requests:

    root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/*
    total 16
    196266 4 drwxrwxrwx 2 nobody www-data 4096 2013-07-25 05:02 .
    196265 4 drwxrwxrwx 3 nobody www-data 4096 2013-07-25 05:02 ..
    142051 4 -rwxrwxrwx 1 nobody www-data 1658 2013-07-25 05:02 20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
    172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA

    root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/20130725-0502/20130725-0502*
    142051 4 -rwxrwxrwx 1 nobody www-data 1658 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
    172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA

Audit log files were created for both users. No permission denied errors.

Can you try to reproduce at least this test?

Breno

On Thu, Jul 25, 2013 at 4:53 AM, Ben Empson <be...@ar...> wrote:

Hi Breno,

here's my configs:

mod_ruid2.conf:

    <IfModule mod_ruid2.c>
    RMode config
    RDefaultUidGid nobody nobody
    RUidGid nobody nobody
    </IfModule>

httpd.conf

Every virtual host has the following block (obviously with the actual user / group).
User and group always have the same name which is the cPanel account name:

    <IfModule mod_ruid2.c>
    RMode config
    RUidGid {user} {group}
    </IfModule>

modsecurity2.user.conf

    SecPcreMatchLimit 50000
    SecPcreMatchLimitRecursion 50000
    SecAuditLogType Concurrent
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 20621440
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecServerSignature Apache
    SecUploadDir /var/asl/data/suspicious
    SecUploadKeepFiles Off
    SecAuditLogParts ABIFHZ
    SecArgumentSeparator "&"
    SecCookieFormat 0
    SecRequestBodyLimit 20621440
    SecRequestBodyInMemoryLimit 2062144
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit
    SecResponseBodyLimitAction ProcessPartial
    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0777
    Include /usr/local/apache/conf/modsec_rules/*asl*.conf
    Include /usr/local/apache/conf/modsec2.whitelist.conf #this file is empty

I'm not sure you're testing the same thing as me. You will need to have at least 2 virtual hosts, and you will need to call them in such a way that ModSecurity will generate an audit log in the same minute. It's only under these conditions that the permissions problem arises, otherwise new directories and logs are simply created by a single user and there's no problem. Obviously on a busy server these conditions are easily met.

From: Breno Silva [mailto:bre...@gm...]
Sent: 24 July 2013 20:17
To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

Hello Ben,

This is what I'm trying to do as a test.
Let me know if the config is similar on your side:

httpd.conf:

    Rmode config
    RuidGid www-data www-data
    Rgroups brenosilva

virtual-host.conf:

    RuidGid brenosilva www-data

and

    RuidGid www-data www-data

modsecurity.conf:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0777
    SecAuditLogStorageDir /var/log/apache2

Then I set umask 000 during Apache runtime.

    ls -lisa /var/log/apache2/*
    196265 4 drwxrwxrwx 4 brenosilva www-data 4096 2013-07-22 23:25 .
    188049 4 drwxrwxrwx 3 root root 4096 2013-07-22 23:24 ..
    196266 4 drwxrwxrwx 2 brenosilva www-data 4096 2013-07-22 23:24 20130722-2324
    196267 4 drwxrwxrwx 2 www-data www-data 4096 2013-07-22 23:25 20130722-2325

No more permission denied errors. For sure 777 is not the best solution :) .... but I think it is possible to do the same concept using 770 permission.

Breno
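
Added example (not part of the original thread, and not ModSecurity or mod_ruid2 code): a small model of the permission check behind the "same minute" failure Ben describes and the 0777 / 0770 options Breno raises, run against both group layouts shown in the configs. It assumes the per-minute directories get mkdir(2) semantics (requested mode masked by the umask); the uids, gids, account names and the 022 umask are constructed sample values.

```python
# Added model of the thread's scenario; not ModSecurity or mod_ruid2 code.
# Assumption: the date/minute directories are created with mkdir(2) semantics,
# so the effective mode is requested_mode & ~umask. All ids are constructed.
from collections import namedtuple

Identity = namedtuple("Identity", "name uid gid groups")  # groups: extra gids
Directory = namedtuple("Directory", "uid gid mode")

def create_dir(creator, requested_mode, umask):
    """Directory as created by whichever vhost user logs first in a minute."""
    return Directory(creator.uid, creator.gid, requested_mode & ~umask & 0o777)

def can_write_into(user, d):
    """POSIX rule: adding an entry needs write+search (w+x) on the directory.
    Only the first matching class (owner, group, other) is consulted."""
    if user.uid == d.uid:
        bits = d.mode >> 6
    elif d.gid == user.gid or d.gid in user.groups:
        bits = d.mode >> 3
    else:
        bits = d.mode
    return (bits & 0o3) == 0o3

def evaluate(first, second, outsider, requested_mode, umask):
    """Return (effective mode, second vhost can log, unrelated user can write)."""
    d = create_dir(first, requested_mode, umask)
    return oct(d.mode), can_write_into(second, d), can_write_into(outsider, d)

WWW = 33  # constructed gid standing in for a shared group such as www-data
# Layout as in Breno's test: different users, same group.
shared_a = Identity("site_a", 1001, WWW, ())
shared_b = Identity("site_b", 1002, WWW, ())
# Layout as in Ben's config: each account has its own same-named group.
own_a = Identity("site_a", 1001, 1001, ())
own_b = Identity("site_b", 1002, 1002, ())
local = Identity("local_user", 1003, 1003, ())  # unrelated local account

if __name__ == "__main__":
    for label, a, b, mode, umask in [
        ("0777, umask 022, shared group", shared_a, shared_b, 0o777, 0o022),
        ("0777, umask 000, shared group", shared_a, shared_b, 0o777, 0o000),
        ("0770, umask 000, shared group", shared_a, shared_b, 0o770, 0o000),
        ("0770, umask 000, own groups", own_a, own_b, 0o770, 0o000),
    ]:
        print(label, evaluate(a, b, local, mode, umask))
```

In this model 0770 keeps unrelated local accounts out only when the vhost users share the directory's group; with one group per account the second vhost is denied again.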