Re: [Mod-security-developers] Compatibility with mod_ruid2
From: Breno S. <bre...@gm...> - 2013-07-25 13:53:58
Ok Ben, that would help. If you can set up a devel box that reproduces your env and then give me remote access, I can try to do the same thing I did from my side.

Thanks

Breno

On Thu, Jul 25, 2013 at 10:49 AM, Ben Empson <be...@ar...> wrote:

> Hi Breno, hmm that’s strange. Could you try with a user who is not nobody? Are you trying this with the 2.7.5 beta? I think we’re still on 2.7.3. I’m not sure if that could be affecting things?
>
> I’m definitely not the only one with this problem: see https://www.atomicorp.com/wiki/index.php/Atomicorp_WAF_Rules_Troubleshooting#Failed_to_create_subdirectories
>
> According to AtomiCorp it’s impossible to do this, they claim it’s a bug in mod_ruid2.
>
> I have tried this on at least 3 different servers, I’ve not been able to make it work on any, and I’ve spent many hours trying. As I mentioned before, since Modsecurity is being packaged up by EasyApache, I don’t have documentation on how to upgrade outside of that ecosystem.
>
> I see that Modsecurity 2.7.4 is available in EasyApache now but upgrading involves a recompile of the whole of Apache which takes a while and isn’t something I can do on production servers at will!
>
> Unfortunately (or fortunately, depending on how you see it!), I’ve got to drop this now to wrap up other work before I go on holiday tomorrow. I’m afraid I’ll have to pick this up again after the 15th August. Many thanks for your help up until now, it’s much appreciated! When I get back I’m happy to spin up a development server and give you root access so that we can try and narrow this down.
>
> Regards, Ben
>
> *From:* Breno Silva [mailto:bre...@gm...]
> *Sent:* 25 July 2013 14:07
> *To:* mod-security-developers
> *Subject:* Re: [Mod-security-developers] Compatibility with mod_ruid2
>
> Hello Ben,
>
> I think it is working.
> Now I set two vhosts, one for user: brenosilva and one for user: nobody
>
> Then I submit two requests:
>
> root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/*
> total 16
> 196266 4 drwxrwxrwx 2 nobody www-data 4096 2013-07-25 05:02 .
> 196265 4 drwxrwxrwx 3 nobody www-data 4096 2013-07-25 05:02 ..
> 142051 4 -rwxrwxrwx 1 nobody www-data 1658 2013-07-25 05:02 20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
> 172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA
>
> root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/20130725-0502/20130725-0502*
> 142051 4 -rwxrwxrwx 1 nobody www-data 1658 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
> 172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA
>
> Audit log files were created for both users. No permission denied errors. Can you try to reproduce at least this test?
>
> Breno
>
> On Thu, Jul 25, 2013 at 4:53 AM, Ben Empson <be...@ar...> wrote:
>
> Hi Breno, here’s my configs:
>
> mod_ruid2.conf:
>
> <IfModule mod_ruid2.c>
> RMode config
> RDefaultUidGid nobody nobody
> RUidGid nobody nobody
> </IfModule>
>
> httpd.conf
>
> Every virtual host has the following block (obviously with the actual user / group).
> User and group always have the same name which is the cPanel account name:
>
> <IfModule mod_ruid2.c>
> RMode config
> RUidGid {user} {group}
> </IfModule>
>
> modsecurity2.user.conf
>
> SecPcreMatchLimit 50000
> SecPcreMatchLimitRecursion 50000
> SecAuditLogType Concurrent
> SecRequestBodyAccess On
> SecResponseBodyAccess On
> SecResponseBodyMimeType (null) text/html text/plain text/xml
> SecResponseBodyLimit 20621440
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> SecServerSignature Apache
> SecUploadDir /var/asl/data/suspicious
> SecUploadKeepFiles Off
> SecAuditLogParts ABIFHZ
> SecArgumentSeparator "&"
> SecCookieFormat 0
> SecRequestBodyLimit 20621440
> SecRequestBodyInMemoryLimit 2062144
> SecDataDir /var/asl/data/msa
> SecTmpDir /tmp
> SecAuditLogStorageDir /var/asl/data/audit
> SecResponseBodyLimitAction ProcessPartial
>
> SecAuditLogDirMode 0777
> SecAuditLogFileMode 0777
>
> Include /usr/local/apache/conf/modsec_rules/*asl*.conf
> Include /usr/local/apache/conf/modsec2.whitelist.conf #this file is empty
>
> I’m not sure you’re testing the same thing as me. You will need to have at least 2 virtual hosts, and you will need to call them in such a way that ModSecurity will generate an audit log in the same minute. It’s only under these conditions that the permissions problem arises, otherwise new directories and logs are simply created by a single user and there’s no problem. Obviously on a busy server these conditions are easily met.
>
> *From:* Breno Silva [mailto:bre...@gm...]
> *Sent:* 24 July 2013 20:17
> *To:* mod-security-developers
> *Subject:* Re: [Mod-security-developers] Compatibility with mod_ruid2
>
> Hello Ben,
>
> This is what I'm trying to do as a test.
> Let me know if the config is similar on your side:
>
> httpd.conf:
>
> Rmode config
> RuidGid www-data www-data
> Rgroups brenosilva
>
> virtual-host.conf:
>
> RuidGid brenosilva www-data
> and
> RuidGid www-data www-data
>
> modsecurity.conf:
>
> SecAuditLogDirMode 0777
> SecAuditLogFileMode 0777
> SecAuditLogStorageDir /var/log/apache2
>
> Then I set umask 000 during apache runtime
>
> ls -lisa /var/log/apache2/*
> 196265 4 drwxrwxrwx 4 brenosilva www-data 4096 2013-07-22 23:25 .
> 188049 4 drwxrwxrwx 3 root root 4096 2013-07-22 23:24 ..
> 196266 4 drwxrwxrwx 2 brenosilva www-data 4096 2013-07-22 23:24 20130722-2324
> 196267 4 drwxrwxrwx 2 www-data www-data 4096 2013-07-22 23:25 20130722-2325
>
> No more permission denied errors. For sure 777 is not the best solution :) .... but I think it is possible to do the same concept using 770 permission.
>
> Breno
>
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
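
Added example, not part of the original thread and not ModSecurity code: a check over a concurrent audit-log tree that flags world-writable entries (what the 0777 settings produce) and directories a shared group cannot create entries in (the condition behind the permission errors). It assumes directories are created with an ordinary mkdir that the process umask applies to, which is why the thread sets umask 000; the function names and the demo tree are constructed for illustration.

```python
import os
import stat
import tempfile


def create_dir(path, requested_mode, umask):
    """mkdir under a given umask; return the mode the directory really got."""
    old = os.umask(umask)
    try:
        os.mkdir(path, requested_mode)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode) & 0o777


def audit_storage_dir(root):
    """Return (relative path, finding) pairs for everything below root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames) + sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, root)
            # Any local account can tamper with or plant audit logs here.
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            # A second vhost user sharing the group needs g+rwx to add
            # its own file or subdirectory within the same minute.
            if stat.S_ISDIR(st.st_mode) and (mode & 0o070) != 0o070:
                findings.append((rel, "group-cannot-create-entries"))
    return findings


def build_demo_tree():
    """Constructed sample tree shaped like the thread's per-minute layout."""
    root = tempfile.mkdtemp(prefix="auditlog-demo-")
    day = os.path.join(root, "20130725")
    create_dir(day, 0o770, 0o000)                                  # shared group, no world access
    create_dir(os.path.join(day, "20130725-0502"), 0o777, 0o000)   # the thread's 0777 test setup
    create_dir(os.path.join(day, "20130725-0503"), 0o770, 0o022)   # default umask strips g+w
    return root


if __name__ == "__main__":
    for rel, finding in audit_storage_dir(build_demo_tree()):
        print(f"{finding:28} {rel}")
```

Pointing `audit_storage_dir` at the configured `SecAuditLogStorageDir` shows which per-minute directories would block a second vhost user and which are open to every local account.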