Re: [mod-security-users] chroot with modsecurity 2.7.4 on ubuntu
From: Walter H. <mo...@sp...> - 2014-03-16 15:09:35
Many challenges that come with a chroot setup are described on the mod_chroot page: http://core.segfault.pl/~hobbit/mod_chroot/caveats.html

It’s a good idea to create symlinks for pid files, so the service commands will correctly work outside the chroot. Graceful reloads don’t seem trivially possible, so I’d just do a hard restart instead (service apache2 restart works normally). Other scripts and people can generally be hacked to work with this. For instance, you might want to edit /etc/logrotate.d/apache2, and create your own apachectl shell script in the PATH which replaces a ‘reload’ or ‘graceful’ action with ‘restart’.

There is some trial-and-error involved in creating a good chroot that can run all web applications. To prevent a maintenance headache I would recommend using a tool like Puppet or Chef to automatically set up chroot environments.

> I'm trying to enable a chroot with modsecurity 2.7.4 but I'm running into the problem that sometimes apache2 looks for config files inside the jail and sometimes outside.
>
> First I couldn't stop apache2 ("sudo service apache2 stop") because it couldn't find the apache2.pid file. I solved this by creating a symbolic link from the location outside the jail where scripts expected the file to the location inside the jail where the file was actually created.
>
> sudo ln -s /var/jail/var/run/apache2 /var/run/apache2
>
> Next problem is that I can't reload apache2 gracefully. When I "sudo service apache2 reload" then apache2 fails to find its apache2.conf file. I tried solving it by linking from inside the jail to the config outside, but apache2 thinks there are loops in my symbolic links this way, and since apache2.conf includes lots of other files it doesn't seem viable.
>
> Is there any way I can enable modsecurity without moving files from the original ubuntu packages? I can't mess up the packages because of constraints in our support agreement and because our hosting company patches software regularly using the official packages.
-- Walter Hop | wa...@li... | PGP key: https://lifeforms.nl/pgp |
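The apachectl wrapper Walter suggests, written out as an added example (it is not code from the thread or from the ModSecurity project). It maps the 'reload' and 'graceful' actions a chrooted httpd cannot complete onto 'restart' and hands everything else to the real control script untouched. The wrapper's install location (/usr/local/sbin, ahead of /usr/sbin in PATH), the real binary's path (/usr/sbin/apachectl) and the name the Ubuntu init script actually invokes (apachectl vs. apache2ctl) are assumptions to verify on your own host before relying on it.

```shell
#!/bin/sh
# Hypothetical /usr/local/sbin/apachectl for a chrooted Apache (added example).
# Assumption: the distribution's real control script is /usr/sbin/apachectl;
# override with REAL_APACHECTL=/path if your system differs.
REAL_APACHECTL="${REAL_APACHECTL:-/usr/sbin/apachectl}"

# map_action: a chrooted httpd cannot re-read its config on reload/graceful
# (it resolves paths inside the jail), so those become a full restart.
# Every other action (start, stop, status, configtest, ...) passes through.
map_action() {
    case "$1" in
        reload|graceful) echo restart ;;
        *)               echo "$1" ;;
    esac
}

# Only act when invoked with an action; sourcing the file defines the
# function without touching the service.
if [ "$#" -gt 0 ]; then
    action=$(map_action "$1")
    shift
    # Replace this shell with the real control script so exit status and
    # signals propagate unchanged to the init script that called us.
    exec "$REAL_APACHECTL" "$action" "$@"
fi
```

Because a restart is a full stop/start, in-flight requests are dropped, which is the trade-off Walter describes; pair the wrapper with the pid-file symlink so that 'stop' and 'status' find the process. The wrapper only rewrites the first argument, so extra apachectl options after the action still reach the real script.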