Hi Derek,
Make sure you have the file that you want to access inside the chroot directory and your application is looking in the correct path.
More information about SecChrootDir is available here:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecChrootDir
Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Derek Werthmuller <the...@gm...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Friday, August 15, 2014 6:03 PM
To: "mod-security-d." <mod...@li...>
Subject: [Mod-security-developers] phpcurl not working inside a apache SecChrootDir mod_security environment
I use mod_security to add a layer of security for my web servers. All servers are configured with at least SecChrootDir, production edge servers make use of the OWASP rule sets.
We are developing new applications with Google api for php and running into problems with this library running under our development servers that only make use of the SecChrootDir function of mod_security. Even have SecRuleEngine Off to see if that makes a difference.
The particular part of the Google api library that we can't get to work when mod_security SecChrootDir is enabled is the certificate verification process. During this process the php process needs to open a certificate file that is located outside the webroot. We get a vague access denied and/or file not found error for the cert file. The permissions are set on the cert file (a public cert chain file) so that any user on the system can read and execute the file. The function php is using is curl to access the file.
We have verified SELinux is not restricting access to the file, php safe_mode, or PHP open_basedir.
Two solutions could be to:
I suspect that I could put the public cert file in a web accessible location but then I'd need to modify the google api code,
Or link from a webroot location to the true location but prefer not to enable links for the webserver
The version of Mod security is mod_security-2.7.3-3 apache 2.2
Any thoughts, advice? Configuration changes?
Thanks
Derek
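Added example (not part of the original thread, and not ModSecurity code): with SecChrootDir active, every path that PHP or curl opens is resolved relative to the chroot directory, so a file that exists on the host can still be missing for the application, and a symlink whose target lies outside the chroot does not help. The script resolves a path the way the chrooted process would; the function names, the `jail` directory and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Resolve PATH the way a process chrooted into ROOT would (absolute symlinks
# restart at ROOT, ".." cannot climb above it), print the host-side file,
# and return 0 only if it is a readable regular file.
resolve_in_chroot() {
    _root=${1%/} _todo=$2 _cur="" _hops=0
    while [ -n "$_todo" ]; do
        _part=${_todo%%/*}
        case $_todo in */*) _todo=${_todo#*/} ;; *) _todo="" ;; esac
        case $_part in
            ""|.) continue ;;
            ..)   _cur=${_cur%/*}; continue ;;
        esac
        if [ -L "$_root$_cur/$_part" ]; then
            _hops=$((_hops + 1))
            [ "$_hops" -gt 40 ] && return 2          # symlink loop
            _target=$(readlink "$_root$_cur/$_part")
            case $_target in /*) _cur="" ;; esac     # absolute: back to chroot root
            _todo="$_target${_todo:+/$_todo}"
        else
            _cur="$_cur/$_part"
        fi
    done
    [ -f "$_root$_cur" ] && [ -r "$_root$_cur" ] || return 1
    printf '%s\n' "$_root$_cur"
}

# Constructed sample tree: "jail" stands in for the SecChrootDir value.
make_demo_tree() {
    _t=$(mktemp -d) || return 1
    mkdir -p "$_t/jail/etc/pki" "$_t/certs"
    echo "constructed CA bundle" > "$_t/jail/etc/pki/ca.pem"   # inside the chroot
    echo "constructed CA bundle" > "$_t/certs/chain.pem"       # host only
    ln -s /etc/pki/ca.pem "$_t/jail/etc/ca-link.pem"           # target inside
    ln -s ../../certs/chain.pem "$_t/jail/etc/escape.pem"      # target outside
    printf '%s\n' "$_t"
}

tree=$(make_demo_tree)
for p in /etc/pki/ca.pem /etc/ca-link.pem /etc/escape.pem /certs/chain.pem; do
    if host=$(resolve_in_chroot "$tree/jail" "$p"); then
        echo "visible  $p -> $host"
    else
        echo "MISSING  $p (not reachable from inside the chroot)"
    fi
done
rm -rf "$tree"
```

On a real server, call `resolve_in_chroot` with the SecChrootDir value and the exact path the application passes to curl; a non-zero status means the chrooted process cannot open that file.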