Re: [mod-security-users] SecChrootDir & Apache Debug Mode
From: Ivan R. <iv...@we...> - 2005-07-11 12:22:30
Dan wrote:
>
> I have an Apache 2.0.54 compiled with mod_security 1.8.7 and I'm using
> SecChrootDir. I'm trying to figure out why my PHP exec() call is
> failing by using strace.

That's probably because you have no /bin/sh in the jail. PHP requires it.
In general, the internal chroot mechanism is unlikely to be good enough
if you have a need to execute external binaries. In such cases you are
much better off creating a proper jail.

> To run strace I'm starting Apache in debug
> mode (-X) like below:
>
> strace /usr/local/apache2/bin/httpd -X
>
> However, SecChrootDir seems to have a problem when I start Apache in
> debug mode. I get the following error in the log.
>
> [emerg] mod_security: chroot requested but not completed! Exiting.
>
> This makes it slightly difficult to check my PHP script's exec() with
> strace while in jail. Is this a known problem? Are there any
> workarounds or alternative methods to get the debugging information I'm after?

You are right, strace breaks the way the internal chroot mechanism
works. However, that is only true in 1.8.x. I have been planning to
make some changes to the internal chroot mechanism in 1.9 and, prompted
by your email, I made them today. As a side effect of these changes
strace will work with 1.9.x.

Try this (for testing only, *not* for production systems):

http://cvs.sourceforge.net/viewcvs.py/*checkout*/mod-security/mod_security/apache2/mod_security.c

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
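
Added example, not part of the original message or of mod_security: a shell check for the condition the reply describes, listing what a binary such as /bin/sh needs that a chroot directory lacks. The function names and the jail path in the usage comment are assumptions, and the script relies on the host's `ldd` to find shared libraries.

```shell
#!/bin/sh
# Added example: report files a chroot jail lacks for a given binary to run.
# Function names and the jail path used below are assumptions, not from the
# original message.

# Print the absolute paths of the shared objects a binary needs,
# as resolved by ldd on the host (empty for a static binary).
needed_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }   # libfoo.so => /lib/libfoo.so (0x...)
        $1 ~ /^\//               { print $1 }   # /lib64/ld-linux-x86-64.so.2 (0x...)
    '
}

# jail_missing JAIL BINARY
# Print each path (the binary itself or one of its libraries) that does not
# exist under JAIL. Returns 0 when nothing is missing, 1 otherwise.
jail_missing() {
    jail=$1
    bin=$2
    missing=0
    for path in "$bin" $(needed_libs "$bin"); do
        if [ ! -e "$jail$path" ]; then
            echo "$path"
            missing=1
        fi
    done
    return $missing
}

# Usage (constructed path): jail_missing /chroot/apache /bin/sh
```

The same check applies to whatever program the PHP script passes to exec(), since that binary and its libraries must also exist inside the jail.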