Re: [mod-security-users] mod-security, SecChroot & suexec
From: Ivan R. <iv...@we...> - 2005-10-17 19:43:49
Jinn Koriech wrote:
> Hi all,
>
> Trying to get Apache2 running with mod-security-1.8.7 and suexec in a
> chroot jail on Debian Sarge. From the changelog it appears this should
> be possible. Other than that I haven't managed to find any notes on how
> to achieve this on google. Hopefully modsecurity is the place to ask
> this question?

Yes, it is.

It is challenging to use the mod_security chroot facility to create a jail that will be used as a "birth place" for new processes. Depending on the CGI script you may find that you need to copy certain shared libraries into the jail. Once you start doing that the "mod_security chroot magic" starts to wear off.

> I have tested this testenv script from TWiki in 3 scenarios. I am
> trying to keep my general configs reasonably simple for now until I get
> it working.
>
> 1. Apache2 with suexec. No chroot. Everything works fine.
>
> 2. Apache2 with SecChrootDir. No suexec. Works fine, but the script
> doesn't appear to see the UID it is running as.
>
> 3. Apache2 with SecChrootDir plus suexec. The request generates a 500
> error and the only logs apparent are:

I think you are experiencing these problems because the user and group files (/etc/passwd and /etc/group) are not available from within the jail. Try copying them into the jail. (After you copy them you can strip away most of the user information, leaving only the information suexec needs.)

BTW, a detailed, step-by-step chrooting guide is available at the address below, should you need it:

http://www.apachesecurity.net/download/apachesecurity-ch02.pdf

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
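Added example, not part of the message above or of mod_security: one way to build the stripped-down /etc/passwd and /etc/group that the reply suggests placing in the jail. The helper name `populate_jail_accounts`, the user names `www-data`, `twiki` and `alice`, and the sample account files are assumptions constructed for illustration.

```shell
#!/bin/sh
# populate_jail_accounts JAIL SRC_PASSWD SRC_GROUP USER...   (hypothetical helper)
# Writes JAIL/etc/passwd and JAIL/etc/group with only the named users and their
# groups. suexec resolves both the web server user and the target user, so list both.
populate_jail_accounts() {
    jail=$1 src_passwd=$2 src_group=$3; shift 3
    users=$(printf '%s,' "$@")
    mkdir -p "$jail/etc" || return 1
    # Keep the requested users only; force the password field to "x" so no
    # hash from an unshadowed source file is copied into the jail.
    awk -F: -v OFS=: -v users="$users" '
        BEGIN { n = split(users, u, ","); for (i = 1; i <= n; i++) if (u[i] != "") want[u[i]] = 1 }
        ($1 in want) { $2 = "x"; print }
    ' "$src_passwd" > "$jail/etc/passwd" || return 1
    gids=$(awk -F: '{ printf "%s,", $4 }' "$jail/etc/passwd")
    # Keep a group if it is a kept user's primary group or lists a kept user;
    # drop every other member name from the member list.
    awk -F: -v OFS=: -v users="$users" -v gids="$gids" '
        BEGIN {
            n = split(users, u, ","); for (i = 1; i <= n; i++) if (u[i] != "") want[u[i]] = 1
            n = split(gids, g, ",");  for (i = 1; i <= n; i++) if (g[i] != "") wantgid[g[i]] = 1
        }
        {
            kept = ""; m = split($4, mem, ",")
            for (i = 1; i <= m; i++) if (mem[i] in want) kept = (kept == "" ? "" : kept ",") mem[i]
            if (($3 in wantgid) || kept != "") { $2 = "x"; $4 = kept; print }
        }
    ' "$src_group" > "$jail/etc/group" || return 1
    chmod 644 "$jail/etc/passwd" "$jail/etc/group"
    # Fail loudly if a requested user was not found in the source file.
    for name in "$@"; do
        awk -F: -v n="$name" '$1 == n { f = 1 } END { exit !f }' "$jail/etc/passwd" ||
            { echo "not in $src_passwd: $name" >&2; return 2; }
    done
}

# Demo on constructed account files (not copies of any real system's files).
demo=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'www-data:x:33:33::/var/www:/bin/sh' \
    'twiki:CONSTRUCTED-HASH:1001:1001::/home/twiki:/bin/sh' \
    'alice:x:1000:1000::/home/alice:/bin/bash' > "$demo/passwd"
printf '%s\n' 'root:x:0:' 'www-data:x:33:' 'staff:x:50:alice,twiki' 'twiki:x:1001:' > "$demo/group"
populate_jail_accounts "$demo/jail" "$demo/passwd" "$demo/group" www-data twiki &&
    cat "$demo/jail/etc/passwd" "$demo/jail/etc/group"
```

Against a real system the source arguments would be /etc/passwd and /etc/group, and the jail path would be the directory given to SecChrootDir.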