Re: [mod-security-users] mod-security, SecChroot & suexec
From: Jinn K. <mod...@ma...> - 2005-10-17 21:45:18
Hi Ivan,

Thanks for your response. I have tried copying the /etc/passwd, /etc/group and /etc/shadow files into the jail with no luck - still the same error.

Thanks for the link to the upcoming O'Reilly Apache security book. I am considering this approach as a last resort, however I would ideally like to achieve the chroot without having to put all of Apache2 into the jail.

The only point I still don't understand is why the perl script doesn't receive the user_id when it's in the jail without suexec. This leads me to believe that it may have something to do with why suexec doesn't like the CGI executing either.

Any ideas?

Jinn

Ivan Ristic wrote:
> Jinn Koriech wrote:
>
>> Hi all,
>>
>> Trying to get Apache2 running with mod-security-1.8.7 and suexec in a
>> chroot jail on Debian Sarge. From the changelog it appears this
>> should be possible. Other than that I haven't managed to find any
>> notes on how to achieve this on google. Hopefully modsecurity is the
>> place to ask this question?
>
> Yes, it is.
>
> It is challenging to use the mod_security chroot facility to
> create a jail that will be used as a "birth place" for new
> processes. Depending on the CGI script you may find that you
> need to copy certain shared libraries into the jail. Once
> you start doing that the "mod_security chroot magic" starts
> to wear off.
>
>> I have tested this testenv script from TWiki in 3 scenarios. I am
>> trying to keep my general configs reasonably simple for now until I
>> get it working.
>>
>> 1. Apache2 with suexec. No chroot. Everything works fine.
>>
>> 2. Apache2 with SecChrootDir. No suexec. Works fine, but the script
>> doesn't appear to see the UID it is running as.
>>
>> 3. Apache2 with SecChrootDir plus suexec. The request generates a
>> 500 error and the only logs apparent are:
>
> I think you are experiencing these problems because the user and
> group files (/etc/passwd and /etc/group) are not available from
> within the jail. Try copying them into the jail. (After you copy
> them you can strip away most of the user information, leave only
> information suexec needs.)
>
> BTW, a detailed, step-by-step chrooting guide is available at
> the address below, should you need it:
>
> http://www.apachesecurity.net/download/apachesecurity-ch02.pdf
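
One way to do the stripping suggested in the quoted reply, as an added example that is not part of the original thread: it filters passwd and group data down to the accounts the jail needs and never copies a password hash. The account names, ids and sample data are constructed, and keeping only name, UID, GID, home and shell (plus each account's primary group) is an assumption about what suexec looks up.

```shell
#!/bin/sh
# Added example: build minimal passwd/group content for a chroot jail.
# Sample data is constructed; user names and ids are hypothetical.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
jinn:x:1000:1000:Jinn K,,,:/home/jinn:/bin/bash
alice:x:1001:1001:Alice,,,:/home/alice:/bin/bash'

SAMPLE_GROUP='root:x:0:
www-data:x:33:
jinn:x:1000:
alice:x:1001:jinn
staff:x:50:alice,jinn'

# minimal_passwd "user1 user2" < passwd
# Keeps only the named accounts, blanks the GECOS field and forces the
# password field to "x" so no hash can end up inside the jail.
minimal_passwd() {
    awk -F: -v OFS=: -v keep="$1" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        ($1 in want) { $2 = "x"; $5 = ""; print }'
}

# primary_gids < passwd : unique primary GIDs, space separated.
primary_gids() {
    awk -F: '!seen[$4]++ { printf "%s%s", sep, $4; sep = " " }'
}

# minimal_group "gid1 gid2" < group
# Keeps only groups whose GID is listed. Assumption: supplementary
# memberships in other groups (e.g. staff) are not carried over.
minimal_group() {
    awk -F: -v OFS=: -v keep="$1" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        ($3 in want) { $2 = "x"; print }'
}

# build_jail_files "users": prints the passwd lines, "--", then group lines.
build_jail_files() {
    pw=$(printf '%s\n' "$SAMPLE_PASSWD" | minimal_passwd "$1")
    gids=$(printf '%s\n' "$pw" | primary_gids)
    printf '%s\n--\n' "$pw"
    printf '%s\n' "$SAMPLE_GROUP" | minimal_group "$gids"
}

build_jail_files "www-data jinn"
```

On a real system the two filters would read the host's /etc/passwd and /etc/group and write to the matching paths under the jail directory; /etc/shadow is deliberately left out.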