Thread: Re: [Mod-security-developers] Compatibility with mod_ruid2
From: Ben E. <be...@ar...> - 2013-07-20 14:19:27
Hi there, is there any chance of getting a response on this? This is a critical issue for all users of mod_ruid2 and ModSecurity...

Regards, Ben

==============================================================================
= Array[x] =
= professional technical outsourcing =
= www.arrayx.co.uk = = be...@ar... =
= t UK: +44 (0)20 8144 9102 =
= t ES: +34 938 021 278 =
= m ES: +34 667 065 397 =
= Paseig Sant Joan 25 3-1, 08010, Barcelona, Spain =

Array[x] and Profitable Web Projects are trademarks of Profitable Web Projects SL of Passeig Sant Joan 25 3-1, 08010 Barcelona, Spain, which is inscribed in the Mercantile Register of Barcelona; Tomo 40322, Folio 59, Hoja B363676, Company registration number B64798101. This message may contain information that is legally privileged, confidential or exempt from disclosure. If you are not an intended recipient or an employee or agent responsible for delivering this message to an intended recipient, please notify us immediately and permanently destroy this message and any copies you may have. Any dissemination or copying of this message by anyone other than the intended recipient is strictly prohibited. Prices exclude taxes and are valid for one month unless otherwise stated.

From: Ben Empson
Sent: 10 July 2013 18:09
To: 'mod...@li...'
Subject: Compatibility with mod_ruid2

Hi there, I'm running mod_ruid 0.9.7 on Apache 2.2 with ModSecurity 2.7.3 and the GotRoot/Atomicorp delayed ruleset, all on cPanel 11.38. I am unable to get ModSecurity to successfully log its activities since mod_ruid is causing audit directories and logs to be created with the username of the running process, and more importantly with permissions for that user only, overriding a specific setting in the ModSecurity conf to create audit folders and logs to be created world-writable.

I have documented my setup here: https://www.atomicorp.com/forum/viewtopic.php?f=15&t=6932&sid=23c91691756075ec7fc5cfe86a6630d1

I also posted this to the mod_ruid2 forums: https://github.com/mind04/mod-ruid2/issues/1

One of the mod_ruid2 developers has suggested that ModSecurity should be using the special ap_hook_log_transaction() hook which would mean in my configuration that ModSecurity would try to write its audit logs as nobody, which would not cause permissions issues.

I did follow the suggestion of the developer in terms of "Maybe you can work around the problem if you make the log directory group writable for apache and add apache to R_Groups for every user." but this did not fix the problem since new log folders are still created without group write permissions.

It seems as though the only possible fix is that ModSecurity uses the ap_hook_log_transaction() hook. It is certain that I'm not the only person suffering this problem: http://www.google.co.uk/search?q=ModSecurity%3A+Audit+log%3A+Failed+to+create+subdirectories&{google:acceptedSuggestion}oq=ModSecurity%3A+Audit+log%3A+Failed+to+create+subdirectories&sourceid=chrome&ie=UTF-8

Is there any chance of this getting fixed / changed?

Regards, Ben
From: Breno S. <bre...@gm...> - 2013-07-20 18:45:59
Hello Ben,

Take a look at how your umask is set. Maybe you need to change it to have the permission you want.

Thanks

Breno

_______________________________________________
mod-security-developers mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php
From: Ben E. <be...@ar...> - 2013-07-21 13:41:36
Hi Breno, thanks for the reply :)

Are you referring to these directives:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0777

?? As you can see they're set up for full perms. However mod_ruid2 is overriding these directives. The mod_ruid2 developer says that if ModSecurity used the ap_hook_log_transaction() hook this would not happen since at the time that hook is called mod_ruid2 has returned the process to the nobody user, as such permissions for nobody would not be an issue.

The mod_ruid2 developer says that this problem is occurring because ModSecurity is not using the ap_hook_log_transaction() hook to write the audit logs, and hence the audit log is being written as the user account relevant to the website being served.

Regards, Ben
From: Breno S. <bre...@gm...> - 2013-07-21 13:58:54
As a test, try setting umask 0000 and check the directory/file permissions. Let me know what happens.

Thanks

Breno
From: Ben E. <be...@ar...> - 2013-07-22 07:07:39
Hi Breno,

I tried:

    SecAuditLogDirMode 0000
    SecAuditLogFileMode 0000

But on Apache restart I got the following error: "ModSecurity: Invalid value for SecAuditLogDirMode: 0000". So I reset these 2 values to 0777.

Then I went to /var/asl/data and did

    umask 0000

However I'm still getting errors in the Apache log: "ModSecurity: Audit log: Failed to create file: /var/asl/data/audit0722/20130722-0756/20130722-075623-UezXl1nIjfEAAHYWJ@oAAAAK (Permission denied)"

Note that the first website to get an error in each minute creates the audit folder and there are logs for that site. However any subsequent requests for other websites (and therefore users) get the error above since they don't have write permissions, e.g.:

    drwxr-xr-x 2 use11 use11 4096 Jul 22 07:55 20130722-0755/
    drwxr-xr-x 2 use22 use22 4096 Jul 22 07:56 20130722-0756/

Regards, Ben
From: Breno S. <bre...@gm...> - 2013-07-22 12:07:45
|
Ben,

You can try to set it into /etc/profile ?
It works for me :

root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130720/20130720-1140/20130720-114050-UerZscCoAGUAAFcXJFcAAAAe
194655 4 -rwxrwxrwx 1 www-data www-data 3342 2013-07-22 11:40 /var/log/apache2/20130722/20130722-1140/20130722-114050-UerZscCoAGUAAFcXJFcAAAAe

On Mon, Jul 22, 2013 at 12:07 AM, Ben Empson <be...@ar...> wrote:

> Hi Breno,
>
> I tried:
>
> SecAuditLogDirMode 0000
> SecAuditLogFileMode 0000
>
> But on Apache restart I got the following error: “ModSecurity: Invalid value for SecAuditLogDirMode: 0000”. So I reset these 2 values to 0777.
>
> Then I went to /var/asl/data and did
>
> umask 0000
>
> However I’m still getting errors in the Apache log: “ModSecurity: Audit log: Failed to create file: /var/asl/data/audit0722/20130722-0756/20130722-075623-UezXl1nIjfEAAHYWJ@oAAAAK (Permission denied)”
>
> Note that the first website to get an error in each minute creates the audit folder and there are logs for that site. However any subsequent requests for other websites (and therefore users) get the error above since they don’t have write permissions, eg:
>
> drwxr-xr-x 2 use11 use11 4096 Jul 22 07:55 20130722-0755/
> drwxr-xr-x 2 use22 use22 4096 Jul 22 07:56 20130722-0756/
>
> Regards, Ben
>
> From: Breno Silva [mailto:bre...@gm...]
> Sent: 21 July 2013 15:59
> To: mod-security-developers
> Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2
>
> Try as a test set umask 0000 and check the directory/file permissions. Let me know what happens
>
> Thanks
>
> Breno
>
> On Sun, Jul 21, 2013 at 6:25 AM, Ben Empson <be...@ar...> wrote:
>
> Hi Breno, thanks for the reply :)
>
> Are you referring to these directives:
>
> SecAuditLogDirMode 0777
> SecAuditLogFileMode 0777
>
> ?? As you can see they’re setup for full perms. However mod_ruid2 is overriding these directives. The mod_ruid2 developer says that if ModSecurity used the ap_hook_log_transaction() hook this would not happen since at the time that hook is called mod_ruid2 has returned the process to the nobody user, as such permissions for nobody would not be an issue.
>
> The mod_ruid2 developer says that this problem is occurring because ModSecurity is not using the ap_hook_log_transaction() hook to write the audit logs, and hence the audit log is being written as the user account relevant to the website being served.
>
> Regards, Ben
>
> From: Breno Silva [mailto:bre...@gm...]
> Sent: 20 July 2013 20:46
> To: mod-security-developers
> Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2
>
> Hello Ben,
>
> Take a look how your umask is set. Maybe you need to change it to have the permission you want.
>
> Thanks
>
> Breno
>
> On Sat, Jul 20, 2013 at 11:04 AM, Ben Empson <be...@ar...> wrote:
>
> Hi there, is there any chance of getting a response on this? This is a critical issue for all users of mod_ruid2 and ModSecurity…
>
> Regards, Ben
>
> From: Ben Empson
> Sent: 10 July 2013 18:09
> To: 'mod...@li...'
> Subject: Compatibility with mod_ruid2
>
> Hi there, I'm running mod_ruid 0.9.7 on Apache 2.2 with ModSecurity 2.7.3 and the GotRoot/Atomicorp delayed ruleset, all on cPanel 11.38. I am unable to get ModSecurity to successfully log its activities since mod_ruid is causing audit directories and logs to be created with the username of the running process, and more importantly with permissions for that user only, overriding a specific setting in the ModSecurity conf to create audit folders and logs to be created world-writable.
>
> I have documented my setup here: https://www.atomicorp.com/forum/viewtopic.php?f=15&t=6932&sid=23c91691756075ec7fc5cfe86a6630d1
>
> I also posted this to the mod_ruid2 forums: https://github.com/mind04/mod-ruid2/issues/1
>
> One of the mod_ruid2 developers has suggested that ModSecurity should be using the special ap_hook_log_transaction() hook which would mean in my configuration that ModSecurity would try to write its audit logs as nobody, which would not cause permissions issues.
>
> I did follow the suggestion of the developer in terms of “Maybe you can work around the problem if you make the log directory group writable for apache and add apache to R_Groups for every user.” but this did not fix the problem since new log folders are still created without group write permissions.
>
> It seems as though the only possible fix is that ModSecurity uses the ap_hook_log_transaction() hook. It is certain that I’m not the only person suffering this problem: http://www.google.co.uk/search?q=ModSecurity%3A+Audit+log%3A+Failed+to+create+subdirectories&{google:acceptedSuggestion}oq=ModSecurity%3A+Audit+log%3A+Failed+to+create+subdirectories&sourceid=chrome&ie=UTF-8
>
> Is there any chance of this getting fixed / changed?
>
> Regards, Ben
|
From: Ben E. <be...@ar...> - 2013-07-24 15:06:46
|
Hi Breno, sorry but I don't understand what you mean by "You can try to set it into /etc/profile ?"

Also, I'm not clear on what you're demonstrating with your example below. Also in my setup logs are created by the first user which tries to log, since that user creates the directory and has permissions on it. However any subsequent users are unable to log to the same directory since they do not have permissions.

Regards, Ben

From: Breno Silva [mailto:bre...@gm...]
Sent: 22 July 2013 14:08
To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

Ben,

You can try to set it into /etc/profile ?
It works for me :

root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130720/20130720-1140/20130720-114050-UerZscCoAGUAAFcXJFcAAAAe
194655 4 -rwxrwxrwx 1 www-data www-data 3342 2013-07-22 11:40 /var/log/apache2/20130722/20130722-1140/20130722-114050-UerZscCoAGUAAFcXJFcAAAAe
|
From: Breno S. <bre...@gm...> - 2013-07-24 16:06:18
|
Hello Ben,

I was looking to your debug info : https://www.atomicorp.com/forum/viewtopic.php?f=15&t=6932&sid=23c91691756075ec7fc5cfe86a6630d1

And looks like you tried to change the file/dir permission using SecAuditLogDirMode and SecAuditLogFileMode.
However it is still being created as 755 permission. It could be related to your umask

So please try to change your umask in your /etc/profile then set above directives as 0777. Start your apache again (make sure your umask has been changed) and let us know what happens with your file/dir permission.

Thanks

Breno

On Wed, Jul 24, 2013 at 12:05 PM, Ben Empson <be...@ar...> wrote:

> Hi Breno, sorry but I don’t understand what you mean by “You can try to set it into /etc/profile ?”
>
> Also, I’m not clear on what you’re demonstrating with your example below. Also in my setup logs are created by the first user which tries to log, since that user creates the directory and has permissions on it. However any subsequent users are unable to log to the same directory since they do not have permissions.
>
> Regards, Ben
|
From: Ben E. <be...@ar...> - 2013-07-24 16:22:53
|
Hi Breno, sorry, this is confusing. You seem to be referring to *my* umask (I'm logging in as root). However, I'm using Apache with mod_ruid2, mod_ruid2 changes the process owner in Apache for each request to the user associated with the website account (in cPanel).

As such, Apache is creating the audit log folders using the process request owner, which could be a different user for each request. The permissions are 755 because I believe that mod_ruid2 implements that restriction - it's by design.

The mod_ruid2 developer tells me (here: https://github.com/mind04/mod-ruid2/issues/1) that if mod_security were to use the ap_hook_log_transaction() call in order to write the logs, then by this point mod_ruid2 has returned the process owner to "nobody" and therefore none of the current problems would apply, assuming that "nobody" has write permissions to the audit log folders.

According to the mod_ruid2 dev, mod_security is using some other mechanism to write the logs, which is at a point in the pipeline where the process still has the specific website account owner assigned, and it is this which is causing the permissions problems.

I don't know if I'm barking up the wrong tree here, but this is what the mod_ruid2 developer tells me.

Regards, Ben

From: Breno Silva [mailto:bre...@gm...]
Sent: 24 July 2013 18:06
To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

Hello Ben,

I was looking to your debug info : https://www.atomicorp.com/forum/viewtopic.php?f=15&t=6932&sid=23c91691756075ec7fc5cfe86a6630d1

And looks like you tried to change the file/dir permission using SecAuditLogDirMode and SecAuditLogFileMode.
However it is still being created as 755 permission. It could be related to your umask

So please try to change your umask in your /etc/profile then set above directives as 0777. Start your apache again (make sure your umask has been changed) and let us know what happens with your file/dir permission.

Thanks

Breno
|
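Added example, not from any participant in this thread and not ModSecurity or mod_ruid2 code: Python that shows how a requested directory mode of 0777 combines with the process umask at mkdir time, and which accounts can create files in the per-minute directories from Ben's listing. The function names and the group memberships (each account only in its own group) are assumptions.

```python
import os
import stat
import tempfile

# Constructed input: the two `ls -l` lines quoted in the thread.
PAGE_LISTING = """\
drwxr-xr-x 2 use11 use11 4096 Jul 22 07:55 20130722-0755/
drwxr-xr-x 2 use22 use22 4096 Jul 22 07:56 20130722-0756/
"""

# Assumption: each account belongs only to its own primary group.
TENANTS = {"use11": {"use11"}, "use22": {"use22"}, "nobody": {"nobody"}}


def mkdir_mode(requested, umask):
    """Create a directory asking for `requested` bits while `umask` is in
    force and return the permission bits the kernel actually applied."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as base:
            path = os.path.join(base, "20130722-0755")
            os.mkdir(path, requested)
            return stat.S_IMODE(os.stat(path).st_mode) & 0o777
    finally:
        os.umask(old)  # umask is process-wide, always restore it


def parse_ls_line(line):
    """Extract mode string, owner, group and name from one `ls -l` line."""
    parts = line.split()
    if len(parts) < 9 or len(parts[0]) < 10 or parts[0][0] != "d":
        raise ValueError("not an ls -l directory line: %r" % line)
    return {
        "perm": parts[0][:10],  # drop a trailing ACL/SELinux marker if any
        "user": parts[2],
        "group": parts[3],
        "name": parts[-1].rstrip("/"),
    }


def can_create_file(entry, user, groups):
    """POSIX rule for creating a file in a directory: the caller needs
    write and search permission, taken from exactly one class (owner,
    else group, else other). The root bypass is not modelled."""
    perm = entry["perm"]
    if user == entry["user"]:
        bits = perm[1:4]
    elif entry["group"] in groups:
        bits = perm[4:7]
    else:
        bits = perm[7:10]
    return bits[1] == "w" and bits[2] in "xst"


def blocked_writers(listing, tenants):
    """Map each directory in the listing to the accounts that would get
    'Permission denied' when writing an audit file into it."""
    report = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        entry = parse_ls_line(line)
        report[entry["name"]] = sorted(
            user for user, groups in tenants.items()
            if not can_create_file(entry, user, groups)
        )
    return report


if __name__ == "__main__":
    for mask in (0o022, 0o000):
        print("mkdir(0777) under umask %03o -> %03o" % (mask, mkdir_mode(0o777, mask)))
    for name, users in blocked_writers(PAGE_LISTING, TENANTS).items():
        print("%s: cannot write: %s" % (name, ", ".join(users)))
```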
From: Breno S. <bre...@gm...> - 2013-07-24 16:47:58
|
Ben,

Please download the 2.7.5 candidate tarball: https://www.modsecurity.org/tarball/2.7.4/modsecurity-apache_2.7.5.tar.gz

I will send you a code for testing.

We already use ap_hook_log_transaction for logging phase.

Thanks

Breno

On Wed, Jul 24, 2013 at 1:22 PM, Ben Empson <be...@ar...> wrote:

> Hi Breno, sorry, this is confusing. You seem to be referring to *my* umask (I’m logging in as root). However, I’m using Apache with mod_ruid2, mod_ruid2 changes the process owner in Apache for each request to the user associated with the website account (in cPanel).
>
> As such, Apache is creating the audit log folders using the process request owner, which could be a different user for each request. The permissions are 755 because I believe that mod_ruid2 implements that restriction – it’s by design.
>
> The mod_ruid2 developer tells me (here: https://github.com/mind04/mod-ruid2/issues/1) that if mod_security were to use the ap_hook_log_transaction() call in order to write the logs, then by this point mod_ruid2 has returned the process owner to “nobody” and therefore none of the current problems would apply, assuming that “nobody” has write permissions to the audit log folders.
>
> According to the mod_ruid2 dev, mod_security is using some other mechanism to write the logs, which is at a point in the pipeline where the process still has the specific website account owner assigned, and it is this which is causing the permissions problems.
>
> I don’t know if I’m barking up the wrong tree here, but this is what the mod_ruid2 developer tells me.
>
> Regards, Ben
|
From: Ben E. <be...@ar...> - 2013-07-24 16:53:34
|
Hi Breno, OK thanks for that. FYI I'm on holiday from tomorrow until 12 August, I don't think I'll get time to look at this before that. I will do the update to 2.7.5 ASAP on my return.

Thanks for your help, I'll also feedback to the mod_ruid2 dev that you already use ap_hook_log_transaction().

From: Breno Silva [mailto:bre...@gm...]
Sent: 24 July 2013 18:48
To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

Ben,

Please download the 2.7.5 candidate tarball: https://www.modsecurity.org/tarball/2.7.4/modsecurity-apache_2.7.5.tar.gz

I will send you a code for testing.

We already use ap_hook_log_transaction for logging phase.

Thanks

Breno
|
From: Breno S. <bre...@gm...> - 2013-07-24 17:01:22
|
Ben,

I can try it here. I already installed mod_ruid2. Could you please send me your mod_ruid2 config? Then I can reproduce.

Thanks

On Wed, Jul 24, 2013 at 1:53 PM, Ben Empson <be...@ar...> wrote:

> Hi Breno, OK thanks for that. FYI I’m on holiday from tomorrow until 12 August, I don’t think I’ll get time to look at this before that. I will do the update to 2.7.5 ASAP on my return.
>
> Thanks for your help, I’ll also feedback to the mod_ruid2 dev that you already use ap_hook_log_transaction().
>
> From: Breno Silva [mailto:bre...@gm...]
> Sent: 24 July 2013 18:48
> To: mod-security-developers
> Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2
>
> Ben,
>
> Please download the 2.7.5 candidate tarball: https://www.modsecurity.org/tarball/2.7.4/modsecurity-apache_2.7.5.tar.gz
>
> I will send you a code for testing.
>
> We already use ap_hook_log_transaction for logging phase.
>
> Thanks
>
> Breno
>
> On Wed, Jul 24, 2013 at 1:22 PM, Ben Empson <be...@ar...> wrote:
>
> Hi Breno, sorry, this is confusing. You seem to be referring to *my* umask (I’m logging in as root). However, I’m using Apache with mod_ruid2, mod_ruid2 changes the process owner in Apache for each request to the user associated with the website account (in cPanel).
>
> As such, Apache is creating the audit log folders using the process request owner, which could be a different user for each request. The permissions are 755 because I believe that mod_ruid2 implements that restriction – it’s by design.
>
> The mod_ruid2 developer tells me (here: https://github.com/mind04/mod-ruid2/issues/1) that if mod_security were to use the ap_hook_log_transaction() call in order to write the logs, then by this point mod_ruid2 has returned the process owner to “nobody” and therefore none of the current problems would apply, assuming that “nobody” has write permissions to the audit log folders.
>
> According to the mod_ruid2 dev, mod_security is using some other mechanism to write the logs, which is at a point in the pipeline where the process still has the specific website account owner assigned, and it is this which is causing the permissions problems.
>
> I don’t know if I’m barking up the wrong tree here, but this is what the mod_ruid2 developer tells me.
>
> Regards, Ben
>
> From: Breno Silva [mailto:bre...@gm...]
> Sent: 24 July 2013 18:06
> To: mod-security-developers
> Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2
>
> Hello Ben,
>
> I was looking to your debug info: https://www.atomicorp.com/forum/viewtopic.php?f=15&t=6932&sid=23c91691756075ec7fc5cfe86a6630d1
>
> And looks like you tried to change the file/dir permission using SecAuditLogDirMode and SecAuditLogFileMode.
>
> However it is still being created as 755 permission. It could be related to your umask
>
> So please try to change your umask in your /etc/profile then set above directives as 0777. Start your apache again (make sure your umask has been changed) and let us know what happens with your file/dir permission.
>
> Thanks
>
> Breno
>
> On Wed, Jul 24, 2013 at 12:05 PM, Ben Empson <be...@ar...> wrote:
>
> Hi Breno, sorry but I don’t understand what you mean by “You can try to set it into /etc/profile ?”
>
> Also, I’m not clear on what you’re demonstrating with your example below. Also in my setup logs are created by the first user which tries to log, since that user creates the directory and has permissions on it. However any subsequent users are unable to log to the same directory since they do not have permissions.
>
> Regards, Ben
>
> From: Breno Silva [mailto:bre...@gm...]
> Sent: 22 July 2013 14:08
> To: mod-security-developers
> Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2
>
> Ben,
>
> You can try to set it into /etc/profile ?
>
> It works for me :
>
>     root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130720/20130720-1140/20130720-114050-UerZscCoAGUAAFcXJFcAAAAe
>     194655 4 -rwxrwxrwx 1 www-data www-data 3342 2013-07-22 11:40 /var/log/apache2/20130722/20130722-1140/20130722-114050-UerZscCoAGUAAFcXJFcAAAAe
>
> On Mon, Jul 22, 2013 at 12:07 AM, Ben Empson <be...@ar...> wrote:
>
> Hi Breno,
>
> I tried:
>
>     SecAuditLogDirMode 0000
>     SecAuditLogFileMode 0000
>
> But on Apache restart I got the following error: “ModSecurity: Invalid value for SecAuditLogDirMode: 0000”. So I reset these 2 values to 0777.
>
> Then I went to /var/asl/data and did
>
>     umask 0000
>
> However I’m still getting errors in the Apache log: “ModSecurity: Audit log: Failed to create file: /var/asl/data/audit0722/20130722-0756/20130722-075623-UezXl1nIjfEAAHYWJ@oAAAAK(Permission denied)”
>
> Note that the first website to get an error in each minute creates the audit folder and there are logs for that site. However any subsequent requests for other websites (and therefore users) get the error above since they don’t have write permissions, eg:
>
>     drwxr-xr-x 2 use11 use11 4096 Jul 22 07:55 20130722-0755/
>     drwxr-xr-x 2 use22 use22 4096 Jul 22 07:56 20130722-0756/
>
> Regards, Ben

From: Breno S. <bre...@gm...> - 2013-07-24 18:17:21
|
Hello Ben,

This is what I'm trying to do as a test. Let me know if the config is similar on your side:

httpd.conf:

    Rmode config
    RuidGid www-data www-data
    Rgroups brenosilva

virtual-host.conf:

    RuidGid brenosilva www-data

and

    RuidGid www-data www-data

modsecurity.conf:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0777
    SecAuditLogStorageDir /var/log/apache2

Then I set umask 000 during Apache runtime.

    ls -lisa /var/log/apache2/*
    196265 4 drwxrwxrwx 4 brenosilva www-data 4096 2013-07-22 23:25 .
    188049 4 drwxrwxrwx 3 root root 4096 2013-07-22 23:24 ..
    196266 4 drwxrwxrwx 2 brenosilva www-data 4096 2013-07-22 23:24 20130722-2324
    196267 4 drwxrwxrwx 2 www-data www-data 4096 2013-07-22 23:25 20130722-2325

No more permission denied errors. For sure 777 is not the best solution :) .... but I think it is possible to do the same concept using 770 permission.

Breno

From: Ben E. <be...@ar...> - 2013-07-25 07:53:56
|
Hi Breno, here's my configs:

mod_ruid2.conf:

    <IfModule mod_ruid2.c>
    RMode config
    RDefaultUidGid nobody nobody
    RUidGid nobody nobody
    </IfModule>

httpd.conf

Every virtual host has the following block (obviously with the actual user / group). User and group always have the same name which is the cPanel account name:

    <IfModule mod_ruid2.c>
    RMode config
    RUidGid {user} {group}
    </IfModule>

modsecurity2.user.conf

    SecPcreMatchLimit 50000
    SecPcreMatchLimitRecursion 50000
    SecAuditLogType Concurrent
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 20621440
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecServerSignature Apache
    SecUploadDir /var/asl/data/suspicious
    SecUploadKeepFiles Off
    SecAuditLogParts ABIFHZ
    SecArgumentSeparator "&"
    SecCookieFormat 0
    SecRequestBodyLimit 20621440
    SecRequestBodyInMemoryLimit 2062144
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit
    SecResponseBodyLimitAction ProcessPartial

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0777

    Include /usr/local/apache/conf/modsec_rules/*asl*.conf
    Include /usr/local/apache/conf/modsec2.whitelist.conf #this file is empty

I'm not sure you're testing the same thing as me. You will need to have at least 2 virtual hosts, and you will need to call them in such a way that ModSecurity will generate an audit log in the same minute. It's only under these conditions that the permissions problem arises, otherwise new directories and logs are simply created by a single user and there's no problem. Obviously on a busy server these conditions are easily met.

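The two messages above (Breno's umask 000 test and Ben's two-virtual-hosts-in-one-minute condition) can be reproduced without Apache. This is an added example, not code from ModSecurity or mod_ruid2: it assumes the per-minute directory is created with a plain mkdir(2)-style call, and the directory names, the "other account" ids and all helper names are constructed for illustration.

```python
import os
import stat
import tempfile


def make_dir(parent, name, requested_mode, umask):
    """Create parent/name as a daemon's mkdir(2) call would.

    The kernel stores requested_mode & ~umask. The umask belongs to the
    calling process (inherited at start-up), so changing it in a login shell
    does not change it for a daemon that is already running.
    """
    previous = os.umask(umask)
    try:
        path = os.path.join(parent, name)
        os.mkdir(path, requested_mode)
    finally:
        os.umask(previous)
    return path


def perm_bits(path):
    """rwxrwxrwx bits only (set-uid/set-gid/sticky masked off)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o777


def can_create_in(path, uid, gids):
    """Would an unprivileged (uid, gids) be allowed to create a file in path?

    Decided from owner, group and mode bits only, using the first matching
    class (owner, then group, then other). ACLs and root are ignored.
    """
    st = os.stat(path)
    mode = perm_bits(path)
    if uid == st.st_uid:
        bits = mode >> 6
    elif st.st_gid in gids:
        bits = mode >> 3
    else:
        bits = mode
    return bits & 0o3 == 0o3  # needs both write and search on the directory


def blocked_dirs(root, uid, gids):
    """Directories under root in which (uid, gids) cannot create a log file."""
    blocked = []
    for current, _dirs, _files in os.walk(root):
        if not can_create_in(current, uid, gids):
            blocked.append(os.path.relpath(current, root))
    return sorted(blocked)


def run_scenarios():
    """Three constructed per-minute directories, all requested by one account."""
    with tempfile.TemporaryDirectory() as storage:
        os.chmod(storage, 0o777)  # storage root itself is open to everyone
        a = make_dir(storage, "20130722-0755", 0o777, 0o022)  # 0777 asked, umask 022
        b = make_dir(storage, "20130722-0756", 0o777, 0o000)  # 0777 asked, umask 000
        c = make_dir(storage, "20130722-0757", 0o770, 0o000)  # 0770 asked, umask 000
        st = os.stat(a)
        other_uid = st.st_uid + 1          # constructed "second website" account
        unrelated_group = {st.st_gid + 1}  # shares no group with the creator
        shared_group = {st.st_gid}         # member of the directory's group
        return {
            "mode_umask_022": perm_bits(a),
            "mode_umask_000": perm_bits(b),
            "mode_0770": perm_bits(c),
            "blocked_for_outsider": blocked_dirs(storage, other_uid, unrelated_group),
            "blocked_for_group_member": blocked_dirs(storage, other_uid, shared_group),
        }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

The `blocked_dirs` helper can also be pointed at a real audit storage directory with a site account's uid and group ids to list the per-minute directories that account cannot write to.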
From: Breno S. <bre...@gm...> - 2013-07-25 12:07:03
|
Hello Ben,

I think it is working. Now I set two vhosts, one for user: brenosilva and one for user: nobody

Then I submit two requests:

    root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/*
    total 16
    196266 4 drwxrwxrwx 2 nobody www-data 4096 2013-07-25 05:02 .
    196265 4 drwxrwxrwx 3 nobody www-data 4096 2013-07-25 05:02 ..
    142051 4 -rwxrwxrwx 1 nobody www-data 1658 2013-07-25 05:02 20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
    172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA

    root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/20130725-0502/20130725-0502*
    142051 4 -rwxrwxrwx 1 nobody www-data 1658 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
    172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA

Audit log files were created for both users. No permission denied errors. Can you try to reproduce at least this test?

Breno

From: Ben E. <be...@ar...> - 2013-07-25 13:49:56
|
Hi Breno, hmm that's strange. Could you try with a user who is not nobody? Are you trying this with the 2.7.5 beta? I think we're still on 2.7.3. I'm not sure if that could be affecting things?

I'm definitely not the only one with this problem: see https://www.atomicorp.com/wiki/index.php/Atomicorp_WAF_Rules_Troubleshooting#Failed_to_create_subdirectories

According to AtomiCorp it's impossible to do this, they claim it's a bug in mod_ruid2.

I have tried this on at least 3 different servers, I've not been able to make it work on any, and I've spent many hours trying. As I mentioned before, since Modsecurity is being packaged up by EasyApache, I don't have documentation on how to upgrade outside of that ecosystem.

I see that Modsecurity 2.7.4 is available in EasyApache now but upgrading involves a recompile of the whole of Apache which takes a while and isn't something I can do on production servers at will!

Unfortunately (or fortunately, depending on how you see it!), I've got to drop this now to wrap up other work before I go on holiday tomorrow. I'm afraid I'll have to pick this up again after the 15th August. Many thanks for your help up until now, it's much appreciated! When I get back I'm happy to spin up a development server and give you root access so that we can try and narrow this down.

Regards, Ben

From: Breno S. <bre...@gm...> - 2013-07-25 13:53:58
|
Ok Ben, that would help, if you can set up a devel box that reproduces your env and then give me remote access. I can try to do the same thing I did from my side.

Thanks

Breno

On Thu, Jul 25, 2013 at 10:49 AM, Ben Empson <be...@ar...> wrote:

> Hi Breno, hmm that’s strange. Could you try with a user who is not nobody? Are you trying this with the 2.7.5 beta? I think we’re still on 2.7.3. I’m not sure if that could be affecting things?
>
> I’m definitely not the only one with this problem: see https://www.atomicorp.com/wiki/index.php/Atomicorp_WAF_Rules_Troubleshooting#Failed_to_create_subdirectories
>
> According to AtomiCorp it’s impossible to do this, they claim it’s a bug in mod_ruid2.
>
> I have tried this on at least 3 different servers, I’ve not been able to make it work on any, and I’ve spent many hours trying. As I mentioned before, since Modsecurity is being packaged up by EasyApache, I don’t have documentation on how to upgrade outside of that ecosystem.
>
> I see that Modsecurity 2.7.4 is available in EasyApache now but upgrading involves a recompile of the whole of Apache which takes a while and isn’t something I can do on production servers at will!
>
> Unfortunately (or fortunately, depending on how you see it!), I’ve got to drop this now to wrap up other work before I go on holiday tomorrow. I’m afraid I’ll have to pick this up again after the 15th August. Many thanks for your help up until now, it’s much appreciated! When I get back I’m happy to spin up a development server and give you root access so that we can try and narrow this down.
>
> Regards, Ben
>
> From: Breno Silva [mailto:bre...@gm...]
> Sent: 25 July 2013 14:07
> To: mod-security-developers
> Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2
>
> Hello Ben,
>
> I think it is working. Now I set two vhosts, one for user: brenosilva and one for user: nobody
>
> Then I submit two requests:
>
>     root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/*
>     total 16
>     196266 4 drwxrwxrwx 2 nobody www-data 4096 2013-07-25 05:02 .
>     196265 4 drwxrwxrwx 3 nobody www-data 4096 2013-07-25 05:02 ..
>     142051 4 -rwxrwxrwx 1 nobody www-data 1658 2013-07-25 05:02 20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
>     172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA
>
>     root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/20130725-0502/20130725-0502*
>     142051 4 -rwxrwxrwx 1 nobody www-data 1658 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
>     172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA
>
> Audit log files were created for both users. No permission denied errors. Can you try to reproduce at least this test?
>
> Breno
>
> On Thu, Jul 25, 2013 at 4:53 AM, Ben Empson <be...@ar...> wrote:
>
> Hi Breno, here’s my configs:
>
> mod_ruid2.conf:
>
>     <IfModule mod_ruid2.c>
>     RMode config
>     RDefaultUidGid nobody nobody
>     RUidGid nobody nobody
>     </IfModule>
>
> httpd.conf
>
> Every virtual host has the following block (obviously with the actual user / group). User and group always have the same name which is the cPanel account name:
>
>     <IfModule mod_ruid2.c>
>     RMode config
>     RUidGid {user} {group}
>     </IfModule>
>
> modsecurity2.user.conf
>
>     SecPcreMatchLimit 50000
>     SecPcreMatchLimitRecursion 50000
>     SecAuditLogType Concurrent
>     SecRequestBodyAccess On
>     SecResponseBodyAccess On
>     SecResponseBodyMimeType (null) text/html text/plain text/xml
>     SecResponseBodyLimit 20621440
>     SecAuditLogRelevantStatus "^(?:5|4(?!04))"
>     SecServerSignature Apache
>     SecUploadDir /var/asl/data/suspicious
>     SecUploadKeepFiles Off
>     SecAuditLogParts ABIFHZ
>     SecArgumentSeparator "&"
>     SecCookieFormat 0
>     SecRequestBodyLimit 20621440
>     SecRequestBodyInMemoryLimit 2062144
>     SecDataDir /var/asl/data/msa
>     SecTmpDir /tmp
>     SecAuditLogStorageDir /var/asl/data/audit
>     SecResponseBodyLimitAction ProcessPartial
>
>     SecAuditLogDirMode 0777
>     SecAuditLogFileMode 0777
>
>     Include /usr/local/apache/conf/modsec_rules/*asl*.conf
>     Include /usr/local/apache/conf/modsec2.whitelist.conf #this file is empty
>
> I’m not sure you’re testing the same thing as me. You will need to have at least 2 virtual hosts, and you will need to call them in such a way that ModSecurity will generate an audit log in the same minute. It’s only under these conditions that the permissions problem arises, otherwise new directories and logs are simply created by a single user and there’s no problem. Obviously on a busy server these conditions are easily met.
>
> From: Breno Silva [mailto:bre...@gm...]
> Sent: 24 July 2013 20:17
> To: mod-security-developers
> Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2
>
> Hello Ben,
>
> This is what I'm trying to do as a test.
Let me know if the config is > similar is your side:**** > > **** > > httpd.conf:**** > > Rmode config**** > > RuidGid www-data www-data**** > > Rgroups brenosilva**** > > **** > > virtual-host.conf:**** > > RuidGid brenosilva www-data**** > > and**** > > RuidGid www-data www-data**** > > **** > > modsecurity.conf:**** > > SecAuditLogDirMode 0777**** > > SecAuditLogFileMode 0777**** > > SecAuditLogStorageDir /var/log/apache2**** > > **** > > then i set umask 000 during apache runtime**** > > **** > > ls -lisa /var/log/apache2/***** > > 196265 4 drwxrwxrwx 4 brenosilva www-data 4096 2013-07-22 23:25 .**** > > 188049 4 drwxrwxrwx 3 root root 4096 2013-07-22 23:24 ..**** > > 196266 4 drwxrwxrwx 2 brenosilva www-data 4096 2013-07-22 23:24 > 20130722-2324**** > > 196267 4 drwxrwxrwx 2 www-data www-data 4096 2013-07-22 23:25 > 20130722-2325**** > > **** > > No more permission denied errors. For sure 777 is not the best solution :) > .... but i think is possible to do the same concept using 770 permission.* > *** > > **** > > Breno**** > > ** ** > > > ------------------------------------------------------------------------------ > See everything from the browser to the database with AppDynamics > Get end-to-end visibility with application monitoring from AppDynamics > Isolate bottlenecks and diagnose root cause in seconds. > Start your free trial of AppDynamics Pro today! > http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk > _______________________________________________ > mod-security-developers mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-developers > ModSecurity Services from Trustwave's SpiderLabs: > https://www.trustwave.com/spiderLabs.php > |
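The condition debated in this thread (a date directory created by one vhost user that a second vhost user must also write into) can be checked on a live audit tree with the script below. It is an added example, not code from the thread, ModSecurity or mod_ruid2. It assumes classic owner/group/other permission bits and that a directory is created by a plain mkdir with the configured mode, so the process umask applies; the function names and the vhost_a/vhost_b identities are hypothetical.

```python
import os
import stat
import tempfile

def mkdir_with_umask(path, mode, umask):
    """mkdir(path, mode) under the given umask; returns the resulting rwx bits."""
    old = os.umask(umask)
    try:
        os.mkdir(path, mode)
    finally:
        os.umask(old)
    return os.stat(path).st_mode & 0o777

def can_create_in(st, uid, gids):
    """Owner/group/other check: creating a file needs write+search on the dir."""
    if uid == st.st_uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bits & 0o3 == 0o3

def audit_storage_dir(root, identities):
    """Return (blocked, world_writable) for every directory under root.
    identities maps a label to (uid, set_of_gids) for each vhost user."""
    blocked, world_writable = [], []
    for dirpath, _dirs, _files in os.walk(root):
        st = os.stat(dirpath)
        if st.st_mode & stat.S_IWOTH:
            world_writable.append(dirpath)
        blocked += [(dirpath, name)
                    for name, (uid, gids) in sorted(identities.items())
                    if not can_create_in(st, uid, gids)]
    return blocked, world_writable

if __name__ == "__main__":
    # Constructed sample: a date directory created by the first vhost user.
    root = tempfile.mkdtemp()
    day = os.path.join(root, "20130725")
    print(oct(mkdir_with_umask(day, 0o777, 0o022)))  # umask strips g+w and o+w
    st = os.stat(day)
    users = {"vhost_a": (st.st_uid, {st.st_gid}),      # creator of the directory
             "vhost_b": (st.st_uid + 1, {st.st_gid})}  # second vhost, shared group
    print(audit_storage_dir(day, users))
```

Run against the real SecAuditLogStorageDir with each vhost's uid and group set, an empty `blocked` list together with an empty `world_writable` list corresponds to the 770-with-shared-group layout suggested in the thread.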