Thread: [mod-security-users] When will we see 1.8?
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
mod-security-users
|
From: Mark <ad...@as...> - 2004-04-07 23:22:49
|
When will mod_security 1.8 be released? The idea that 1.7.6 may miss chroot
at times, as you explained on your site, worries me some.
Thanks,
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
|
|
From: Ivan R. <iv...@we...> - 2004-04-07 23:31:02
|
Mark wrote: > When will mod_security 1.8 be released? The idea that 1.7.6 may miss chroot > at times, as you explained on your site, worries me some. I should have all planned work completed in a week. I will release 1.8dev2 then. I will encourage people to use 1.8dev2 to test it out, and release 1.8 2-4 weeks after 1.8dev2. The 1.8dev2 will be of a good quality, though. It has been in the works for a long time and it wasn't rushed. -- ModSecurity (http://www.modsecurity.org) [ Open source IDS for Web applications ] |
|
From: Mark <ad...@as...> - 2004-04-08 14:13:31
|
Ivan Ristic wrote:
> Mark wrote:
>> When will mod_security 1.8 be released? The idea that 1.7.6 may miss
>> chroot at times, as you explained on your site, worries me some.
>
> I should have all planned work completed in a week. I will release
> 1.8dev2 then. I will encourage people to use 1.8dev2 to test
> it out, and release 1.8 2-4 weeks after 1.8dev2.
Thanks.
Can you tell me, though, what are the conditions the parent process ID != 1?
The children, of course, have the PPID of the 'mother' Apache process; but
the parent itself always seems to have PPID 1. Are you referring to Apache
being started from within a new shell, or something?
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
|
|
From: Ivan R. <iv...@we...> - 2004-04-08 14:22:57
|
> Can you tell me, though, what are the conditions the parent process ID != 1? > The children, of course, have the PPID of the 'mother' Apache process; but > the parent itself always seems to have PPID 1. Are you referring to Apache > being started from within a new shell, or something? I haven't been able to pin-point that. My guess is that is a problem with timing since the ppid of the main process must, eventually, become 1. In the end I switched to a new, reliable, approach. BTW, I've also added a check to v1.8. If chroot fails for any reasons, Apache will refuse to serve requests. -- ModSecurity (http://www.modsecurity.org) [ Open source IDS for Web applications ] |
|
From: Mark <ad...@as...> - 2004-04-26 01:37:17
|
Ivan Ristic wrote:
>> Can you tell me, though, what are the conditions the parent process
>> ID != 1? The children, of course, have the PPID of the 'mother'
>> Apache process; but the parent itself always seems to have PPID 1.
>> Are you referring to Apache being started from within a new shell,
>> or something?
>
> I haven't been able to pin-point that. My guess is that is a
> problem with timing since the ppid of the main process must,
> eventually, become 1. In the end I switched to a new, reliable,
> approach.
The chroot issue is really why I am looking forward to 1.8. I cannot deploy
mod_security in a production environment yet, until that is resolved.
> BTW, I've also added a check to v1.8. If chroot fails for any
> reasons, Apache will refuse to serve requests.
I have a request, though. Can you make it so, that, instead of not serving
requests, Apache will exit? (with a log message, of course). I have several
cron scripts that monitor if any of the major daemons went down, and restart
them. Apache not serving requests, though, is not a condition I can easily,
and reliably, alert myself to (like a down daemon).
Besides, I believe it is quite fair for mod_security to treat not being able
to chroot as a critical, abortable, error, like Apache missing a log-file
(after which Apache exists too). Starting up "normally", but simply not
serving any requests, is the worst, really.
Thanks,
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
|
|
From: Ivan R. <iv...@we...> - 2004-04-26 07:34:25
|
>> BTW, I've also added a check to v1.8. If chroot fails for any >> reasons, Apache will refuse to serve requests. > > I have a request, though. Can you make it so, that, instead of not serving > requests, Apache will exit? (with a log message, of course). Actually, that's what it does at the moment. But there is a catch. Since at that time the configuration phase is over, it is only one child that exits. I cannot affect other Apache processes. > Besides, I believe it is quite fair for mod_security to treat not being able > to chroot as a critical, abortable, error, like Apache missing a log-file > (after which Apache exists too). I agree but it can't be done any other way. That's the drawback of not patching the source code and working from a module. Bye, Ivan |
|
From: Mark <ad...@as...> - 2004-04-26 09:21:14
|
Ivan Ristic wrote:
>>> BTW, I've also added a check to v1.8. If chroot fails for any
>>> reasons, Apache will refuse to serve requests.
>>
>> I have a request, though. Can you make it so, that, instead of not
>> serving requests, Apache will exit? (with a log message, of course).
>
> Actually, that's what it does at the moment. But there is a catch.
> Since at that time the configuration phase is over, it is only
> one child that exits. I cannot affect other Apache processes.
I hadn't thought of that. No bid deal, though: "MinSpareServers" should
take care of respawning a new child.
>> Besides, I believe it is quite fair for mod_security to treat not
>> being able to chroot as a critical, abortable, error, like Apache
>> missing a log-file (after which Apache exists too).
>
> I agree but it can't be done any other way. That's the drawback
> of not patching the source code and working from a module.
Thanks for your hard work anyway. I am quite happy with the mod approach as
it is. :) I just grabbed 1.8dev2, and will try it out.
Cheers!
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
|
|
From: Ivan R. <iv...@we...> - 2004-04-26 10:34:42
|
>>>> BTW, I've also added a check to v1.8. If chroot fails for any >>>> reasons, Apache will refuse to serve requests. >>> >>>I have a request, though. Can you make it so, that, instead of not >>>serving requests, Apache will exit? (with a log message, of course). >> >> Actually, that's what it does at the moment. But there is a catch. >> Since at that time the configuration phase is over, it is only >> one child that exits. I cannot affect other Apache processes. > > > I hadn't thought of that. No bid deal, though: "MinSpareServers" should > take care of respawning a new child. Sure, but mod_security will kill every child Apache spawns. I've added a delay to prevent too many processes to get created and killed at the same time, but the whole thing will prevent Apache from serving any requests. Bye, Ivan |
|
From: Mark <ad...@as...> - 2004-04-26 10:46:57
|
Ivan Ristic wrote:
>>>>> BTW, I've also added a check to v1.8. If chroot fails for any
>>>>> reasons, Apache will refuse to serve requests.
>>>>
>>>> I have a request, though. Can you make it so, that, instead of not
>>>> serving requests, Apache will exit? (with a log message, of
>>>> course).
>>>
>>> Actually, that's what it does at the moment. But there is a catch.
>>> Since at that time the configuration phase is over, it is only
>>> one child that exits. I cannot affect other Apache processes.
>>
>> I hadn't thought of that. No big deal, though: "MinSpareServers"
>> should take care of respawning a new child.
>
> Sure, but mod_security will kill every child Apache spawns. I've
> added a delay to prevent too many processes to get created and
> killed at the same time, but the whole thing will prevent Apache
> from serving any requests.
Hmm, in that case, why can mod_security not simply kill the "mother" Apache
process itself? (the child, running as "nobody", or "www", can obviously not
kill the parent, who runs as root; but mod_security could kill its own
Apache process, right?). Or am I missing something again?
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
|
|
From: Ivan R. <iv...@we...> - 2004-04-26 10:51:07
|
>> Sure, but mod_security will kill every child Apache spawns. I've >> added a delay to prevent too many processes to get created and >> killed at the same time, but the whole thing will prevent Apache >> from serving any requests. > > Hmm, in that case, why can mod_security not simply kill the "mother" Apache > process itself? (the child, running as "nobody", or "www", can obviously not > kill the parent, who runs as root; but mod_security could kill its own > Apache process, right?). Or am I missing something again? It does just that (exits its own process). But it is the parent process running as root that spawns new children. I've put this mechanism in place just in case. Apache not running is a bug. Chroot not working is a but *and* a security issue. Anyway, if I got it right this time it will never have to manifest itself. Bye, Ivan |
|
From: Mark <ad...@as...> - 2004-04-29 06:02:56
|
Ivan Ristic wrote:
>>> Sure, but mod_security will kill every child Apache spawns. I've
>>> added a delay to prevent too many processes to get created and
>>> killed at the same time, but the whole thing will prevent Apache
>>> from serving any requests.
>>
>> Hmm, in that case, why can mod_security not simply kill the "mother"
>> Apache process itself? (the child, running as "nobody", or "www",
>> can obviously not kill the parent, who runs as root; but
>> mod_security could kill its own Apache process, right?). Or am I
>> missing something again?
>
> It does just that (exits its own process). But it is the parent
> process running as root that spawns new children.
For now, due to a time limit, I have decided to install 1.7.6 on the
production server, after all. But I wrote a small startup-script that
examines the log, after starting up Apache, to see whether mod_security did
the chroot. If not, it kills the pid in /var/run/httpd.pid, and restarts the
process (in a limited loop). Not pretty, I know; but at least this way I am
sure the chroot succeeded.
> Anyway, if I got it right this time it will never have to
> manifest itself.
True. This issue is largely academic. And I have *never* seen it gone wrong
on 1.7.6 either, btw.
Cheers,
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
|
|
From: Mark <ad...@as...> - 2004-04-24 21:20:23
|
Ivan Ristic wrote:
> Mark wrote:
>> When will mod_security 1.8 be released? The idea that 1.7.6 may miss
>> chroot at times, as you explained on your site, worries me some.
>
> I should have all planned work completed in a week. I will release
> 1.8dev2 then. I will encourage people to use 1.8dev2 to test
> it out, and release 1.8 2-4 weeks after 1.8dev2.
>
> The 1.8dev2 will be of a good quality, though. It has been in the
> works for a long time and it wasn't rushed.
Not to rush you either, but how is 1.8 coming along? I am preparing a brand
new production server; and, if at all possible, I'd like to include 1.8 on
there. With April drawing to a close and all, I thought I inquire once more.
:)
Thanks,
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
|
|
From: Ivan R. <iv...@we...> - 2004-04-24 22:55:16
|
> Not to rush you either, but how is 1.8 coming along? I am preparing a brand > new production server; and, if at all possible, I'd like to include 1.8 on > there. With April drawing to a close and all, I thought I inquire once more. :) Since you are that curious, I finished the code over the last weekend but decided not to release it then because there were too many changes made. I plan to do some more work tomorrow, test the new code, update the documentation, and then release 1.8dev2. So you may have it tomorrow. -- ModSecurity (http://www.modsecurity.org) [ Open source IDS for Web applications ] |
Thanks for helping keep SourceForge clean.
X