Thread: [mod-security-users] mod_security v1.8.4 Chroot problem
From: Gareth L. <li...@th...> - 2004-10-12 09:22:11
I am trying to get mod_security chroot support working on my server, but I
am getting the following error.
[Tue Oct 12 11:30:14 2004] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Tue Oct 12 11:30:14 2004] [notice] LDAP: SSL support unavailable
[Tue Oct 12 11:30:14 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Oct 12 11:30:14 2004] [notice] mod_security: chroot checkpoint #1 (pid=2290 ppid=2289)
[Tue Oct 12 11:30:15 2004] [notice] Digest: generating secret for digest authentication ...
[Tue Oct 12 11:30:15 2004] [notice] Digest: done
[Tue Oct 12 11:30:15 2004] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Tue Oct 12 11:30:15 2004] [notice] LDAP: SSL support unavailable
[Tue Oct 12 11:30:16 2004] [notice] mod_python: Creating 32 session mutexes based on 150 max processes and 0 max threads.
[Tue Oct 12 11:30:16 2004] [notice] mod_security: chroot checkpoint #2 (pid=2291 ppid=1)
[Tue Oct 12 11:30:16 2004] [notice] mod_security: chroot successful, path=/chroot/apache
[Tue Oct 12 11:30:16 2004] [error] (2)No such file or directory: could not create /etc/httpd/run/httpd.pid
[Tue Oct 12 11:30:16 2004] [error] httpd: could not log pid to file /etc/httpd/run/httpd.pid
The System is:-
Fedora Core 2 (Full patched)
Apache 2
FrontPage Extensions
SquirrelMail
mod_security v1.8.4
I have configured mod_security as follows:-

Added SecChrootDir /chroot/apache to mod_security.conf

Created the following directory structure:
/chroot/apache
/chroot/etc/httpd
/chroot/var/log/httpd
/chroot/var/run

I have created two symbolic links in /chroot/etc/httpd to
/chroot/var/log/httpd and /chroot/var/run
Unfortunately I seem to be going around in circles trying to sort this
problem, so your help would be most appreciated.
Many thanks.
Gareth Ledger
From: Ivan R. <iv...@we...> - 2004-10-12 09:30:46
Gareth Ledger wrote:
> I am trying to get mod_security chroot support working on my server, but I
> am getting the following error.
>
> ...
>
> [Tue Oct 12 11:30:16 2004] [notice] mod_security: chroot checkpoint #2
> (pid=2291 ppid=1)
> [Tue Oct 12 11:30:16 2004] [notice] mod_security: chroot successful,
> path=/chroot/apache
> [Tue Oct 12 11:30:16 2004] [error] (2)No such file or directory: could not
> create /etc/httpd/run/httpd.pid
> [Tue Oct 12 11:30:16 2004] [error] httpd: could not log pid to file
> /etc/httpd/run/httpd.pid

Looking at this I'd say the /chroot/apache/etc/httpd/run folder does not exist.

> The System is:- Fedora Core 2 (Full patched)
> Apache 2
> FrontPage Extensions
> SquirrelMail
> mod_security v1.8.4
>
> I have configured mod_security as follows:-
>
> Added SecChrootDir /chroot/apache to mod_security.conf
>
> Created the following directory structure: /chroot/apache
> /chroot/etc/httpd
> /chroot/var/log/httpd
> /chroot/var/run
>
> I have created two symbolic links in /chroot/etc/httpd to
> /chroot/var/log/httpd and /chroot/var/run

Maybe you created them with "ln -s /chroot/apache/var/run" ? That won't work from inside the jail since it's using the path that is only correct outside the jail. Try:

cd /chroot/apache/etc/httpd
(rm existing run dir first ;)
ln -s ../../var/run

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
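As an added example (not code from the thread), the script below builds a throwaway copy of the jail layout from the first mail and checks how each symlink form resolves from the chrooted process's point of view. It builds the jail under a temp directory instead of /chroot/apache so it runs unprivileged; resolve_in_jail and link_usable_in_jail are my own helpers that mimic how the kernel re-roots an absolute link target for a process whose root is the jail.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway copy of the
# jail layout (under a temp dir instead of /chroot/apache, so no root is
# needed) and compares an absolute symlink target with a relative one.
JAIL="$(mktemp -d)/chroot/apache"
mkdir -p "$JAIL/etc/httpd" "$JAIL/var/run" "$JAIL/var/log/httpd"

# Resolve one symlink the way a process whose root is $1 sees it: an
# absolute target is re-rooted under the jail, a relative target is
# resolved against the link's own directory. Prints the host-side path.
resolve_in_jail() {
    jail="$1"; link="$2"
    target="$(readlink "$link")" || return 1
    case "$target" in
        /*) printf '%s\n' "$jail$target" ;;
        *)  printf '%s\n' "$(dirname "$link")/$target" ;;
    esac
}

# True when the jail's view of the link lands on an existing directory,
# i.e. httpd inside the jail could create /etc/httpd/run/httpd.pid there.
link_usable_in_jail() {
    resolved="$(resolve_in_jail "$1" "$2")" || return 1
    [ -d "$resolved" ]
}

# Wrong: absolute target. Valid from the host, dangling inside the jail
# because the jail's view of it is $JAIL$JAIL/var/run.
ln -s "$JAIL/var/run" "$JAIL/etc/httpd/run"
# Right: relative target, as the reply above suggests.
ln -s ../../var/run "$JAIL/etc/httpd/run.rel"

for l in run run.rel; do
    if link_usable_in_jail "$JAIL" "$JAIL/etc/httpd/$l"; then
        echo "etc/httpd/$l -> $(readlink "$JAIL/etc/httpd/$l"): usable in jail"
    else
        echo "etc/httpd/$l -> $(readlink "$JAIL/etc/httpd/$l"): DANGLING in jail"
    fi
done
```

The same check is worth running over every link under the jail before starting httpd, since a dangling link shows up only as the "could not create" error in the log.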
From: Dan B. <gm...@sm...> - 2005-05-16 23:29:23
I've got mod_security 1.8.4 with just the chroot function, httpd 1.3.31, and frontpage 2002. It works fine without chroot. I haven't tested with suexec yet. With chroot enabled, I'm having troubles with the suidkey.

With mod_frontpage being loaded *before* mod_security, and with /bin/ps and /usr/bin/sum and /proc inside the chroot, frontpage properly creates its suidkey.$PID inside the chroot. fpcounter.exe appears to function, but with the counter reset to 1, never incrementing. There are no errors in error_log either of the main server or of the vhost in question. It's as if mod_frontpage believes that it's working, and yet it's apparently not with fpcounter.exe. The administrative web GUI works. fpcounter.exe and the administrative web GUI are the only items I've tested it with.

Please see my strace output at http://smuckola.org/etc/httpd_strace.text

Do you have any clues or suggestions?
From: Ivan R. <iv...@we...> - 2005-05-23 10:49:21
Dan Bethe wrote:
> I've got mod_security 1.8.4 with just the chroot function, httpd 1.3.31, and
> frontpage 2002. It works fine without chroot. I haven't tested with suexec
> yet. With chroot enabled, I'm having troubles with the suidkey.
>
> With mod_frontpage being loaded *before* mod_security, and with /bin/ps and
> /usr/bin/sum and /proc inside the chroot, frontpage properly creates its
> suidkey.$PID inside the chroot. fpcounter.exe appears to function, but with the
> counter reset to 1, never incrementing. There are no errors in error_log either
> of the main server or of the vhost in question. It's as is mod_frontpage
> believes that it's working, and yet it's apparently not with fpcounter.exe. The
> administrative web GUI works. fpcounter.exe and the administrative web GUI are
> the only items I've tested it with.
>
> Please see my strace output at http://smuckola.org/etc/httpd_strace.text
>
> Do you have any clues or suggestions?

Could this be the problem?

[pid 25606] open("/home/dtm/public_html//_private/menu.html.cnt", O_RDWR) = -1 EACCES (Permission denied)

It is clear the FrontPage module does not check whether the descriptor is valid or not:

[pid 25606] lseek(-1, 0, SEEK_SET) = -1 EBADF (Bad file descriptor)
[pid 25606] write(-1, "FPCountFile ", 12) = -1 EBADF (Bad file descriptor)
[pid 25606] write(-1, "00000000001", 11) = -1 EBADF (Bad file descriptor)
[pid 25606] close(-1) = -1 EBADF (Bad file descriptor)

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
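The reply above spots the unchecked descriptor by eye. As an added example (not code from the thread), the shell/awk helper below flags that pattern in strace text automatically: an open() that returned -1 followed by later calls in the same pid that pass -1 as the descriptor. The sample lines are constructed in the shape of the ones quoted above, with two healthy lines added that must not be flagged; unchecked_fd_report and count_bad_fd_uses are my own names.

```shell
#!/bin/sh
# Added example, not code from the thread: flag the "open() failed, but the
# -1 result was still used as a descriptor" pattern in strace output.

# Constructed sample in the shape of the strace lines quoted above, plus two
# healthy lines (a successful open and a read on that fd) that must not be
# flagged.
SAMPLE='[pid 25606] open("/home/dtm/public_html//_private/menu.html.cnt", O_RDWR) = -1 EACCES (Permission denied)
[pid 25606] lseek(-1, 0, SEEK_SET) = -1 EBADF (Bad file descriptor)
[pid 25606] write(-1, "FPCountFile ", 12) = -1 EBADF (Bad file descriptor)
[pid 25606] write(-1, "00000000001", 11) = -1 EBADF (Bad file descriptor)
[pid 25606] close(-1) = -1 EBADF (Bad file descriptor)
[pid 25606] open("/etc/hosts", O_RDONLY) = 5
[pid 25606] read(5, "127.0.0.1", 9) = 9'

# Reads strace text on stdin. Prints "FAILED <line>" for each open()/openat()
# that returned -1, and "BADFD <line>" for every later syscall in the same
# pid whose first argument is the literal descriptor -1. Lines without a
# "[pid N]" prefix (single-process traces) are keyed under an empty pid.
unchecked_fd_report() {
    awk '
        { pid = "" }
        match($0, /^\[pid +[0-9]+\]/) { pid = substr($0, RSTART, RLENGTH) }
        /open(at)?\(.*\) = -1 / { failed[pid] = 1; print "FAILED " $0; next }
        (pid in failed) && /^(\[pid +[0-9]+\] )?[a-z_0-9]+\(-1[,)]/ {
            print "BADFD " $0; next
        }
    '
}

# How many syscalls in the sample ran on the invalid descriptor?
count_bad_fd_uses() {
    printf '%s\n' "$SAMPLE" | unchecked_fd_report | grep -c '^BADFD '
}

printf '%s\n' "$SAMPLE" | unchecked_fd_report
```

Feed a real trace with `strace -f -o trace.txt ... ; unchecked_fd_report < trace.txt`; a non-empty BADFD list is the same evidence the reply above read off by hand.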