Thread: [mod-security-users] Chroot and worker MPM?

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

I'm getting a weird error when configuring chroot using SecChrootDir and
using the worker MPM.  Hoping someone else has ran across this before
and has some ideas.

Versions are as follows: Red Hat Enterprise Linux v4, Apache 2.0.54,
ModSecurity 1.8.7=20
(Note, Apache was configured with all modules as static, including
ModSecurity)

Relevant configuration bits from /etc/httpd/conf/httpd.conf:

<IfModule worker.c>
ServerLimit          1
ThreadLimit        300
StartServers         0
MaxClients         256
MinSpareThreads      1
MaxSpareThreads    256
ThreadsPerChild    256
MaxRequestsPerChild  0
</IfModule>

# Mod_Security Directives
<IfModule mod_security.c>
        SecChrootDir /var/www
        SecChrootLock /var/lock/modsecurity-chroot.lock
</IfModule>

When I start the server, I get the following in
/var/log/httpd/error_log:
[Thu Jul 07 17:07:08 2005] [info] Init: Initializing OpenSSL library
[Thu Jul 07 17:07:08 2005] [info] Init: Seeding PRNG with 0 bytes of
entropy
[Thu Jul 07 17:07:08 2005] [info] Init: Generating temporary RSA private
keys (512/1024 bits)
[Thu Jul 07 17:07:08 2005] [info] Init: Generating temporary DH
parameters (512/1024 bits)
[Thu Jul 07 17:07:08 2005] [warn] Init: Session Cache is not configured
[hint: SSLSessionCache]
[Thu Jul 07 17:07:08 2005] [info] Init: Initializing (virtual) servers
for SSL
[Thu Jul 07 17:07:08 2005] [info] Server: Apache/2.0.54, Interface:
mod_ssl/2.0.54, Library: OpenSSL/0.9.7a
[Thu Jul 07 17:07:08 2005] [notice] mod_security: chroot checkpoint #1
(pid=3D3424 ppid=3D3423)
[Thu Jul 07 17:07:08 2005] [info] Init: Initializing OpenSSL library
[Thu Jul 07 17:07:08 2005] [info] Init: Seeding PRNG with 0 bytes of
entropy
[Thu Jul 07 17:07:08 2005] [info] Init: Generating temporary RSA private
keys (512/1024 bits)
[Thu Jul 07 17:07:09 2005] [info] Init: Generating temporary DH
parameters (512/1024 bits)
[Thu Jul 07 17:07:09 2005] [info] Init: Initializing (virtual) servers
for SSL
[Thu Jul 07 17:07:09 2005] [info] Server: Apache/2.0.54, Interface:
mod_ssl/2.0.54, Library: OpenSSL/0.9.7a
[Thu Jul 07 17:07:09 2005] [notice] mod_security: chroot checkpoint #2
(pid=3D3425 ppid=3D1)
[Thu Jul 07 17:07:09 2005] [notice] mod_security: chroot successful,
path=3D/var/www
[Thu Jul 07 17:07:09 2005] [notice] Apache/2.0.54 configured -- resuming
normal operations
[Thu Jul 07 17:07:09 2005] [info] Server built: Jul  7 2005 01:21:09
[Thu Jul 07 17:07:09 2005] [debug] worker.c(1681): AcceptMutex: sysvsem
(default: sysvsem)
libgcc_s.so.1 must be installed for pthread_cancel to work
[Thu Jul 07 17:07:11 2005] [notice] child pid 3428 exit signal Aborted
(6)

A ps -ef shows that the child server process is not running:
[root@wyrmfire conf]# ps -ef | grep http
root      3425     1  7 17:07 ?        00:00:00 /usr/sbin/httpd
root      4725  2588  0 17:07 pts/0    00:00:00 grep http

Requests to the system (i.e. http://wyrmfire.esri.com/) also fail at
this point.

Commenting out the SecChrootDir directive or switching to the prefork
MPM both work fine.  So the trouble seems specific to running the worker
MPM with the SecChrootDir directive.  I tried copying the missing
libgcc_s.so.1 library (not the symbolic link :-) to inside my chroot
(i.e. /var/www/lib) but no dice.  It looks like Apache is trying to
spawn the child after the chroot instead of before--odd that the prefork
MPM does not show the same behavior.

Seems from my reading that there should a performance benefit from using
the worker MPM, so I'd appreciate any ideas on how to fix this.

Thanks,
Jeff Tharp
System Administrator
ESRI - Redlands, CA
http://www.esri.com