Thread: [mod-security-users] mod-security, SecChroot & suexec
From: Jinn K. <mod...@ma...> - 2005-10-16 23:04:28

Hi all,

Trying to get Apache2 running with mod-security-1.8.7 and suexec in a chroot jail on Debian Sarge. From the changelog it appears this should be possible. Other than that I haven't managed to find any notes on how to achieve this on google. Hopefully modsecurity is the place to ask this question?

suexec doesn't have any config options other than setting the user/group - and the compile time options don't appear to be causing any problems.

I have tested this testenv script from TWiki in 3 scenarios. I am trying to keep my general configs reasonably simple for now until I get it working.

1. Apache2 with suexec. No chroot. Everything works fine.

2. Apache2 with SecChrootDir. No suexec. Works fine, but the script doesn't appear to see the UID it is running as.

3. Apache2 with SecChrootDir plus suexec. The request generates a 500 error and the only logs apparent are:

*** /etc/apache2/logs/suexec.log ***
[2005-10-16 19:47:05]: crit: invalid uid: (33)

*** vhost_log ***
[Sun Oct 16 19:47:05 2005] [error] [client w.x.y.z] Premature end of script headers: testenv

The UID 33 is www-data on Debian Sarge - this is the user Apache2 is running as. The script being requested has a UID & GID over 1000.

I am unable to run 'strace apache2 -X' - apache2 bombs out before it can receive any requests.

Thanks for reading.

Jinn
From: Ivan R. <iv...@we...> - 2005-10-17 19:43:49

Jinn Koriech wrote:
> Hi all,
>
> Trying to get Apache2 running with mod-security-1.8.7 and suexec in a
> chroot jail on Debian Sarge. From the changelog it appears this should
> be possible. Other than that I haven't managed to find any notes on how
> to achieve this on google. Hopefully modsecurity is the place to ask
> this question?

Yes, it is.

It is challenging to use the mod_security chroot facility to create a jail that will be used as a "birth place" for new processes. Depending on the CGI script you may find that you need to copy certain shared libraries into the jail. Once you start doing that the "mod_security chroot magic" starts to wear off.

> I have tested this testenv script from TWiki in 3 scenarios. I am
> trying to keep my general configs reasonably simple for now until I get
> it working.
>
> 1. Apache2 with suexec. No chroot. Everything works fine.
>
> 2. Apache2 with SecChrootDir. No suexec. Works fine, but the script
> doesn't appear to see the UID it is running as.
>
> 3. Apache2 with SecChrootDir plus suexec. The request generates a 500
> error and the only logs apparent are:

I think you are experiencing these problems because the user and group files (/etc/passwd and /etc/group) are not available from within the jail. Try copying them into the jail. (After you copy them you can strip away most of the user information, leave only information suexec needs.)

BTW, a detailed, step-by-step chrooting guide is available at the address below, should you need it:

http://www.apachesecurity.net/download/apachesecurity-ch02.pdf

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Jinn K. <mod...@ma...> - 2005-10-17 21:45:18

Hi Ivan,

Thanks for your response.

I have tried copying the /etc/passwd, /etc/group and /etc/shadow files into the jail with no luck - still the same error.

Thanks for the link to the upcoming O'Reilly Apache security book. I am considering this approach as a last resort, however I would ideally like to achieve the chroot without having to put all of Apache2 into the jail.

The only point I still don't understand is why the perl script doesn't receive the user_id when it's in the jail without suexec. This leads me to believe that it may have something to do with why suexec doesn't like the CGI executing either.

Any ideas?

Jinn
From: Ivan R. <iv...@we...> - 2005-10-17 21:53:45

Jinn Koriech wrote:
> Hi Ivan,
>
> Thanks for your response.
>
> I have tried copying the /etc/passwd, /etc/group and /etc/shadow files
> into the jail with no luck - still the same error.

Have a look at page 46 of Apache Security (ch2): you may need /etc/nsswitch.conf and /lib/libnss_files.so too.

> Thanks for the link to the upcoming O'Reilly Apache security book.

It's been published in March this year :)

> I am considering this approach as a last resort, however I would ideally
> like to achieve the chroot without having to put all of Apache2 into the jail.

Considering you want to start new processes - that may not be possible.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Jinn K. <mod...@ma...> - 2005-10-17 22:47:28

No luck, I even tried all the other libs on p46 (PDF p33). These included:

"/usr/lib/apache2/suexec2", "/lib/libnss_files.so*", "/bin/ls",
"/etc/nsswitch.conf", "/etc/passwd", "/etc/group", "/etc/shadow",
"/lib/libnss_dns*", "/etc/hosts", "/etc/resolv.conf", "/etc/localtime"

plus:

packages=["perl", "perl-base", "perl-modules", "rcs", "imagemagick", "libnss-db"]

Same error appears:

[Mon Oct 17 23:40:45 2005] [error] [client w.x.y.z] Premature end of script headers: test

*** suexec.log ***
[2005-10-17 23:40:45]: crit: invalid uid: (33)

Any other ideas?

Jinn
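An added example, not code from the thread or from mod_security/suexec: a POSIX sh check for the jail files Ivan names (passwd, group, nsswitch.conf, libnss_files.so) and for whether a numeric uid such as 33 resolves against the jail's own passwd, which is the lookup behind the "invalid uid: (33)" line in suexec.log. It assumes the jail path is the SecChrootDir directory; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from mod_security/suexec.
# Checks a SecChrootDir jail for the files the thread says suexec's
# uid/gid lookup needs, and resolves a uid against the jail's own passwd.
# Assumption: the first argument is the SecChrootDir path; the file list
# follows Ivan's advice (passwd, group, nsswitch.conf, libnss_files.so).

JAIL_REQUIRED_FILES="etc/passwd etc/group etc/nsswitch.conf"

# jail_missing_files JAIL
# Prints each required file absent from the jail (one per line), plus
# lib/libnss_files.so* when no copy exists under lib/ or lib/*/.
# Returns 0 when nothing is missing, 1 otherwise.
jail_missing_files() {
    jail=$1
    missing=0
    for f in $JAIL_REQUIRED_FILES; do
        if [ ! -f "$jail/$f" ]; then
            echo "$f"
            missing=1
        fi
    done
    found_nss=0
    for so in "$jail"/lib/libnss_files.so* "$jail"/lib/*/libnss_files.so*; do
        [ -e "$so" ] && found_nss=1
    done
    if [ "$found_nss" -eq 0 ]; then
        echo "lib/libnss_files.so*"
        missing=1
    fi
    return $missing
}

# jail_resolve_uid JAIL UID
# Emulates the "files" backend of the getpwuid() call suexec makes once
# Apache has chrooted: only JAIL/etc/passwd is visible, never the host's.
# Prints the user name and returns 0, or returns 1 when the jail would make
# suexec log "invalid uid: (UID)".
jail_resolve_uid() {
    jail=$1
    uid=$2
    [ -f "$jail/etc/passwd" ] || return 1
    awk -F: -v uid="$uid" '$3 == uid { print $1; found = 1 } END { exit !found }' \
        "$jail/etc/passwd"
}

# Usage: sh jailcheck.sh /path/to/jail 33
if [ $# -eq 2 ]; then
    jail_missing_files "$1" | sed 's/^/missing: /'
    jail_resolve_uid "$1" "$2" || echo "uid $2 does not resolve inside $1"
fi
```

The awk lookup only models the passwd file itself; glibc's real getpwuid() inside the jail additionally needs the nsswitch.conf and libnss_files.so copies that the first function checks for.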
From: Ivan R. <iv...@we...> - 2005-10-17 22:52:00

Jinn Koriech wrote:
> No luck, I even tried all the other libs on p46 (PDF p33). These included:
>
> "/usr/lib/apache2/suexec2", "/lib/libnss_files.so*", "/bin/ls",
> "/etc/nsswitch.conf", "/etc/passwd", "/etc/group", "/etc/shadow",
> "/lib/libnss_dns*", "/etc/hosts", "/etc/resolv.conf", "/etc/localtime"
>
> plus:
>
> packages=["perl", "perl-base", "perl-modules", "rcs", "imagemagick",
> "libnss-db"]
>
> Same error appears:
>
> [Mon Oct 17 23:40:45 2005] [error] [client w.x.y.z] Premature end of
> script headers: test
>
> *** suexec.log ***[2005-10-17 23:40:45]: crit: invalid uid: (33)
>
> Any other ideas?

No. You should try to get strace to work, and then you would be able to see what it is that suexec is attempting (and failing) to access.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Jinn K. <mod...@ma...> - 2005-10-17 22:56:05

I read somewhere from google that strace doesn't work because of the mod-security chroot setup.

Would it be any use to provide the end of the strace output for others to review and see why it may not be working? It's only when I add the SecChrootDir that strace apache bombs out when it's strace'd. I understand if you don't want to go that far.

Thanks for your help so far.

Jinn
From: Ivan R. <iv...@we...> - 2005-10-18 10:31:28

Jinn Koriech wrote:
> I read somewhere from google that strace doesn't work because of the
> mod-security chroot setup.

Hmm, that sounds familiar, like something I may have said.

I had a moment to try something quickly: Take modsec 1.9RC1, change this line (it's at the end):

ap_hook_post_config(sec_init, NULL, NULL, APR_HOOK_REALLY_LAST);

to

ap_hook_post_config(sec_init, NULL, NULL, APR_HOOK_REALLY_FIRST);

and try again. Apache does not segfault after this change is made and strace is used. Unfortunately, I didn't have enough time to test what the other consequences of this action are (but I've pencilled it down for later).

> Would it be any use to provide the end of
> the strace output for others to review and see why it may not be
> working? It's only when I add the SecChrootDir that strace apache bombs
> out when it's strace'd.

Sure, go ahead. I won't have much time to do any tests in the next two weeks but I can respond to emails (and strace dumps).

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org