Thread: [mod-security-users] Using SecChrootDir Directive
From: Lee M. <le...@ub...> - 2005-04-29 17:26:00
I've looked at the modsecurity reference manual and would like to try using the SecChrootDir directive to chroot my apache installation. I'm not too familiar with chrooting daemons etc but do understand its purpose for security. I'm just not sure about what I need for a directory structure in order to ensure modsecurity will chroot successfully. I'll try to outline my steps and some background.

I'm running Apache 2.0.53 using mod_security 1.8.7. I've installed modsecurity successfully and it seems to be working using a very simple ruleset on my test box.

Apache Installation: /usr/local/apache
Document Root: /webs
Apache Logs: /webs/logs

Setting up SecChrootDir /chroot/apache

Okay, this is probably the part I'm confused about, setting up the directories underneath the /chroot directory. Do I make symbolic links to the apache install directory for each subfolder? What do I do about my document root and/or logs directory? Should I use symbolic links for them as well? I guess this is the part that I'm struggling with when setting up modsecurity to chroot apache.

Any help would be appreciated.

Thank You.
From: Ivan R. <iv...@we...> - 2005-04-30 09:27:28
Lee Mehlhorn wrote:
>
> I'm running Apache 2.0.53 using mod_security 1.8.7. I've installed
> modsecurity successfully and it seems to be working using a very simple
> ruleset on my test box.
>
> Apache Installation: /usr/local/apache
> Document Root: /webs
> Apache Logs: /webs/logs
>
> Setting up SecChrootDir /chroot/apache
> Okay, this is probably the part I'm confused about, setting up the
> directories underneath the /chroot directory. Do I symbolic links to
> the apache install directory for each subfolder? what do I do about my
> document root and or logs directory? Should I use symbolic links for
> them as well?

You could put your document root into the jail:

  cd /
  mv /webs /chroot/apache/webs
  ln -s /chroot/apache/webs

and try with:

  SecChrootDir /chroot/apache

Everything else can remain outside the jail but there are consequences (e.g. you won't be able to restart Apache, just stop-start it).

You will probably need to have /chroot/apache/usr/local/apache/logs too, as Apache 2 attempts to create some files after the chroot and that's the default directory for them.

There's extensive documentation available here: http://www.apachesecurity.net/download/apachesecurity-ch02.pdf

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Roman Medina-H. H. <ro...@rs...> - 2005-04-30 14:15:47
Ivan Ristic wrote:
> SecChrootDir /chroot/apache
>
> Everything else can remain outside jail but there are consequences
> (e.g. you won't be able to restart Apache, just stop-start it).

And what about Perl/Python/* libraries needed for CGIs? Let's suppose we have a cgi-bin directory inside the chroot jail (for instance, /chroot/apache/www/cgi-bin). That's ok, but what will happen when the invoked CGI tries to execute /usr/bin/perl, or moreover when it needs /usr/lib/perl/* files (all of them are outside the jail)?

--
Saludos,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
From: Ivan R. <iv...@we...> - 2005-04-30 15:20:28
Roman Medina-Heigl Hernandez wrote:
> Ivan Ristic wrote:
>
>> SecChrootDir /chroot/apache
>>
>> Everything else can remain outside jail but there are consequences
>> (e.g. you won't be able to restart Apache, just stop-start it).
>
> And what about Perl/Python/* libraries needed for CGIs? Let's suppose we
> have cgi-bin directory inside chroot jail (for instance,
> /chroot/apache/www/cgi-bin). That's ok, but what will be happen when the
> invoked cgi try to execute /usr/bin/perl or moreover when it needs
> /usr/lib/perl/* files (all of them are out of the jail)?

Nothing, it won't work. If you have a need for CGI scripts or any other type of external binary execution you will have to create a proper jail. You won't be needing mod_security.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: peceka <pe...@gm...> - 2005-06-02 11:45:29
Hi Ivan,

> > Everything else can remain outside jail but there are consequences
> > (e.g. you won't be able to restart Apache, just stop-start it).
>

Why am I not able to restart Apache?
When using /usr/local/sbin/apachectl graceful

All httpd processes die and in the logs I've got:
httpd: bad user name nobody

But in httpd.conf:
User www
Group www

TIA
p.
From: Ivan R. <iv...@we...> - 2005-06-02 11:58:41
peceka wrote:
> Hi Ivan,
>
>>
>> Everything else can remain outside jail but there are consequences
>> (e.g. you won't be able to restart Apache, just stop-start it).
>>
>
> Why i'm not able to restart Apache?

For a restart to take place the main Apache process must be able to re-read the configuration. If the httpd.conf is outside the jail it won't be able to access it.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Ryan B. <rcb...@gm...> - 2005-06-02 12:03:27
The error message in the logs most likely indicates that the apache process is reading the chrooted httpd.conf file (which has the 'User nobody' directive set) and is checking this against the chrooted /etc/passwd file (which most likely does not have an entry for the 'nobody' account). Try and trace/strace your apachectl command to verify which files it is accessing -

  # strace -f -e trace=open /usr/local/sbin/apachectl graceful

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GCUX, GSEC

On 6/2/05, peceka <pe...@gm...> wrote:
> Hi Ivan,
>
> > > Everything else can remain outside jail but there are consequences
> > > (e.g. you won't be able to restart Apache, just stop-start it).
> >
>
> Why i'm not able to restart Apache?
> When using /usr/local/sbin/apachectl graceful
>
> All httpd processes die and in logs i've got:
> httpd: bad user name nobody
>
> But in httpd.conf:
> User www
> Group www
>
> TIA
>
> p.
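As an added example (not code from the thread, from Ryan, or from mod_security), a POSIX shell check that applies Ivan's and Ryan's points above: it reads User, Group, DocumentRoot and ServerRoot from httpd.conf and verifies that the jail holds matching /etc/passwd and /etc/group entries, the DocumentRoot, and the ServerRoot logs directory that Apache 2 writes to after the chroot. It assumes the jail root and the httpd.conf path are passed as its two arguments and that ServerRoot defaults to /usr/local/apache as in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from mod_security. Checks a
# SecChrootDir jail against the directives in httpd.conf. Assumed: the jail
# root and the httpd.conf path are given as the two arguments, and the
# ServerRoot default is /usr/local/apache as in the thread.

# Print the last value of a directive (name, conf file), quotes stripped.
conf_value() {
  awk -v d="$1" '$1 == d { v = $2 } END { print v }' "$2" | tr -d '"'
}

# Return 0 if the jail has what Apache needs after the chroot, 1 otherwise.
check_apache_jail() {
  jail=$1; conf=$2; rc=0
  user=$(conf_value User "$conf")
  group=$(conf_value Group "$conf")
  docroot=$(conf_value DocumentRoot "$conf")
  serverroot=$(conf_value ServerRoot "$conf")
  serverroot=${serverroot:-/usr/local/apache}

  # On restart Apache re-reads httpd.conf and resolves User/Group from
  # inside the jail, so the jail needs its own passwd/group entries
  # (otherwise the log shows "httpd: bad user name ...").
  if ! grep -q "^$user:" "$jail/etc/passwd" 2>/dev/null; then
    echo "missing user '$user' in $jail/etc/passwd"; rc=1
  fi
  if ! grep -q "^$group:" "$jail/etc/group" 2>/dev/null; then
    echo "missing group '$group' in $jail/etc/group"; rc=1
  fi
  # DocumentRoot is resolved relative to the jail once chrooted.
  if [ ! -d "$jail$docroot" ]; then
    echo "DocumentRoot $docroot not found under $jail"; rc=1
  fi
  # Apache 2 creates run-time files under ServerRoot/logs after the chroot.
  if [ ! -d "$jail$serverroot/logs" ]; then
    echo "$serverroot/logs not found under $jail"; rc=1
  fi
  return $rc
}

# Usage: check_jail.sh /chroot/apache /chroot/apache/usr/local/apache/conf/httpd.conf
if [ $# -eq 2 ]; then
  check_apache_jail "$1" "$2" && echo "jail looks complete"
fi
```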