Thread: [mod-security-users] mod_ssl: Child could not open SSLMutex lockfile
From: Thai D. <th...@gm...> - 2005-05-11 17:50:38
Hi guys,

When I chroot my Apache 1.3.x with mod_security, it kept reporting that error. I have searched through this list and found that this error had been reported once but still there is no solution, rite?

It seems that this problem only occurs in Apache 1.3; I have successfully chrooted Apache 2.0 with mod_ssl without any problem before. Here is my modsec.conf which is included at the end of httpd.conf

-----------snip-------------

# Yes, we want to use mod_security
ClearModuleList
AddModule mod_security.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_setenvif.c
AddModule mod_ssl.c
AddModule mod_php4.c

SecFilterEngine On

SecServerSignature "Microsoft IIS/5.0"

SecChrootDir /chroot/jail

---snip------------

Any suggestion?

TIA,
-T
From: Ivan R. <iv...@we...> - 2005-05-23 09:42:07
Thai Duong wrote:
> Hi guys,
>
> When I chroot my Apache 1.3.x with mod_security, it kept reporting that
> error. I have searched through this list and found that this error had
> been reported one but still there is no solution rite?
>
> It seems that this problem only occurs in Apache 1.3, I have sucessfully
> chroot Apache 2.0 with mod_ssl without any problem before. Here is my
> modsec.conf which is included at the end of httpd.conf
>
> -----------snip-------------
>
> # Yes, we want to use mod_security
> ClearModuleList
> AddModule mod_security.c
> AddModule mod_env.c
> AddModule mod_log_config.c
> AddModule mod_mime.c
> AddModule mod_negotiation.c
> AddModule mod_access.c
> AddModule mod_auth.c
> AddModule mod_setenvif.c
> AddModule mod_ssl.c
> AddModule mod_php4.c
>
> SecFilterEngine On
>
> SecServerSignature "Microsoft IIS/5.0"
>
> SecChrootDir /chroot/jail
>
> ---snip------------
>
> Any suggestion?

Use strace to find out what mod_ssl is trying to do. What does your directory structure look like? Show us both, the one outside the jail and the one in /chroot/jail.

> Anyway, I found a solution, just set SSLMutex directive to none, it
> works like a charm.

FYI, with SSLMutex set to none the SSL session cache can become corrupted from time to time.

> FYI, I encountered a lot of problems when using mod_security as a
> static module of both apache 1.3.x and httpd 2.x. Most of the problems
> are with the mod_ssl module (also compiled statically). mod_ssl
> complained that it could not open its SSLMutex, and when I set
> SSLMutext to none, it continued complained that it could not write to
> the scache directory, which I have created both in the chroot jail and
> the original path. I also chowned these directories to apache but
> still no luck. It seems that mod_security is not made to use as a
> static module/in a static server (I meant a server that all modules
> are compiled statically), rite?

In my experience, it does not matter if Apache is compiled statically or the modules are loaded at runtime. It is only the order of initialisation that matters. Consequently, mod_security should work equally well in both cases.

The problems you are experiencing are due to the fact mod_ssl needs to work with certain files (the cache files and the mutex) after chroot takes place. You simply need a correct directory structure for that to happen. Again, the use of strace would pinpoint the problem.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: peceka <pe...@gm...> - 2005-05-27 15:05:47
Hi Ivan,
I've got this same error (FreeBSD and apache+mod_ssl-1.3.33+2.8.22).
In httpd.conf I've got:
<IfModule mod_security.c>
SecChrootLock modsec_chroot.lock
SecChrootDir /usr/chroot/apache
</IfModule>
When I hadn't got SecChrootLock, in my /var/log/httpd-error.log I've got:
[Fri May 27 16:14:37 2005] [info] mod_unique_id: using ip 1.2.3.4
[Fri May 27 16:14:38 2005] [error] mod_security: unable to create chroot
lock "/usr/local/logs/modsec_chroot.lock", errno=2(No such file or
directory)
even though I've got /usr/local/logs in my /usr/chroot/apache...
So I've added SecChrootLock modsec_chroot.lock and now it's ok.
But returning to main topic ;)
web2# ls -lR /usr/chroot/apache/
total 4
drwxr-xr-x 3 root wheel 512 May 27 16:08 usr
drwxr-xr-x 3 root wheel 512 May 27 15:59 var
/usr/chroot/apache/usr:
total 2
drwxr-xr-x 3 root wheel 512 May 27 16:09 local
/usr/chroot/apache/usr/local:
total 2
drwxr-xr-x 3 root wheel 512 May 27 16:09 logs
/usr/chroot/apache/usr/local/logs:
total 2
drwxr-xr-x 2 www www 512 May 27 16:09 ssl_scache
/usr/chroot/apache/usr/local/logs/ssl_scache:
total 0
/usr/chroot/apache/var:
total 2
drwxrwxrwx 2 root wheel 512 May 27 16:14 run
/usr/chroot/apache/var/run:
total 0
And now after starting Apache I've got in /var/log/httpd-error.log:
[Fri May 27 16:42:56 2005] [info] mod_unique_id: using ip addr 1.2.3.4
[Fri May 27 16:42:57 2005] [notice] mod_security: chroot checkpoint #1
(pid=4068 ppid=4061)
[Fri May 27 16:42:57 2005] [info] (2)No such file or directory:
make_sock: for port 443, setsockopt: (SO_ACCEPTFILTER)
[Fri May 27 16:42:57 2005] [info] (2)No such file or directory:
make_sock: for port 80, setsockopt: (SO_ACCEPTFILTER)
[Fri May 27 16:42:57 2005] [warn] pid file /var/run/httpd.pid
overwritten -- Unclean shutdown of previous Apache run?
[Fri May 27 16:42:57 2005] [info] mod_unique_id: using ip addr 1.2.3.4
[Fri May 27 16:42:58 2005] [notice] mod_security: chroot checkpoint #2
(pid=4069 ppid=1)
[Fri May 27 16:42:58 2005] [notice] mod_security: chroot successful,
path=/usr/chroot/apache
[Fri May 27 16:42:58 2005] [notice] Microsoft-IIS/5.0 configured --
resuming normal operations
[Fri May 27 16:42:58 2005] [error] mod_ssl: Child could not open
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:42:58 2005] [error] mod_ssl: Child could not open
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:42:58 2005] [error] mod_ssl: Child could not open
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:42:58 2005] [error] mod_ssl: Child could not open
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:42:58 2005] [error] mod_ssl: Child could not open
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:42:58 2005] [info] Server built: May 8 2005 08:16:10
[Fri May 27 16:42:58 2005] [error] System: No such file or directory
(errno: 2)
[Fri May 27 16:42:58 2005] [error] System: No such file or directory
(errno: 2)
[Fri May 27 16:42:58 2005] [error] System: No such file or directory
(errno: 2)
[Fri May 27 16:42:58 2005] [error] System: No such file or directory
(errno: 2)
[Fri May 27 16:42:58 2005] [error] System: No such file or directory
(errno: 2)
[Fri May 27 16:42:58 2005] [notice] Accept mutex: flock (Default: flock)
[Fri May 27 16:42:59 2005] [error] mod_ssl: Child could not open
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:42:59 2005] [error] System: No such file or directory
(errno: 2)
[Fri May 27 16:43:00 2005] [error] mod_ssl: Child could not open
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:43:00 2005] [error] mod_ssl: Child could not open
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:43:00 2005] [error] System: No such file or directory
(errno: 2)
[Fri May 27 16:43:00 2005] [error] System: No such file or directory
(errno: 2)
[Fri May 27 16:43:01 2005] [error] mod_ssl: Child could not open
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
I think that I've got the correct directory structure and Apache has got
permission to write in the dirs...
Best Regards,
p.
From: Ivan R. <iv...@we...> - 2005-05-27 16:51:42
peceka wrote:
> Hi Ivan,
> I've got this same error (FreeBSD and apache+mod_ssl-1.3.33+2.8.22).
OK, I have figured it out. But first here's a step-by-step guide
that I've always been using and that always worked:
I've just made a fresh install of Apache 1.3.33 + mod_ssl
mod_ssl-2.8.22-1.3.33 + mod_security 1.8.7. Here is what I did:
---
tar zxvf apache_1.3.33.tar.gz
tar zxvf mod_ssl-2.8.22-1.3.33.tar.gz
tar zxvf modsecurity-1.8.7.tar.gz
cd mod_ssl-2.8.22-1.3.33
./configure --with-apache=../apache_1.3.33
cd ../apache_1.3.33
./configure \
--prefix=/usr/local/apache \
--enable-module=ssl \
--enable-module=so
make
make certificate
make install
/usr/local/apache/bin/apachectl startssl
[Made sure Apache + SSL works]
/usr/local/apache/bin/apachectl stop
cd /usr/local/src/modsecurity-1.8.7/apache1/
/usr/local/apache/bin/apxs -cia mod_security.c
[Added SecChrootDir /chroot/apache to the end of httpd.conf]
mkdir -p /chroot/apache/usr/local
cd /usr/local
mv apache /chroot/apache/usr/local
ln -s /chroot/apache/usr/local/apache
/usr/local/apache/bin/apachectl startssl
[Woohoo!]
---
Anyway, back to the problem. It appears that mod_ssl creates the
lockfile before the chroot takes place, closes it, and then wants to
open it again later, after the chroot. It's not smart enough to create a
new lock file if it doesn't find one. So if you are attempting to create
an Apache jail that leaves its logs/ folder outside you get the error
message. There are two solutions:
1) Easy - use "SSLMutex sem"
2) Dirty - move the logs/ folder into the jail, and create a symlink
to it from the outside (like I did with the main Apache
folder in the example above). It is not necessary to move
all logs into the jail - you can tell mod_ssl (using
SSLMutex file:/xxx) to place the mutex files somewhere else.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: K V. <kva...@se...> - 2005-06-14 23:25:55
Thai Duong <thaidn <at> gmail.com> writes:
>
> Hi guys,
> When I chroot my Apache 1.3.x with mod_security, it kept reporting that
> error. I have searched through this list and found that this error had
> been reported one but still there is no solution rite?
> It seems that this problem only occurs in Apache 1.3, I have
> sucessfully chroot Apache 2.0 with mod_ssl without any problem before.
> Here is my modsec.conf which is included at the end of httpd.conf
> -----------snip-------------
> # Yes, we want to use mod_security
> ClearModuleList
> AddModule mod_security.c
> AddModule ...
> SecFilterEngine On
>
> SecServerSignature "Microsoft IIS/5.0"
>
> SecChrootDir /chroot/jail
> ---snip------------
> Any suggestion?
> TIA,
> -T

Our local guru solved this by creating a symbolic link in the chroot jail directory, to itself, called the same (magic, don't ask me).

So, the chroot jail directory is /XXX, so we

cd /XXX
ln -s . XXX

It works.
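The layout requirement Ivan describes (mod_ssl records its lock file and session cache paths before SecChrootDir takes effect and re-opens them by the same absolute path after the chroot) and the self-referencing symlink K V. mentions can both be checked before Apache is started. The script below is an added example for this thread, not code from the mod_security project or from any of the posters. SSLMutex, SSLSessionCache and SecChrootDir are the real directive names; the helper names (parse_httpd_conf, post_chroot_dirs, resolve_in_jail, check_jail, demo), the directive forms it understands and the throw-away jail built in demo() are assumptions made for the example. It resolves each required directory the way the kernel would from inside the jail, so a link such as XXX -> . at the jail root is followed correctly, and reports every directory that would be missing after the chroot.

```python
"""Pre-flight check for a chrooted Apache 1.3 + mod_ssl + mod_security jail.

Added example for this thread (not mod_security project code). Every path
mod_ssl re-opens after SecChrootDir must also resolve inside the jail; this
script finds the ones that do not. Helper names are assumptions."""
import os
import re
import tempfile


def parse_httpd_conf(text):
    """Return {directive: value} for simple one-line directives; comments,
    blank lines and container tags such as <IfModule> are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip().strip('"')
    return conf


def post_chroot_dirs(conf):
    """Directories mod_ssl must reach after chroot, as (directive, dir) pairs."""
    needed = []
    mutex = conf.get("SSLMutex", "none")
    if mutex.startswith("file:"):
        # mod_ssl appends ".<pid>" to the name (cf. /var/run/ssl_mutex.4068 in
        # the log above), so it is the directory that has to exist.
        needed.append(("SSLMutex", os.path.dirname(mutex[len("file:"):])))
    cache = conf.get("SSLSessionCache", "none")
    m = re.match(r"(dbm|shmht|shmcb):([^()]+)", cache)
    if m:
        needed.append(("SSLSessionCache", os.path.dirname(m.group(2))))
    return needed


def resolve_in_jail(jail, path, max_links=40):
    """Resolve absolute `path` as the kernel would after chroot(jail):
    symlinks are followed, an absolute link target is re-rooted at the jail,
    and '..' never climbs above the jail root.  Returns the host-side path."""
    jail = os.path.abspath(jail)
    queue = [p for p in path.split("/") if p]
    stack, links = [], 0
    while queue:
        comp = queue.pop(0)
        if comp == ".":
            continue
        if comp == "..":
            if stack:
                stack.pop()
            continue
        here = os.path.join(jail, *stack, comp)
        if os.path.islink(here):
            links += 1
            if links > max_links:
                raise OSError("too many symlinks while resolving %s" % path)
            target = os.readlink(here)
            if target.startswith("/"):
                stack = []          # '/' seen from inside the jail is the jail
            queue = [p for p in target.split("/") if p] + queue
            continue
        stack.append(comp)
    return os.path.join(jail, *stack)


def check_jail(conf_text):
    """Return (directive, wanted_dir, resolved_host_path) for every post-chroot
    directory missing under SecChrootDir; an empty list means the layout is OK."""
    conf = parse_httpd_conf(conf_text)
    jail = conf.get("SecChrootDir")
    if not jail:
        return []                   # not chrooted, nothing to check
    problems = []
    for directive, wanted in post_chroot_dirs(conf):
        resolved = resolve_in_jail(jail, wanted)
        if not os.path.isdir(resolved):
            problems.append((directive, wanted, resolved))
    return problems


def demo():
    """Build a throw-away jail (constructed sample) and return the directives
    flagged before and after applying the self-referencing symlink trick."""
    with tempfile.TemporaryDirectory() as tmp:
        jail = os.path.join(tmp, "jail")
        os.makedirs(os.path.join(jail, "var", "run"))
        # K V.'s trick: inside the jail, a link named after the jail that
        # points at '.', so /XXX/... resolves to the jail root after chroot.
        os.symlink(".", os.path.join(jail, "XXX"))
        conf = ("SecChrootDir %s\n"
                "SSLMutex file:/var/run/ssl_mutex\n"
                "SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache\n" % jail)
        broken = check_jail(conf)   # logs/ lives outside the jail
        fixed = check_jail(conf.replace("dbm:/usr/local/apache/logs",
                                        "dbm:/XXX/var/run"))
        return [p[0] for p in broken], [p[0] for p in fixed]
```

Run check_jail() on the real httpd.conf before starting the server: a reported SSLMutex entry corresponds to the "Child could not open SSLMutex lockfile ... No such file or directory" lines in peceka's log, and a reported SSLSessionCache entry to the scache complaint in Thai's message. The check only looks at existence inside the jail; ownership and write permission for the user Apache runs as still have to be verified separately, and strace remains the way to see which path a running child actually tries to open.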