Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Posted: Wed Apr 13, 2011 4:38 pm
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 645
assuming that it loads all the files in conf.d in alphabetical order it should be loading mod_sec first

Code:

000_mod_sed.conf
00_mod_security.conf
01_mod_security_changes.conf
bw.conf
echo.conf
fcgid.conf
jk.conf
manual.conf
mod_cband.conf
mod_evasive.conf
modhostinglimits.conf
ossec.conf
perl.conf
php_cgi.conf
php.conf
proxy_ajp.conf
python.conf
ruid2.conf
server-status.conf
ssl.conf
webalizer.conf
welcome.conf
zz010_psa_httpd.conf



Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Posted: Wed Apr 13, 2011 5:34 pm
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 645
hostingguy wrote:
Hi,
it does seem to fix the issue with mod_jk and php as fcgi as it no longer throws a seg fault and is able to load the pages again, although it may be too early to conclude that it's a solid 100% fix, but so far so good.


It looks like I spoke too soon - tomcat via mod_jk is still throwing seg faults and causing pages to not load.

I did this:
Code:
echo "umask 0" >> /etc/sysconfig/httpd
echo "SecAuditLogDirMode 0777" > /etc/httpd/conf.d/01_mod_security_changes.conf
service httpd configtest && service httpd stop && service httpd start


and httpd did restart ok with OK syntax

Here is my config file
/etc/httpd/conf.d/ruid2.conf
Code:
LoadModule ruid2_module modules/mod_ruid2.so
<IfModule mod_ruid2.c>
    RMode stat
    RDefaultUidGid apache apache
    RUidGid apache apache
    RGroups apache psaserv psacln
</IfModule>


it looks like the same as before, but posting this one just in case it's different

This is from /var/log/httpd/error_log
Code:
[Wed Apr 13 14:31:32 2011] [error] (13)Permission denied: apr_global_mutex_lock(jk_log_lock) failed
[Wed Apr 13 14:31:33 2011] [notice] child pid 27071 exit signal Segmentation fault (11), possible coredump in /tmp


/var/log/tomcat5/catalina.out is empty

here is the bt and bt full from one dump
Code:
Core was generated by `/usr/sbin/httpd'.
Program terminated with signal 11, Segmentation fault.
#0  0x00002b9cab9dba10 in ap_log_rerror ()
(gdb) bt
#0  0x00002b9cab9dba10 in ap_log_rerror ()
#1  0x00002b9cb3ff3200 in jk_tcp_socket_recvfull () from /usr/lib64/httpd/modules/mod_jk.so
#2  0x00002b9cb3ffad3f in jk_log () from /usr/lib64/httpd/modules/mod_jk.so
#3  0x00002b9cb40015f9 in map_uri_to_worker () from /usr/lib64/httpd/modules/mod_jk.so
#4  0x00002b9cb3ff2734 in jk_tcp_socket_recvfull () from /usr/lib64/httpd/modules/mod_jk.so
#5  0x00002b9cab9d1c22 in ap_run_map_to_storage ()
#6  0x00002b9cab9d2d8c in ap_process_request_internal ()
#7  0x00002b9cab9d3110 in ap_sub_req_lookup_file ()
#8  0x00002b9cb11732c2 in ap_log_rerror () from /etc/httpd/modules/mod_include.so
#9  0x00002b9cb116f5e8 in ap_log_rerror () from /etc/httpd/modules/mod_include.so
#10 0x00002b9cab9cf5dd in ?? ()
#11 0x00002b9cab9d6a0a in ap_run_handler ()
#12 0x00002b9cab9d9e98 in ap_invoke_handler ()
#13 0x00002b9cab9e4958 in ap_process_request ()
#14 0x00002b9cab9e1b90 in ?? ()
#15 0x00002b9cab9ddcb2 in ap_run_process_connection ()
#16 0x00002b9cab9e8809 in ?? ()
#17 0x00002b9cab9e8a9a in ?? ()
#18 0x00002b9cab9e92fd in ap_mpm_run ()
#19 0x00002b9cab9c3e48 in main ()
(gdb) bt full
#0  0x00002b9cab9dba10 in ap_log_rerror ()
No symbol table info available.
#1  0x00002b9cb3ff3200 in jk_tcp_socket_recvfull () from /usr/lib64/httpd/modules/mod_jk.so
No symbol table info available.
#2  0x00002b9cb3ffad3f in jk_log () from /usr/lib64/httpd/modules/mod_jk.so
No symbol table info available.
#3  0x00002b9cb40015f9 in map_uri_to_worker () from /usr/lib64/httpd/modules/mod_jk.so
No symbol table info available.
#4  0x00002b9cb3ff2734 in jk_tcp_socket_recvfull () from /usr/lib64/httpd/modules/mod_jk.so
No symbol table info available.
#5  0x00002b9cab9d1c22 in ap_run_map_to_storage ()
No symbol table info available.
#6  0x00002b9cab9d2d8c in ap_process_request_internal ()
No symbol table info available.
#7  0x00002b9cab9d3110 in ap_sub_req_lookup_file ()
No symbol table info available.
#8  0x00002b9cb11732c2 in ap_log_rerror () from /etc/httpd/modules/mod_include.so
No symbol table info available.
#9  0x00002b9cb116f5e8 in ap_log_rerror () from /etc/httpd/modules/mod_include.so
No symbol table info available.
#10 0x00002b9cab9cf5dd in ?? ()
No symbol table info available.
#11 0x00002b9cab9d6a0a in ap_run_handler ()
No symbol table info available.
#12 0x00002b9cab9d9e98 in ap_invoke_handler ()
No symbol table info available.
#13 0x00002b9cab9e4958 in ap_process_request ()
No symbol table info available.
#14 0x00002b9cab9e1b90 in ?? ()
No symbol table info available.
#15 0x00002b9cab9ddcb2 in ap_run_process_connection ()
No symbol table info available.
#16 0x00002b9cab9e8809 in ?? ()
No symbol table info available.
#17 0x00002b9cab9e8a9a in ?? ()
No symbol table info available.
#18 0x00002b9cab9e92fd in ap_mpm_run ()
No symbol table info available.
#19 0x00002b9cab9c3e48 in main ()
No symbol table info available.



Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Posted: Thu Apr 14, 2011 6:08 am
Forum User
Joined: Wed Jan 05, 2011 3:09 pm
Posts: 43
hostingguy wrote:
So I guess I take some of that back - even with those changes I still see some mod_sec errors

Code:
[Wed Apr 13 12:14:53 2011] [error] [client 95.108.150.235] ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20110413/20110413-1214 (Permission denied) [hostname "domain.com"] [uri "/error/noindex.html"] [unique_id "n5Z2PAoHRiwAAGNubPUAAAAD"]


In regards to the above, as the "/var/asl/data/audit/20110413" directory was already created it won't have had the 777 permissions, you should find that now it's rolled over into the 14th that this is now correct.

Do a ls -la /var/asl/data/audit/ and check the permissions on the directory.


Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Posted: Thu Apr 14, 2011 9:29 am
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 645
unfortunately with mod_jk and fcgi not working, mod_sec is the least of the problem so I had to disable ruid.


Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Posted: Thu Apr 14, 2011 1:29 pm
Forum User
Joined: Wed Jan 05, 2011 3:09 pm
Posts: 43
mod_jk understandable if you have people using that.

But ruid2 is an alternative to php under fcgid really, so that shouldn't really be needed when using ruid2 anyway. And Plesk's implementation of php under fcgid is so bad anyway I'm really not sure why you would be using it.

If you're using RoR under fcgid then well - that's just wrong - mod_passenger with Ruby Enterprise is so easy to set up so no real issues there.


Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Posted: Thu Apr 14, 2011 1:34 pm
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 645
keep in mind it's not what "I" am doing - we have dozens of servers with hundreds of customers so it's what "they" are doing.

We have a vanilla installation of Plesk 9.5 so ideally whatever this mod does should play nice with Plesk. Plesk also states that fcgi is required for ruby, but I would be more than happy to remove fcgi as an option for php - however that still doesn't solve the potential problems with ruby, and the actual problems with tomcat.

I do appreciate your assistance though, and ideally I would love to get this working - preferably in stat mode.


Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Posted: Thu Apr 14, 2011 1:41 pm
Forum User
Joined: Wed Jan 05, 2011 3:09 pm
Posts: 43
Ruby under fastcgi = RoR (Ruby on Rails), it is about the worst method to run it.

Take a look at REE + Mod_passenger by far the best method.

But as for java, I'm afraid we stopped allowing it, nightmare to debug, Plesk installation is so non standard, loads of simple things like fonts missing - caused nothing but grief.


Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Posted: Fri Apr 15, 2011 12:26 pm
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 645
also I found that Apache asp didn't work right either, we had several people report some issues there as well :(

Since RUID2 is now disabled should any of these changes be reverted or modified?

Code:
echo "umask 0" >> /etc/sysconfig/httpd
echo "SecAuditLogDirMode 0777" > /etc/httpd/conf.d/01_mod_security_changes.conf


Ever since this I see a lot of rootcheck emails coming through ossec saying that people's log files are world writable
Code:
Received From: my-web-server->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

File '/var/www/vhosts/domain.com/statistics/logs/error_log' is owned by root and has written permissions to anyone.


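
A read-only check for what the last post asks about: whether `umask 0` and a world-writable `SecAuditLogDirMode` are still configured, and which root-owned files anyone can write (the condition in the rootcheck alert). This is an added example, not part of the thread or of any Atomicorp tooling; the function names are hypothetical, and the paths in the final comment are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example: audit for the leftover settings discussed in this thread.
# All paths are parameters; nothing is modified.

# True if FILE contains an active (uncommented) "umask 0" / "umask 000" line.
has_umask_zero() {
    grep -Eq '^[[:space:]]*umask[[:space:]]+0+[[:space:]]*$' "$1" 2>/dev/null
}

# Print any SecAuditLogDirMode value in FILE whose "other" digit has the write bit.
world_writable_dirmode() {
    awk 'tolower($1) == "secauditlogdirmode" && $2 ~ /^[0-7]+$/ {
             o = substr($2, length($2), 1) + 0
             if (o == 2 || o == 3 || o == 6 || o == 7) print $2
         }' "$1" 2>/dev/null
}

# List regular files under DIR owned by OWNER (default root) that anyone
# can write, which is the condition the rootcheck alert describes.
world_writable_files() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -0002 2>/dev/null
}

# audit SYSCONFIG MODSEC_CONF LOG_ROOT [OWNER]
# Prints findings; the return status is the number of finding classes (0-3).
audit() {
    findings=0
    if has_umask_zero "$1"; then
        echo "umask 0 is still set in $1"; findings=$((findings + 1))
    fi
    mode=$(world_writable_dirmode "$2")
    if [ -n "$mode" ]; then
        echo "SecAuditLogDirMode $mode in $2 is world-writable"; findings=$((findings + 1))
    fi
    files=$(world_writable_files "$3" "$4")
    if [ -n "$files" ]; then
        echo "world-writable files under $3:"; echo "$files"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Paths as quoted in the thread; run as root so every vhost directory is readable:
# audit /etc/sysconfig/httpd /etc/httpd/conf.d/01_mod_security_changes.conf /var/www/vhosts
```

Files created while `umask 0` was active keep their mode after the setting is removed, so the file listing can stay non-empty until those modes are corrected.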
 