[atomic] mod_ruid2 0.9.1-1

hostingguy

Assuming that it loads all the files in conf.d in alphabetical order, it should be loading mod_sec first.

Code:

000_mod_sed.conf
00_mod_security.conf
01_mod_security_changes.conf
bw.conf
echo.conf
fcgid.conf
jk.conf
manual.conf
mod_cband.conf
mod_evasive.conf
modhostinglimits.conf
ossec.conf
perl.conf
php_cgi.conf
php.conf
proxy_ajp.conf
python.conf
ruid2.conf
server-status.conf
ssl.conf
webalizer.conf
welcome.conf
zz010_psa_httpd.conf

hostingguy

hostingguy wrote:
Hi,
it does seem to fix the issue with mod_jk and php as fcgi as it no longer throws a seg fault and is able to load the pages again, although it may be too early to conclude that it's a solid 100% fix, but so far so good.

It looks like I spoke too soon - tomcat via mod_jk is still throwing seg faults and causing pages to not load.

I did this:

Code:

echo "umask 0" >> /etc/sysconfig/httpd
echo "SecAuditLogDirMode 0777" > /etc/httpd/conf.d/01_mod_security_changes.conf
service httpd configtest && service httpd stop && service httpd start

and httpd did restart ok with OK syntax

Here is my config file
/etc/httpd/conf.d/ruid2.conf

Code:

LoadModule ruid2_module modules/mod_ruid2.so
<IfModule mod_ruid2.c>
    RMode stat
    RDefaultUidGid apache apache
    RUidGid apache apache
    RGroups apache psaserv psacln
</IfModule>

it looks like the same as before, but posting this one just in case it's different

This is from /var/log/httpd/error_log

Code:

[Wed Apr 13 14:31:32 2011] [error] (13)Permission denied: apr_global_mutex_lock(jk_log_lock) failed
[Wed Apr 13 14:31:33 2011] [notice] child pid 27071 exit signal Segmentation fault (11), possible coredump in /tmp

/var/log/tomcat5/catalina.out is empty

here is the bt and bt full from one dump

Code:

Core was generated by `/usr/sbin/httpd'.
Program terminated with signal 11, Segmentation fault.
#0  0x00002b9cab9dba10 in ap_log_rerror ()
(gdb) bt
#0  0x00002b9cab9dba10 in ap_log_rerror ()
#1  0x00002b9cb3ff3200 in jk_tcp_socket_recvfull () from /usr/lib64/httpd/modules/mod_jk.so
#2  0x00002b9cb3ffad3f in jk_log () from /usr/lib64/httpd/modules/mod_jk.so
#3  0x00002b9cb40015f9 in map_uri_to_worker () from /usr/lib64/httpd/modules/mod_jk.so
#4  0x00002b9cb3ff2734 in jk_tcp_socket_recvfull () from /usr/lib64/httpd/modules/mod_jk.so
#5  0x00002b9cab9d1c22 in ap_run_map_to_storage ()
#6  0x00002b9cab9d2d8c in ap_process_request_internal ()
#7  0x00002b9cab9d3110 in ap_sub_req_lookup_file ()
#8  0x00002b9cb11732c2 in ap_log_rerror () from /etc/httpd/modules/mod_include.so
#9  0x00002b9cb116f5e8 in ap_log_rerror () from /etc/httpd/modules/mod_include.so
#10 0x00002b9cab9cf5dd in ?? ()
#11 0x00002b9cab9d6a0a in ap_run_handler ()
#12 0x00002b9cab9d9e98 in ap_invoke_handler ()
#13 0x00002b9cab9e4958 in ap_process_request ()
#14 0x00002b9cab9e1b90 in ?? ()
#15 0x00002b9cab9ddcb2 in ap_run_process_connection ()
#16 0x00002b9cab9e8809 in ?? ()
#17 0x00002b9cab9e8a9a in ?? ()
#18 0x00002b9cab9e92fd in ap_mpm_run ()
#19 0x00002b9cab9c3e48 in main ()
(gdb) bt full
#0  0x00002b9cab9dba10 in ap_log_rerror ()
No symbol table info available.
#1  0x00002b9cb3ff3200 in jk_tcp_socket_recvfull () from /usr/lib64/httpd/modules/mod_jk.so
No symbol table info available.
#2  0x00002b9cb3ffad3f in jk_log () from /usr/lib64/httpd/modules/mod_jk.so
No symbol table info available.
#3  0x00002b9cb40015f9 in map_uri_to_worker () from /usr/lib64/httpd/modules/mod_jk.so
No symbol table info available.
#4  0x00002b9cb3ff2734 in jk_tcp_socket_recvfull () from /usr/lib64/httpd/modules/mod_jk.so
No symbol table info available.
#5  0x00002b9cab9d1c22 in ap_run_map_to_storage ()
No symbol table info available.
#6  0x00002b9cab9d2d8c in ap_process_request_internal ()
No symbol table info available.
#7  0x00002b9cab9d3110 in ap_sub_req_lookup_file ()
No symbol table info available.
#8  0x00002b9cb11732c2 in ap_log_rerror () from /etc/httpd/modules/mod_include.so
No symbol table info available.
#9  0x00002b9cb116f5e8 in ap_log_rerror () from /etc/httpd/modules/mod_include.so
No symbol table info available.
#10 0x00002b9cab9cf5dd in ?? ()
No symbol table info available.
#11 0x00002b9cab9d6a0a in ap_run_handler ()
No symbol table info available.
#12 0x00002b9cab9d9e98 in ap_invoke_handler ()
No symbol table info available.
#13 0x00002b9cab9e4958 in ap_process_request ()
No symbol table info available.
#14 0x00002b9cab9e1b90 in ?? ()
No symbol table info available.
#15 0x00002b9cab9ddcb2 in ap_run_process_connection ()
No symbol table info available.
#16 0x00002b9cab9e8809 in ?? ()
No symbol table info available.
#17 0x00002b9cab9e8a9a in ?? ()
No symbol table info available.
#18 0x00002b9cab9e92fd in ap_mpm_run ()
No symbol table info available.
#19 0x00002b9cab9c3e48 in main ()
No symbol table info available.

ikkk

hostingguy wrote: So I guess I take some of that back - even with those changes I still see some mod_sec errors

Code:

[Wed Apr 13 12:14:53 2011] [error] [client 95.108.150.235] ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20110413/20110413-1214 (Permission denied) [hostname "domain.com"] [uri "/error/noindex.html"] [unique_id "n5Z2PAoHRiwAAGNubPUAAAAD"]

In regards to the above, as the "/var/asl/data/audit/20110413" directory was already created it won't have had the 777 permissions, you should find that now it's rolled over into the 14th that this is now correct.

Do a ls -la /var/asl/data/audit/ and check the permissions on the directory.
hostingguy

unfortunately with mod_jk and fcgi not working, mod_sec is the least of the problem so I had to disable ruid.
ikkk

mod_jk understandable if you have people using that.

But ruid2 is an alternative to php under fcgid really, so that shouldn't really be needed when using ruid2 anyway. And Plesk's implementation of php under fcgid is so bad anyway I'm really not sure why you would be using it.

If you're using RoR under fcgid then well - that's just wrong - mod_passenger with Ruby Enterprise is so easy to set up so no real issues there.
hostingguy

keep in mind it's not what "I" am doing - we have dozens of servers with hundreds of customers so it's what "they" are doing.

We have a vanilla installation of Plesk 9.5 so ideally whatever this mod does should play nice with Plesk. Plesk also states that fcgi is required for ruby, but I would be more than happy to remove fcgi as an option for php - however that still doesn't solve the potential problems with ruby, and the actual problems with tomcat.

I do appreciate your assistance though, and ideally I would love to get this working - preferably in stat mode.
ikkk

Ruby under fastcgi = RoR (Ruby on Rails), it is about the worst method to run it.

Take a look at REE + Mod_passenger, by far the best method.

But as for java, I'm afraid we stopped allowing it, nightmare to debug, Plesk installation is so non standard, loads of simple things like fonts missing - caused nothing but grief.
hostingguy

also I found that Apache asp didn't work right either, we had several people report some issues there as well :(

Since RUID2 is now disabled should any of these changes be reverted or modified?

Code:

echo "umask 0" >> /etc/sysconfig/httpd
echo "SecAuditLogDirMode 0777" > /etc/httpd/conf.d/01_mod_security_changes.conf

Ever since this I see a lot of rootcheck emails coming through ossec saying that people's log files are world writable

Code:

Received From: my-web-server->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

File '/var/www/vhosts/domain.com/statistics/logs/error_log' is owned by root and has written permissions to anyone.
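
An added example, not part of the thread and not code from any poster: a process umask of 0 leaves new files at mode 0666 and new directories at 0777, which matches the rootcheck alert above. The helper names below are hypothetical, and the sample file and directory are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; sample data is constructed
# in a scratch directory, nothing under /etc or /var is touched.

# Print every file or directory under DIR whose "other" write bit is set,
# the condition the rootcheck alert reports.
list_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 -print 2>/dev/null | sort
}

# Print "lineno:text" for each line of FILE that sets the umask to zero,
# e.g. the line appended to /etc/sysconfig/httpd in the thread.
umask_zero_lines() {
    grep -nE '^[[:space:]]*umask[[:space:]]+0+[[:space:]]*$' "$1"
}

# Create a log file and a dated directory under umask MASK, then print how
# many of the two came out world-writable.
demo_umask() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"
        mkdir "$scratch/20110413"     # like a ModSecurity audit sub-directory
        : > "$scratch/error_log"      # like a vhost error_log
    )
    count=$(list_world_writable "$scratch" | wc -l | tr -d ' ')
    rm -rf "$scratch"
    echo "$count"
}

echo "umask 022: $(demo_umask 022) world-writable entries"
echo "umask 0:   $(demo_umask 0) world-writable entries"
```

On a real host the same helpers can be pointed at the paths from the thread, for example `list_world_writable /var/www/vhosts` and `umask_zero_lines /etc/sysconfig/httpd`.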