Liu, Cindy | 3 Sep 20:43

secondary groups unavailable after chroot

Hello there,

We ran into issues with mod_security, in that the secondary groups
information for the user account that Apache runs under is unavailable after
chroot. This can be verified with a "pcred <pid>" call on the child process.

Debugging output with TRUSS showed that the system call initgroups() is
called after chroot, in which case /etc/group, /etc/users and
/etc/nsswitch.conf are not accessible anymore.

The current workaround requires copying the above configuration files, together
with some libraries, into the chroot environment in order for it to work
properly.

Could a better fix be made to the mod_security code, so that it invokes
the initgroups() call prior to chroot?

Thanks,
Cindy

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
Ivan Ristic | 3 Sep 21:29

Re: secondary groups unavailable after chroot

Liu, Cindy wrote:

> Hello there,
> 
> We ran into issues with mod_security, in that the secondary groups
> information for the user account that Apache runs under is unavailable after
> chroot. This can be verified with a "pcred <pid>" call on the child process.
> 
> Debugging output with TRUSS showed that the system call initgroups() is
> called after chroot, in which case /etc/group, /etc/users and
> /etc/nsswitch.conf are not accessible anymore.
> 
> The current workaround requires copying the above configuration files, together
> with some libraries, into the chroot environment in order for it to work
> properly.
> 
> Could a better fix be made to the mod_security code, so that it invokes
> the initgroups() call prior to chroot?

  Hmm, I doubt that will help. The second initgroups() call will
  probably happen anyway and I am pretty sure the process will try
  to read the group information again.

  Still, we can try. But you will have to give me the code you want
  to execute as I am not familiar with what initgroups() does or
  what it is used for. In fact, the code does not have to be a
  part of mod_security anyway. What you can do (or I can do for you,
  it doesn't matter) is write a tiny Apache module that executes
  whatever you need during the initialization phase. The result
  is the same, but this solution is more flexible.
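The ordering problem Cindy describes, shown as an added example (not mod_security or Apache code): the supplementary group list comes from /etc/group, so it has to be resolved before chroot() hides that file. parse_group_file() is a hypothetical helper that mirrors the lookup initgroups() performs, run here over a constructed /etc/group sample; drop_privileges() shows the safe ordering with the real os calls and needs root to execute.

```python
import os
import pwd

# Constructed sample of /etc/group content, used so the lookup runs offline.
SAMPLE_GROUP_FILE = """\
root:x:0:
www-data:x:33:
ssl-cert:x:110:www-data
logs:x:120:www-data,backup
backup:x:34:
"""


def parse_group_file(text, user, primary_gid):
    """Return the GID list initgroups() would install for `user`: the primary
    GID plus every group whose member list names the user. This is exactly the
    lookup that fails once /etc/group is no longer visible after chroot."""
    gids = [primary_gid]
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        gid = int(fields[2])
        members = [m for m in fields[3].split(",") if m]
        if user in members and gid not in gids:
            gids.append(gid)
    return gids


def drop_privileges(user, chroot_dir):
    """Drop from root to `user` inside `chroot_dir` in an order that still
    lets the supplementary groups be resolved (requires root to run)."""
    pw = pwd.getpwnam(user)          # reads /etc/passwd: before chroot
    os.initgroups(user, pw.pw_gid)   # reads /etc/group: must precede chroot
    os.chroot(chroot_dir)            # from here on /etc/group is the jail's
    os.chdir("/")
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)             # irreversible, so it goes last
    return os.getgroups()            # what "pcred <pid>" would show


if __name__ == "__main__":
    print(parse_group_file(SAMPLE_GROUP_FILE, "www-data", 33))  # [33, 110, 120]
```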

modsecurity | 17 Sep 16:09

make rule case sensitive

Is there any way to make a rule case sensitive? I'm trying to block commands like cd, wget, etc. Since the commands are case sensitive, the rule needs to match cd but not CD, for example. I'm trying to prevent false matches, so if the rules could be made case sensitive that would be a huge help.
 
Thank you for any help you can provide.
David Cary Hart | 18 Sep 20:24

WebDAV Search Filter

(BTW, ModSec is a marvelous bit of code with great potential) 

How do I stop these? The converted snort rule (SecFilter "SEARCH "
log,pass) doesn't seem to work.

BTW, could someone explain what these are? The following is abbreviated.
This actually adds 30kb of crap to access_log.

68.109.42.191 - - [18/Sep/2004:04:41:34 -0400] "SEARCH
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\

-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
Ivan Ristic | 19 Sep 19:46

Re: WebDAV Search Filter

David Cary Hart wrote:

> (BTW, ModSec is a marvelous bit of code with great potential) 

  Thanks. What other features would you like to see in it?

> How do I stop these? The converted snort rule (SecFilter "SEARCH "
> log,pass) doesn't seem to work.

  You can't stop them using mod_security since Apache rejects
  such requests before they reach mod_security. Some future version
  may include functionality to install "early" filters.

> BTW, could someone explain what these are? The following is abbreviated.
> This actually adds 30kb of crap to access_log.
> 
> 68.109.42.191 - - [18/Sep/2004:04:41:34 -0400] "SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1

  Such requests are always responded to with a 414 error code. So what
  you can do is not log the request line in that case. Like this:

  LogFormat "%!414r" no414
  CustomLog logs/access_log no414

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

Ivan Ristic | 19 Sep 19:51

Re: make rule case sensitive

modsecurity wrote:

> Is there any way to make a rule case sensitive? I'm trying to block
> commands like cd, wget, etc. Since the commands are case sensitive,
> the rule needs to match cd but not CD, for example. I'm trying to
> prevent false matches, so if the rules could be made case sensitive
> that would be a huge help.

  That's not possible at this time. But you make a valid point - I've
  added the feature to my TODO list.

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

David Cary Hart | 19 Sep 20:15

Re: WebDAV Search Filter

On Sun, 2004-09-19 at 13:46, Ivan Ristic wrote:
> David Cary Hart wrote:
> 
> > (BTW, ModSec is a marvelous bit of code with great potential) 
> 
>   Thanks. What other features would you like to see in it?

"Potential" refers to my learning curve, not the mod. The only thing I
would like to see (and it may already be there) is a simplification of
logging so that the whole thing could be incorporated into access_log: a
one-line print like "[action] by mod_security at [rule]". Then I could
see everything in one place in chronological order. A good example of
this is the way that Postfix logs reject detail to maillog.

That said, using the "standard" ruleset plus some snort rules and
redirecting to the FBI's intel site, I see a noticeable - SIGNIFICANT -
reduction in attacks after just a few days. At one point, I was using a
combination of Swatch and Snort to write "drops" to IPTables as they
occurred. This was refreshed daily from the rotated snort logs so the
chain was always a seven day accumulation. Yet it contained over 425 IPs
on average. I've eliminated it along with all of the maintenance and
overhead.
> 
>   You can't stop them using mod_security since Apache rejects
>   such requests before they reach mod_security. Some future version
>   may include functionality to install "early" filters.
> 
Right. Snort sees these as they arrive. I'm not sure it's worth either
the effort or the additional complexity to add the "early" feature.
> 
> > BTW, could someone explain what these are? The following is abbreviated.
> > This actually adds 30kb of crap to access_log.
> > 
> > 68.109.42.191 - - [18/Sep/2004:04:41:34 -0400] "SEARCH
> > /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
> 
>   Such requests are always responded to with a 414 error code. So what
>   you can do is not log the request line in that case. Like this:
> 
>   LogFormat "%!414r" no414
>   CustomLog logs/access_log no414

Ivan Ristic | 19 Sep 20:33

Re: WebDAV Search Filter


> "Potential" refers to my learning curve, not the mod. The only thing I
> would like to see (and it may already be there) is a simplification of
> logging so that the whole thing could be incorporated into access_log: a
> one-line print like "[action] by mod_security at [rule]". Then I could
> see everything in one place in chronological order.

  You can do that using a custom log format. For example:

  LogFormat "%h %l %u %t \"%r\" %>s %b %{mod_security-message}i" modsec

  This will add mod_security messages at the end of each line
  of the access log.

>>>BTW, could someone explain what these are?

  I just saw this sentence :) SEARCH requests are attempts to
  exploit IIS WebDAV vulnerability, but I don't know which one.

  P.S. Your email server is rejecting direct emails from my
       email server with "Helo command rejected: [EHLO] No
       thanks.".

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]


Filter question

Hello guys,

I want the following filter but I can't figure it out exactly.
I want to check ARGS if there is http:// in it AND .txt OR .jpg OR .gif,
so it should match on all: 
id=http://www.ddddd.br/dc.jpg
id=http://www.ddddd.br/dc.txt
id=http://www.ddddd.br/dc.jpg

What should be the filter code to use?

Gerwin

Ivan Ristic | 20 Sep 15:16

Re: Filter question

Gerwin Krist -|- Digitalus Webhosting wrote:
> Hello guys,
> 
> I want the following filter but I can't figure it out exactly.
> I want to check ARGS if there is http:// in it AND .txt OR .jpg OR .gif,
> so it should match on all: 
> id=http://www.ddddd.br/dc.jpg
> id=http://www.ddddd.br/dc.txt
> id=http://www.ddddd.br/dc.jpg
> 
> What should be the filter code to use?

  Try something like this:

  SecFilterSelective ARGS "(http:/).+(\.txt|\.jpg|\.gif)"
                                ^1     ^2

  1. Anti-evasion techniques mod_security uses will compress multiple
     forward slash characters to only one.

  2. Because the dot character has a special meaning in regular
     expressions you will want to escape it to neutralise it.

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
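An added check of the rule's two footnotes (example code, not mod_security's own): normalise_arg() is a hypothetical stand-in for the anti-evasion step that compresses repeated slashes, which is why the pattern only needs "http:/", and the escaped and unescaped forms of the extension list are run side by side over constructed argument values to show what the unescaped dot lets through. Python's re engine is assumed to treat this pattern the same way mod_security's does.

```python
import re

# The regex from the reply, and the same regex with the dots left unescaped.
RULE_ESCAPED = re.compile(r"(http:/).+(\.txt|\.jpg|\.gif)")
RULE_UNESCAPED = re.compile(r"(http:/).+(.txt|.jpg|.gif)")


def normalise_arg(value):
    """Collapse runs of forward slashes to one, as the anti-evasion step does
    before the filter runs (so 'http://' and 'http:////' both become 'http:/')."""
    return re.sub(r"/+", "/", value)


def matches(rule, arg):
    """Apply a rule the way the filter would: to the normalised argument value."""
    return rule.search(normalise_arg(arg)) is not None


# Constructed sample values: the question's cases plus two edge cases,
# each paired with whether the rule as intended should fire on it.
SAMPLES = {
    "http://www.ddddd.br/dc.jpg": True,
    "http://www.ddddd.br/dc.txt": True,
    "http://www.ddddd.br/dc.gif": True,
    "http:////www.ddddd.br/dc.jpg": True,   # extra slashes compressed first
    "http://www.ddddd.br/dcXjpg": False,    # no literal '.', must not fire
    "local/file.jpg": False,                # no http:/ at all
}


def check_all(rule):
    """Return the sample values on which `rule` disagrees with the intent."""
    return [arg for arg, want in SAMPLES.items() if matches(rule, arg) != want]


if __name__ == "__main__":
    print(check_all(RULE_ESCAPED))    # []
    print(check_all(RULE_UNESCAPED))  # ['http://www.ddddd.br/dcXjpg']
```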
