ModSecurity DBM file access errors

  • cPanelLauren
    In a lot of cases this is related to running mod_ruid2, which is incompatible with SecDataDir collections. Are you running mod_ruid2 on this server?
  • marcuszan
    Hi, modsec is updated to v2.9.3. On their site they state this solves incompatibility issues with mod_ruid2: Permission problems using Apache2 MPM ITK · Issue #712 · SpiderLabs/ModSecurity. However, when I do a tail -100 /usr/local/apache/logs/error_log
    I still get errors like: ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/cpaneluser-global": Read-only file system
    Does anyone else still have these issues after the v2.9.3 modsec update? Thanks
  • marcuszan
    Any update on this or any fix? Thanks
  • marcuszan
    Hi Lauren, first of all, thanks for your reply. As I removed the secdatadir/ and reinstalled modsec to debug some of these issues myself, or at least try to, the results might be a bit 'off' regarding the datestamp of the files/folders. I have tried to disable rules and set perm to 777 (including the fix to have this done by cPanel hook and crontab to restore after cPanel update check etc.). I also tried to chown the secdatadir/. No luck. I did get beyond the permission denied and ended up with 'read only' filesystem as the best result. Emptying the complete /secdatadir and disabling modruid results in the creation of the new files in /secdatadir/; modsec runs errorless then. After enabling modruid, the errors show up again in Apache error logs. Disabling some rules in modsec in WHM didn't help for me.

    [root@server ~]# stat /var/cpanel/secdatadir/
      File: "/var/cpanel/secdatadir/"
      Size: 4096 Blocks: 8 IO Block: 4096 directory
    Device: 903h/2307d Inode: 939199 Links: 2
    Access: (0777/drwxrwxrwx) Uid: ( 0/ root) Gid: ( 99/ nobody)
    Access: 2019-06-12 04:57:11.005561845 -0400
    Modify: 2019-06-12 04:56:41.955959060 -0400
    Change: 2019-06-12 04:56:41.955959060 -0400
     Birth: -

    For the second command:

    [root@server ~]# stat /var/cpanel/secdatadir/*
      File: "/var/cpanel/secdatadir/cpaneluser1-global.dir"
      Size: 0 Blocks: 0 IO Block: 4096 regular empty file
    Device: 903h/2307d Inode: 951329 Links: 1
    Access: (0640/-rw-r-----) Uid: ( 1011/ cpaneluser1) Gid: ( 1013/ cpaneluser1)
    Access: 2019-06-12 04:42:00.162796784 -0400
    Modify: 2019-06-12 04:42:00.162796784 -0400
    Change: 2019-06-12 04:42:00.162796784 -0400
     Birth: -
      File: "/var/cpanel/secdatadir/cpaneluser1-global.pag"
      Size: 0 Blocks: 0 IO Block: 4096 regular empty file
    Device: 903h/2307d Inode: 951331 Links: 1
    Access: (0640/-rw-r-----) Uid: ( 1011/ cpaneluser1) Gid: ( 1013/ cpaneluser1)
    Access: 2019-06-12 04:42:00.162796784 -0400
    Modify: 2019-06-12 04:42:00.162796784 -0400
    Change: 2019-06-12 04:42:00.162796784 -0400
     Birth: -
      File: "/var/cpanel/secdatadir/cpaneluser1-ip.dir"
      Size: 0 Blocks: 0 IO Block: 4096 regular empty file
    Device: 903h/2307d Inode: 951334 Links: 1
    Access: (0640/-rw-r-----) Uid: ( 1011/ cpaneluser1) Gid: ( 1013/ cpaneluser1)
    Access: 2019-06-12 04:42:00.162796784 -0400
    Modify: 2019-06-12 04:42:00.162796784 -0400
    Change: 2019-06-12 04:42:00.162796784 -0400
     Birth: -
      File: "/var/cpanel/secdatadir/cpaneluser1-ip.pag"
      Size: 0 Blocks: 0 IO Block: 4096 regular empty file
    Device: 903h/2307d Inode: 951337 Links: 1
    Access: (0640/-rw-r-----) Uid: ( 1011/ cpaneluser1) Gid: ( 1013/ cpaneluser1)
    Access: 2019-06-12 04:42:00.162796784 -0400
    Modify: 2019-06-12 04:42:00.162796784 -0400
    Change: 2019-06-12 04:42:00.162796784 -0400
     Birth: -
  • cPanelLauren
    Does the issue persist with mod_ruid2 removed? We did open a case with them today due to persisting issues with the use of ruid2 on version 2.9.3.
  • marcuszan
    When mod_ruid2 is removed (or even when jailed Apache is disabled), the issue is solved. So it is 100% mod_ruid2 related on my server.
  • cPanelLauren
    Hi @marcuszan, then in that case it's definitely related to the case we opened with ModSecurity yesterday, which is: variable check/comparison isn't working in ruid2 · Issue #2117 · SpiderLabs/ModSecurity. It looks like their patch for ruid2/ITK compatibility is still experiencing issues.
  • marcuszan
    Hi @cPanelLauren, I do see this in the case you mention: ModSecurity version (and connector): ea-apache24-mod_security2-2.9.2-11.el7.cloudlinux.x86_64. I am using v2.9.3 instead of v2.9.2.
  • cPanelLauren
    That's in reference to the testing server that was used to show how it works on 2.9.2 compared to 2.9.3. This is definitely an issue with 2.9.3. We're going to get that clarified in the case as well.
  • cetiner
    I use OWASP ModSecurity Core Rule Set ver. 3.0.2 and still have the ModSecurity DBM file access errors. Using mod_ruid2. Do we have a solution for it right now?
  • cPanelLauren
    Hello @cetiner, this is still unresolved. As of now, in order to properly utilize rules that use SecDataDir collections, you'll need to remove mod_ruid2.
  • cetiner
    Hello @cPanelLauren, if I remove mod_ruid2 then I'm not able to use the jailed shells, right? Which of the two security possibilities do you prefer to use? Shell access is available on my server just in WordPress plans... But on the other side, the bad guys outside don't sleep and try to find security holes around the clock with their attacking software. The mod_sec logfiles are full of their tries. Brrrrr
  • cPanelLauren
    You can still use Jailed shells, you just wouldn't be using mod_ruid2 and cPanel Jailshell to do so. Specifically this option: EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell. If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts. Reading /proc/mounts can be quite expensive when it becomes large.
    Jailshell and cPanel Jailshell are both still viable options.
  • marcuszan
    You can still use Jailed shells, you just wouldn't be using mod_ruid2 and cPanel Jailshell to do so. Specifically this option: EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell. If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts. Reading /proc/mounts can be quite expensive when it becomes large.
    Jailshell and cPanel Jailshell are both still viable options.

    So when I leave modruid2 installed as a module, but disable the setting in Tweaks > EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell, then I can still manually set all shell access to 'jail' or 'disabled' per user. Will this work as symlink protection? Thanks
  • marcuszan
    Hi, any update on this? Thanks
  • cPanelLauren
    Hello, I think the documentation here is useful:
  • marcuszan
    Thanks. To be specific, here is what I don't fully understand. When I disable 'experimental jailed shell' in "tweak settings", I will get the message in 'security advisor' that I am not protected against symlink attack because 'jailed Apache' is not enabled. But in this situation with the experimental setting disabled, I can still have 'shell disabled' in the 'manage shell access' settings. Do I have any kind of protection against symlink in this situation? Thanks
  • cPanelLauren
    The setting is detailed here: Tweak Settings - Version 84 Documentation - cPanel Documentation, under the security tab. This will provide symlink protection because of the way it segments the VirtualHosts. Keep in mind this is an experimental feature. The part I think may be confusing is the explanation of the bind mounts here:
    "If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts. Reading /proc/mounts can be quite expensive when it becomes large."
    This is just detailing that each user set to Jailshell or noshell will have 14 bind mounts, and if you have a large number of bind mounts it can become resource intensive.
    "But in this situation with the experimental setting disabled, I can still have 'shell disabled' in the 'manage shell access' settings. Do I have any kind of protection against symlink in this situation?"

    With it disabled and without external symlink protection like Kernelcare's free symlink patch - no you do not.
  • marcuszan
    First, best wishes to all for 2020. Is there any movement in the mod_sec and mod_ruid2 compatibility issues? It has been quiet in this thread and I really hope this issue can be resolved someday. Thanks
  • marcuszan
    @cPanelLauren any new info on this? Thanks!
  • cPanelLauren
    Hello @marcuszan, there have been no updates to this. The last response from them indicated that they believe the issue to be specific to the rule. You can read about it here: variable check/comparison isn't working in ruid2 · Issue #2121 · SpiderLabs/ModSecurity
  • marcuszan
    Hi, after a year I still have the same errors in apache logs > ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/cpaneluser-ip": Read-only file system
    Any update from cPanel or any other info available on this? Thanks
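The two error messages quoted in this thread (collections_remove_stale and collection_store) can be tallied per account and failure reason to see which collections are affected and whether the failures are "Read-only file system" or "Permission denied". This is an added example, not code from the thread, cPanel or ModSecurity; the sample log lines are constructed around those two messages, and splitting the DBM file name at the last hyphen into account and collection is an assumption based on the file names shown above.

```python
import re
from collections import Counter

# Constructed sample: the ModSecurity message text follows the two errors quoted
# in the thread; timestamps, pids, clients and hostnames are made up.
SAMPLE_LOG = """\
[Wed Jun 12 04:42:00.162796 2019] [:error] [pid 4021] [client 192.0.2.10:51234] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/cpaneluser-global": Read-only file system [hostname "example.com"]
[Wed Jun 12 04:42:01.004512 2019] [:error] [pid 4021] [client 192.0.2.10:51234] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/cpaneluser-ip": Read-only file system [hostname "example.com"]
[Wed Jun 12 04:43:17.551200 2019] [:error] [pid 4388] [client 198.51.100.7:40112] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/cpaneluser1-ip": Permission denied [hostname "example.org"]
[Wed Jun 12 04:44:02.100000 2019] [:error] [pid 4388] [client 198.51.100.7:40112] ModSecurity: Warning. Pattern match "foo" at ARGS:q. [id "1"]
"""

# operation name, DBM path, then the OS error text up to the next "[" field
DBM_ERR = re.compile(
    r'ModSecurity: (?P<op>\w+): Failed to access DBM file '
    r'"(?P<path>[^"]+)": (?P<reason>[^\[\n]+)'
)

def summarize_dbm_errors(log_text):
    """Count failures per (account, collection, operation, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DBM_ERR.search(line)
        if not m:
            continue  # unrelated ModSecurity or Apache message
        name = m.group("path").rsplit("/", 1)[-1]
        # Assumption: "<account>-<collection>"; no hyphen means no account prefix
        account, _, collection = name.rpartition("-")
        key = (account, collection, m.group("op"), m.group("reason").strip())
        counts[key] += 1
    return counts

def reasons_by_account(counts):
    """Collapse the summary to {account: Counter(reason -> hits)}."""
    out = {}
    for (account, _coll, _op, reason), n in counts.items():
        out.setdefault(account, Counter())[reason] += n
    return out

if __name__ == "__main__":
    for key, n in sorted(summarize_dbm_errors(SAMPLE_LOG).items()):
        print(n, *key, sep="\t")
```

On a live server, pass the contents of /usr/local/apache/logs/error_log (the path used earlier in the thread) instead of SAMPLE_LOG.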
  • cPRex Jurassic Moderator
    I don't see that there have been any updates to this issue. It might be worth adding a comment directly on the GitHub thread so they are aware this is still causing issues for users.