Failed to access DBM file Permission denied

[Benjamin D.]

CentOS 7.5 WHM 72.0 Apache 2.4 suphp (7.1)

Logs are filling with this, following a server migration. Logs never showed that on the older server, same configuration (at least what I think it is, but obviously SOMETHING is different now) :

ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/global": Permission denied

No, I do not use mod_ruid2

 

[24x7server]

Hi,

Can you share with the output of the below command:
# ls -ld /var/cpanel/secdatadir/global

 

[Benjamin D.]

No, because: ls: cannot access /var/cpanel/secdatadir/global: No such file or directory

 

[cPanelLauren]

Hi @Benjamin D.

Does /var/cpanel/secdatadir/ exist? If so can you give me the output of the following:

ls -lah /var/cpanel/secdatadir/

Thanks!

 

[Benjamin D.]

[[email protected] ~]# ls -lah /var/cpanel/secdatadir/
total 16K
drwxrwx--T 2 root nobody 4.0K Jul 30 12:00 .
drwx--x--x 106 root root 12K Jul 30 12:42 ..
-rw-r----- 1 root root 0 Jul 23 21:34 global.dir
-rw-r----- 1 root root 0 Jul 23 21:34 global.pag
-rwxr-xr-x 1 nobody nobody 0 Jul 30 12:00 ip.dir
-rwxr-xr-x 1 nobody nobody 0 Jul 30 12:00 ip.pag

 

[cPanelLauren]

Hi @Benjamin D.

Can you please change the ownership of the global.dir and the global.pag files to nobody UID/GID:

chown nobody:nobody global.pag
chown nobody:nobody global.dir

and let me know if that resolves the issue.

 

[Benjamin D.]

FINALLY. Thank god, this will give a break to the hard drives... now please cPanel, can anybody add these 2 aforementioned commands to the WHM installation process?

THANK GOD (and/or @cPanelLauren !) this is resolved ;-)

Please mark as resolved. Why so fast? Because the second I chown'ed the previously mentioned files, hundreds of these lines a second stopped filling up the log :P

 

[cPanelLauren]

Hi @Benjamin D.

I'm pretty sure I haven't laughed that hard in a while, I'm glad that resolved the issue. I need to do some more testing but I found a ticket internally where this occurred as well. That shouldn't be happening. For my information can you tell me the MPM you're using, how long ago this server was provisioned as well (i know it's the new server but was it live before you migrated your sites to it?), can you also tell me what version of the OWASP ruleset you're using, as well as any alternates/custom rulesets that may be provisioned?

Thanks!

 

[Benjamin D.]

The server's hard drives were partitioned, formated and its OS (CentOS 7.5) was installed on wednesday the 25th (5 days ago). No sites were running on this server before cPanel was installed. Sites were running on the older server for years. Installing cPanel was the very first thing I did immediately after booting successfully in CentOS 7.5 for the first time following the hard drive partitionning and OS installation. Sites were all transferred using the "Transfer Tool" from server-A to server-B both on WHM 72.0 and this transfer process generated a bunch of issues that I still get to slowly fix, many of these were reported as forum posts on here by me over the last 5 days. Some still unresolved SO FEEL FREE TO CHECK THEM OUT! ;-) ;-)

MPM = Apache 2.4 is that what you wanted? Please explain further if this is not what you're after.

OWASP = OWASP ModSecurity Core Rule Set V3.0 / 100% vanilla/default rules set (no additional rule, no custom rule) except that I had to disable 4 rules that are really annoying, almost totally useless and interfering A LOT with my sites, basically generating 100% false positives and blanking out multiple pages of my sites. Something as silly as a script containing $_GET['user']. Rules like these are way too vague/abstract. They restrict a lot and don't block many attacks. It's not like the browser tried to mess with a SESSION var or a COOKIE. It's just a GET parameter... and one that the PHP programmer legitimately wants to use. /end of ranting

 

[Kent Brockman]

Hey there. Same problem here, and the same solution was applied and all is ok now.

The server was installed past weekend and it started showing the same behaviour, so please accelerate the internal ticket so this issue can be addressed asap.

- Apache MPM: worker
- modsec rules: all the natively built-in rules activated

Hope it helps. All the best

 

[cPanelLauren]

Hi @Kent Brockman


Out of curiosity are you running mod_ruid2 on your server? ruid2 and secdatadir collections are incompatible and may explain why this is occurring in both instances noted here.


Thanks!

 

[Kent Brockman]

Out of curiosity are you running mod_ruid2 on your server? ruid2 and secdatadir collections are incompatible and may explain why this is occurring in both instances noted here.

Hi! Nope. I never use that. In case you want a sneak peek, these are the active modules in that EA4:

Apache 2.4

config
config-runtime
mod_bwlimited
mod_cgid
mod_deflate
mod_expires
mod_headers
mod_http2
mod_mpm_worker
mod_proxy
mod_proxy_fcgi
mod_proxy_http
mod_proxy_wstunnel
mod_security2
mod_security2-mlogc
mod_ssl
mod_suexec
mod_unique_id
tools

PHP 7.2

libc-client
pear
php-bcmath
php-bz2
php-calendar
php-cli
php-common
php-curl
php-devel
php-fileinfo
php-fpm
php-ftp
php-gd
php-gettext
php-imap
php-ldap
php-litespeed
php-mbstring
php-mysqlnd
php-opcache
php-pdo
php-posix
php-soap
php-sockets
php-xml
php-xmlrpc
php-zip
runtime

Others

apr
apr-devel
apr-util
apr-util-devel
brotli
cpanel-tools
documentroot
libcurl
libmcrypt
libnghttp2
libxml2
modsec-sdbm-util
nghttp2
openssl
php-cli
php-cli-lsphp
profiles-cpanel

Let me know if you see something odd or possibly incompatible.

 

[cPanelLauren]

Hi @Kent Brockman

Thanks for that, the only instances where I've seen this occur (and researching in tickets as well) is when a custom or 3rd party installation of mod_security is added and mod_ruid2 issues.

In this case based on what you provided I believe the issue is related to an added module of mod_security:

mod_security2-mlogc

This should be fine now though and no further cause for concern.

 

[Kent Brockman]

So, it could be safe to uninstall mod_security2-mlogc? that could be recommended?

 

[cPanelLauren]

Hi @Kent Brockman

It's an addition and not something necessary - you can remove it - this specific item is an audit log collector.

I don't believe removing it will resolve the issue you had initially though.

 

[Kent Brockman]

Ok, I'm uninstalling that component everywhere.

And, as per the original issue, you said there is already an internal ticket to address it, right? Any idea of target release in which this could be solved? cPanel 76-78?

 

[cPanelLauren]

Hi @Kent Brockman

Because this is an issue with incompatibility with certain configurations there's no internal case to resolve it. I looked through our internal ticket system to find related issues. All of them had ruid2 or some other customization added.

As I said before though, removing the module isn't going to fix the issue, the only fix for the issue is to correct the ownership. Once it's fixed it should not occur again.

For others potentially in this situation: In the case of ruid2 being the issue secdatadir collections are not compatible with ruid2.

 

[Kent Brockman]

Ok. The only thing I need clarification for, is: if correcting the ownership of those files will fix the issue, why wouldn't such a correction be implemented as a fix in future releases.

 

[jeffschips]

Ok. The only thing I need clarification for, is: if correcting the ownership of those files will fix the issue, why wouldn't such a correction be implemented as a fix in future releases.

Hi @Benjamin D.

Can you please change the ownership of the global.dir and the global.pag files to nobody UID/GID:

chown nobody:nobody global.pag
chown nobody:nobody global.dir

and let me know if that resolves the issue.

I am having this same problems:
ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/default_SESSION": Permission denied

ls -lah /var/cpanel/secdatadir/
drwxrwx--T. 2 root nobody 4096 Dec 26 18:09 .
drwx--x--x. 103 root root 12288 Dec 26 19:39 ..
-rw-r-----. 1 nobody nobody 4096 Oct 29 19:29 default_SESSION.dir
-rw-r-----. 1 nobody nobody 60416 Dec 5 06:41 default_SESSION.pag
-rw-r-----. 1 nobody nobody 0 May 25 2018 global.dir
-rw-r-----. 1 nobody nobody 0 May 25 2018 global.pag
-rw-r-----. 1 nobody nobody 4096 Dec 26 19:20 ip.dir
-rw-r-----. 1 nobody nobody 3072 Dec 26 19:35 ip.pag

Applying fix suggested here: - Removed -
by changing permissions as:

chmod 777 /var/cpanel/secdatadir/ip*

and restarting httpd doesn't work. Still getting same errors.

If if turn off mod_ruid2 in easy apache4 all my websites break and no access. So I have to have mod_ruid2 on at least until this is resolved.

Any advice?

 

[cPanelLauren]

Hello @jeffschips

This is an incompatibility issue with ruid2 and secdatadir collections or customizations to the mod_sec implementation. Ultimately if you're using ruid2 and can't switch away from it I would suggest disabling the mod_sec customizations or secdatadir collections