ModSecurity DBM file access errors

Discussion in 'Security' started by AM2015, Apr 28, 2019.

  1. AM2015

    AM2015 Active Member

    Joined:
    Jan 1, 2015
    Messages:
    30
    Likes Received:
    4
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    My ModSecurity audit log fills up with errors that look like this:

    Message: collections_remove_stale: Failed to access DBM file "/tmp/global": Permission denied
    Message: collections_remove_stale: Failed to access DBM file "/tmp/ip": Permission denied

    I have seen other threads on this, but some are quite old and it's hard for me to sort out what applies to my current setup.

    Running cPanel/WHM v. 78x on a CentOS 6 system, along with Comodo CWAF Mod Security Rules.

    I've noticed that the DBM files in the /tmp directory have ownership assigned to a particular user (the primary or largest user on the system) -- and the errors seem to be generated whenever a site belonging to a different user is involved. So I'm guessing it is a file ownership / permissions problem, but I don't know how to go about fixing it.

    Everything seems to be functioning ok. I only discovered this after doing some other cleanup and realizing that both the ip.pag files and the modsecurity audit log files were quite large.
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,124
    Likes Received:
    474
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    In a lot of cases this is related to running mod_ruid2, which is incompatible with SecDataDir collections. Are you running mod_ruid2 on this server?
     
  3. marcuszan

    marcuszan Well-Known Member

    Joined:
    Apr 19, 2018
    Messages:
    48
    Likes Received:
    3
    Trophy Points:
    8
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    Hi,
    modsec is updated to v2.9.3
    On their site they state this solves incompatibility issues with mod_ruid2
    Permission problems using Apache2 MPM ITK · Issue #712 · SpiderLabs/ModSecurity

    However when I do a
    Code:
    tail -100 /usr/local/apache/logs/error_log
    
    I still get errors like:
    Code:
    ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/cpaneluser-global": Read-only file system
    Anyone else still having these issues after the v2.9.3 modsec update?

    Thanks
     
  4. marcuszan

    marcuszan Well-Known Member

    Any update on this or any fix?
    Thanks
     
  5. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    We have another ongoing thread in relation to this as well here: https://forums.cpanel.net/threads/modsecurity-not-working.654863/. One of the users in this instance has opened a ticket that is currently being worked, though your issue is a bit different in that the error is a little alarming:

    Code:
    Failed to access DBM file "/var/cpanel/secdatadir/cpaneluser-global": Read-only file system
    It's not a permission denied error as I would anticipate but a Read-only file system error. Can you run the following:

    Code:
    stat /var/cpanel/secdatadir/
    stat /var/cpanel/secdatadir/*
    
     
    marcuszan likes this.
  6. marcuszan

    marcuszan Well-Known Member

    Hi Lauren,

    First of all, thanks for your reply.

    As I removed the secdatadir/ and reinstalled modsec to debug some of these issues myself, or at least try to, the results might be a bit 'off' regarding the datestamp of the files/folders.

    I have tried to disable rules and set perms to 777 (including the fix to have this done by cPanel hook and crontab to restore after cPanel update check etc.).
    I also tried to chown the secdatadir/

    No luck. I did get beyond the permission denied and ended up with 'read only' filesystem as the best result.

    Emptying the complete /secdatadir and disabling modruid results in the creation of the new files in /secdatadir/
    modsec runs errorless then. After enabling modruid, the errors show up again in the Apache error logs.

    Disabling some rules in modsec in WHM didn't help for me.


    Code:
    [root@server ~]# stat /var/cpanel/secdatadir/
      File: ‘/var/cpanel/secdatadir/’
      Size: 4096            Blocks: 8          IO Block: 4096   directory
    Device: 903h/2307d      Inode: 939199      Links: 2
    Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (   99/  nobody)
    Access: 2019-06-12 04:57:11.005561845 -0400
    Modify: 2019-06-12 04:56:41.955959060 -0400
    Change: 2019-06-12 04:56:41.955959060 -0400
     Birth: -
    For the second command:
    Code:
    [root@server ~]# stat /var/cpanel/secdatadir/*
      File: ‘/var/cpanel/secdatadir/cpaneluser1-global.dir’
      Size: 0               Blocks: 0          IO Block: 4096   regular empty file
    Device: 903h/2307d      Inode: 951329      Links: 1
    Access: (0640/-rw-r-----)  Uid: ( 1011/  cpaneluser1)   Gid: ( 1013/  cpaneluser1)
    Access: 2019-06-12 04:42:00.162796784 -0400
    Modify: 2019-06-12 04:42:00.162796784 -0400
    Change: 2019-06-12 04:42:00.162796784 -0400
     Birth: -
      File: ‘/var/cpanel/secdatadir/cpaneluser1-global.pag’
      Size: 0               Blocks: 0          IO Block: 4096   regular empty file
    Device: 903h/2307d      Inode: 951331      Links: 1
    Access: (0640/-rw-r-----)  Uid: ( 1011/  cpaneluser1)   Gid: ( 1013/  cpaneluser1)
    Access: 2019-06-12 04:42:00.162796784 -0400
    Modify: 2019-06-12 04:42:00.162796784 -0400
    Change: 2019-06-12 04:42:00.162796784 -0400
     Birth: -
      File: ‘/var/cpanel/secdatadir/cpaneluser1-ip.dir’
      Size: 0               Blocks: 0          IO Block: 4096   regular empty file
    Device: 903h/2307d      Inode: 951334      Links: 1
    Access: (0640/-rw-r-----)  Uid: ( 1011/  cpaneluser1)   Gid: ( 1013/  cpaneluser1)
    Access: 2019-06-12 04:42:00.162796784 -0400
    Modify: 2019-06-12 04:42:00.162796784 -0400
    Change: 2019-06-12 04:42:00.162796784 -0400
     Birth: -
      File: ‘/var/cpanel/secdatadir/cpaneluser1-ip.pag’
      Size: 0               Blocks: 0          IO Block: 4096   regular empty file
    Device: 903h/2307d      Inode: 951337      Links: 1
    Access: (0640/-rw-r-----)  Uid: ( 1011/  cpaneluser1)   Gid: ( 1013/  cpaneluser1)
    Access: 2019-06-12 04:42:00.162796784 -0400
    Modify: 2019-06-12 04:42:00.162796784 -0400
    Change: 2019-06-12 04:42:00.162796784 -0400
     Birth: -
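
Added example, not part of any post in this thread and not cPanel or ModSecurity code: a shell function that condenses the `stat` checks above into one line per DBM file and flags the two conditions discussed here, a collection file whose owner is not the account it is named for and a collection directory that is world-writable without the sticky bit. The function name `audit_secdatadir` is hypothetical; it assumes GNU `stat` and the `<user>-<collection>.{dir,pag}` naming visible in the output above.

```shell
# Added example: audit ModSecurity persistent-collection (DBM) files.
# Assumes GNU stat and "<user>-<collection>.dir/.pag" file names.
# Usage: audit_secdatadir /var/cpanel/secdatadir

audit_secdatadir() {
    local dir f base owner mode prefix status rc
    dir="$1"; rc=0
    [ -d "$dir" ] || { echo "ERROR not a directory: $dir"; return 2; }

    # A world-writable directory without the sticky bit lets any local user
    # delete or replace another account's collection files.
    mode=$(stat -c '%a' "$dir")
    if [ $(( 0$mode & 0002 )) -ne 0 ] && [ $(( 0$mode & 01000 )) -eq 0 ]; then
        echo "DIR $mode world-writable-no-sticky"; rc=1
    else
        echo "DIR $mode ok"
    fi

    for f in "$dir"/*.dir "$dir"/*.pag; do
        [ -f "$f" ] || continue        # unmatched glob or not a regular file
        base=${f##*/}
        owner=$(stat -c '%U' "$f")
        mode=$(stat -c '%a' "$f")
        case ${base%.*} in
            *-*)                       # per-user file: owner should match prefix
                prefix=${base%-*}
                if [ "$prefix" = "$owner" ]; then
                    status=OK
                else
                    status=MISMATCH; rc=1
                fi ;;
            *)                         # un-prefixed file (ip.pag, global.dir):
                status=SHARED; rc=1 ;; # one owner, used by every vhost user
        esac
        echo "$status $owner $mode $base"
    done
    return $rc
}
```

The function returns 0 when nothing is flagged, 1 when any `MISMATCH`, `SHARED` or directory finding is printed, and 2 when the argument is not a directory.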
    
     
  7. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Does the issue persist with mod_ruid2 removed? We did open a case with them today due to persisting issues with the use of ruid2 on version 2.9.3.
     
  8. marcuszan

    marcuszan Well-Known Member

    When mod_ruid2 is removed (or even when jailed Apache is disabled), the issue is solved. So it is 100% mod_ruid2 related on my server.
     
  9. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    marcuszan likes this.
  10. marcuszan

    marcuszan Well-Known Member

    Hi @cPanelLauren,

    I do see this in the case you mention:
    ModSecurity version (and connector): ea-apache24-mod_security2-2.9.2-11.el7.cloudlinux.x86_64

    I am using v2.9.3 instead of v2.9.2.
     
  11. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    That's in reference to the testing server that was used to show how it works on 2.9.2 compared to 2.9.3 - this is definitely an issue with 2.9.3

    We're going to get that clarified in the case as well.
     
    marcuszan likes this.