ModSecurity DBM file access errors

AM2015

Active Member
Jan 1, 2015
cPanel Access Level
Root Administrator
My ModSecurity audit log fills up with errors that look like this:

Message: collections_remove_stale: Failed to access DBM file "/tmp/global": Permission denied
Message: collections_remove_stale: Failed to access DBM file "/tmp/ip": Permission denied

I have seen other threads on this, but some are quite old and it's hard for me to sort out what applies to my current setup.

Running CPanel/WHM v. 78x on a Centos 6 system, along with Comodo CWAF Mod Security Rules.

I've noticed that the DBM files in the /tmp directory have ownership assigned to a particular user (the primary or largest user on the system) -- and the errors seem to be generated whenever a site belonging to a different user is involved. So I'm guessing it is a file ownership / permissions problem, but I don't know how to go about fixing it.

Everything seems to be functioning ok. I only discovered this after doing some other cleanup and realizing that both the ip.pag files and the modsecurity audit log files were quite large.
 

marcuszan

Well-Known Member
Apr 19, 2018
Netherlands
cPanel Access Level
Root Administrator
Hi,
modsec is updated to v2.9.3
On their site they state this solves incompatibility issues with mod_ruid2
Permission problems using Apache2 MPM ITK · Issue #712 · SpiderLabs/ModSecurity

However when I do a
Code:
tail -100 /usr/local/apache/logs/error_log
I still get errors like:
Code:
ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/cpaneluser-global": Read-only file system
Does anyone else still have these issues after the v2.9.3 modsec update?

Thanks
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider
We have another ongoing thread in relation to this as well here: https://forums.cpanel.net/threads/modsecurity-not-working.654863/. One of the users in this instance has opened a ticket that is being worked currently, though your issue is a bit different in that the error is a little alarming:

Code:
Failed to access DBM file "/var/cpanel/secdatadir/cpaneluser-global": Read-only file system
It's not a permission denied error as I would anticipate but a Read-only file system error. Can you run the following:

Code:
stat /var/cpanel/secdatadir/
stat /var/cpanel/secdatadir/*
 

marcuszan

Well-Known Member
Apr 19, 2018
Netherlands
cPanel Access Level
Root Administrator
Hi Lauren,

First of all, thanks for your reply.

As I removed the secdatadir/ and reinstalled modsec to debug some of these issues myself, or at least try to, the results might be a bit 'off' regarding the datestamp of the files/folders.

I have tried to disable rules, set perms to 777 (including the fix to have this done by a cPanel hook and crontab to restore after the cPanel update check etc.).
I also tried to chown the secdatadir/.

No luck. I did get beyond the permission denied and ended up with 'read only' filesystem as the best result.


Emptying the complete /secdatadir and disabling modruid results in the creation of the new files in /secdatadir/;
modsec runs error-free then. After enabling modruid, the errors show up again in the Apache error logs.

Disabling some rules in modsec in WHM didn't help for me.


Code:
[[email protected] ~]# stat /var/cpanel/secdatadir/
  File: ‘/var/cpanel/secdatadir/’
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 903h/2307d      Inode: 939199      Links: 2
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (   99/  nobody)
Access: 2019-06-12 04:57:11.005561845 -0400
Modify: 2019-06-12 04:56:41.955959060 -0400
Change: 2019-06-12 04:56:41.955959060 -0400
 Birth: -
for the second command..
Code:
[[email protected] ~]# stat /var/cpanel/secdatadir/*
  File: ‘/var/cpanel/secdatadir/cpaneluser1-global.dir’
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 903h/2307d      Inode: 951329      Links: 1
Access: (0640/-rw-r-----)  Uid: ( 1011/  cpaneluser1)   Gid: ( 1013/  cpaneluser1)
Access: 2019-06-12 04:42:00.162796784 -0400
Modify: 2019-06-12 04:42:00.162796784 -0400
Change: 2019-06-12 04:42:00.162796784 -0400
 Birth: -
  File: ‘/var/cpanel/secdatadir/cpaneluser1-global.pag’
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 903h/2307d      Inode: 951331      Links: 1
Access: (0640/-rw-r-----)  Uid: ( 1011/  cpaneluser1)   Gid: ( 1013/  cpaneluser1)
Access: 2019-06-12 04:42:00.162796784 -0400
Modify: 2019-06-12 04:42:00.162796784 -0400
Change: 2019-06-12 04:42:00.162796784 -0400
 Birth: -
  File: ‘/var/cpanel/secdatadir/cpaneluser1-ip.dir’
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 903h/2307d      Inode: 951334      Links: 1
Access: (0640/-rw-r-----)  Uid: ( 1011/  cpaneluser1)   Gid: ( 1013/  cpaneluser1)
Access: 2019-06-12 04:42:00.162796784 -0400
Modify: 2019-06-12 04:42:00.162796784 -0400
Change: 2019-06-12 04:42:00.162796784 -0400
 Birth: -
  File: ‘/var/cpanel/secdatadir/cpaneluser1-ip.pag’
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 903h/2307d      Inode: 951337      Links: 1
Access: (0640/-rw-r-----)  Uid: ( 1011/  cpaneluser1)   Gid: ( 1013/  cpaneluser1)
Access: 2019-06-12 04:42:00.162796784 -0400
Modify: 2019-06-12 04:42:00.162796784 -0400
Change: 2019-06-12 04:42:00.162796784 -0400
 Birth: -
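Two checks that follow from the symptoms in this thread, as an added example that is not code from the thread or from cPanel: the first groups the "Failed to access DBM file" messages by reason and path, the second flags collection files in secdatadir whose owner does not match the user in the file prefix (the `<user>-global.*` / `<user>-ip.*` naming shown in the stat output above). It assumes GNU coreutils (`stat -c`), as on CentOS, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the DBM collection errors
# discussed above, assuming GNU coreutils (stat -c) as on CentOS and the cPanel
# naming of per-user collection files seen in the stat output: <user>-global.*
# and <user>-ip.* under /var/cpanel/secdatadir.

# dbm_failures: read Apache error_log and/or modsec_audit.log lines on stdin and
# count every "Failed to access DBM file" message per (reason, path). The reason
# tells you which problem you have: "Permission denied" points at ownership of a
# collection file created under another user's UID (mod_ruid2), while
# "Read-only file system" points at the mount/chroot the worker runs in.
# Output: "<count>|<reason>|<path>", most frequent first.
dbm_failures() {
    sed -n 's/.*Failed to access DBM file "\([^"]*\)": \([^[]*[^[ ]\).*/\2|\1/p' \
      | sort | uniq -c | sort -rn | sed 's/^ *//; s/ /|/'
}

# owner_mismatches <secdatadir>: list collection files whose owner is not the
# user named in the file prefix, i.e. files another vhost's worker cannot open.
owner_mismatches() {
    for f in "$1"/*-global.* "$1"/*-ip.*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        expected=${name%-*}          # "cpaneluser1-global.pag" -> "cpaneluser1"
        owner=$(stat -c %U "$f")
        [ "$owner" = "$expected" ] || \
            printf '%s owned by %s, expected %s\n' "$f" "$owner" "$expected"
    done
}

# Constructed sample log lines (not captured from a real server), in both the
# error_log and the audit-log ("Message:") form; the last line is unrelated noise.
SAMPLE_LOG='[Wed Jun 12 04:42:00 2019] [error] [client 192.0.2.10] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/cpaneluser2-global": Permission denied [hostname "example.com"] [uri "/"] [unique_id "X1"]
[Wed Jun 12 04:42:01 2019] [error] [client 192.0.2.10] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/cpaneluser2-global": Permission denied [hostname "example.com"] [uri "/wp-login.php"] [unique_id "X2"]
Message: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/cpaneluser3-ip": Read-only file system
[Wed Jun 12 04:42:02 2019] [error] [client 192.0.2.11] ModSecurity: Warning. Pattern match "foo" at ARGS:q. [unique_id "X3"]'

printf '%s\n' "$SAMPLE_LOG" | dbm_failures
# On a live server: dbm_failures < /usr/local/apache/logs/error_log
#                   owner_mismatches /var/cpanel/secdatadir
```

A non-empty result from owner_mismatches means a worker switched by mod_ruid2 to a different user will hit exactly the "Permission denied" line the first post shows.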
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider

cetiner

Active Member
Dec 24, 2018
turkey
cPanel Access Level
Root Administrator
I use OWASP ModSecurity Core Rule Set ver. 3.0.2 and still have the ModSecurity DBM file access errors.

Using mod_ruid2.

Do we have a solution for it right now?
 

cetiner

Active Member
Dec 24, 2018
turkey
cPanel Access Level
Root Administrator
Hello @cPanelLauren

If I remove mod_ruid2 then I'm not able to use the jailed shells, right?

Which of the two security options do you prefer to use?
Shell access on my server is available just in WordPress plans....
But on the other side the bad guys outside don't sleep and try to find security holes around the clock with their attacking software.

The mod_sec logfiles are full of their tries. Brrrrr
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider
You can still use Jailed shells, you just wouldn't be using mod_ruid2 and cPanel Jailshell to do so. Specifically this option:

Code:
EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell. 
If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts. Reading /proc/mounts can be quite expensive when it becomes large.
Jailshell and cPanel Jailshell are both still viable options.
 

marcuszan

Well-Known Member
Apr 19, 2018
Netherlands
cPanel Access Level
Root Administrator
You can still use Jailed shells, you just wouldn't be using mod_ruid2 and cPanel Jailshell to do so. Specifically this option:

Code:
EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell.
If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts. Reading /proc/mounts can be quite expensive when it becomes large.
Jailshell and cPanel Jailshell are both still viable options.
So when I leave modruid2 installed as module, but disable the setting in Tweaks > EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell.

Then I can still manually set all shell access to 'jail' or 'disabled' per user.
Will this work as symlink protection?

Thanks
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider

marcuszan

Well-Known Member
Apr 19, 2018
Netherlands
cPanel Access Level
Root Administrator
Thanks. To be specific, what I don't fully understand:
When I disable 'experimental jailed shell' in "tweak settings" I will get the message in 'security advisor' that I am not protected against symlink attack because 'jailed Apache' is not enabled.
But in this situation with the experimental setting disabled, I can still have 'shell disabled' in the 'manage shell access' settings.

Do I have any kind of protection against symlink in this situation?

thanks
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider
The setting is detailed here: Tweak Settings - Version 84 Documentation - cPanel Documentation under the security tab.

This will provide symlink protection because of the way it segments the VirtualHosts. Keep in mind this is an experimental feature.

The part I think may be confusing is the explanation of the bind mounts here:

If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts. Reading /proc/mounts can be quite expensive when it becomes large.
This is just detailing that each user set to Jailshell or noshell will have 14 bind mounts and if you have a large number of bind mounts it can become resource intensive.

But in this situation with the experimental setting disabled, I can still have ' shell disabled ' in the ' manage shell access' settings.

Do I have any kind of protection against symlink in this situation ?
With it disabled and without external symlink protection like Kernelcare's free symlink patch - no you do not.
 