ModSecurity DBM file access errors

[AM2015]

My ModSecurity audit log fills up with errors that look like this:

Message: collections_remove_stale: Failed to access DBM file "/tmp/global": Permission denied
Message: collections_remove_stale: Failed to access DBM file "/tmp/ip": Permission denied

I have seen other threads on this, but some are quite old and it's hard for me to sort out what applies to my current setup.

Running CPanel/WHM v. 78x on a Centos 6 system, along with Comodo CWAF Mod Security Rules.

I've noticed that the DBM files in the /tmp directory have ownership assigned to a particular user (the primary or largest user on the system) -- and the errors seem to be generated whenever a site belonging to a different user is involved. So I'm guessing it is a file ownership / permissions problem, but I don't know how to go about fixing it.

Everything seems to be functioning ok. I only discovered this after doing some other cleanup and realizing that both the ip.pag files and the modsecurity audit log files were quite large.

 

[cPanelLauren]

In a lot of cases this is related to running mod_ruid2 which is incompatible with SecDataDir collections are you running mod_ruid2 on this server?

 

[marcuszan]

Hi,
modsec is updated to v2.9.3
On their site they state this solves incompatibility issues with mod_ruid2
Permission problems using Apache2 MPM ITK · Issue #712 · SpiderLabs/ModSecurity

However when I do a

tail -100 /usr/local/apache/logs/error_log

I still get errors like :

ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/cpaneluser-global": Read-only file system

Anyone also still has these issues after the v2.9.3 modsec update ?

Thanks

 

[marcuszan]

any update on this or any fix ?
thanks

 

[cPanelLauren]

We have another ongoing thread in relation to this as well here: https://forums.cpanel.net/threads/modsecurity-not-working.654863/ one of the users in this instance has opened a ticket that is being worked currently though your issue is a bit different in that the error is a little alarming:

Failed to access DBM file "/var/cpanel/secdatadir/cpaneluser-global": Read-only file system

It's not a permission denied error as I would anticipate but a Read-only file system error. Can you run the following:

stat /var/cpanel/secdatadir/
stat /var/cpanel/secdatadir/*

 

[marcuszan]

Hi Lauren,

First of all, thanks for you reply.

As I removed the secdatadir/ and reinstalled modsec to debug some of this issues myself, or at least try to, the results might be a bit ' off ' regarding the datestamp of the files/folders

I have tried to disable rules, set perm to 777 ( including the fix to have this done by cpanel hook and crontab to restore after cpanel update check etc.. )
I also tried to chown the secdatadir/

No luck. I did get beyond the permission denied and ended up with 'read only' filesystem as the best result.


Emtying the complete /secdatadir and disabling modruid results in the creation of the new files in /secdatadir/
modsec runs errorless then. After enabling modruid, the erros show up again in apache error logs.

Disabling some rules in modsec in WHM didnt help for me.

[[email protected] ~]# stat /var/cpanel/secdatadir/
  File: ‘/var/cpanel/secdatadir/’
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 903h/2307d      Inode: 939199      Links: 2
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (   99/  nobody)
Access: 2019-06-12 04:57:11.005561845 -0400
Modify: 2019-06-12 04:56:41.955959060 -0400
Change: 2019-06-12 04:56:41.955959060 -0400
 Birth: -

for the second command..

[[email protected] ~]#
stat /var/cpanel/secdatadir/*
  File: ‘/var/cpanel/secdatadir/cpaneluser1-global.dir’
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 903h/2307d      Inode: 951329      Links: 1
Access: (0640/-rw-r-----)  Uid: ( 1011/  cpaneluser1)   Gid: ( 1013/  cpaneluser1)
Access: 2019-06-12 04:42:00.162796784 -0400
Modify: 2019-06-12 04:42:00.162796784 -0400
Change: 2019-06-12 04:42:00.162796784 -0400
 Birth: -
  File: ‘/var/cpanel/secdatadir/cpaneluser1-global.pag’
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 903h/2307d      Inode: 951331      Links: 1
Access: (0640/-rw-r-----)  Uid: ( 1011/  cpaneluser1)   Gid: ( 1013/  cpaneluser1)
Access: 2019-06-12 04:42:00.162796784 -0400
Modify: 2019-06-12 04:42:00.162796784 -0400
Change: 2019-06-12 04:42:00.162796784 -0400
 Birth: -
  File: ‘/var/cpanel/secdatadir/cpaneluser1-ip.dir’
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 903h/2307d      Inode: 951334      Links: 1
Access: (0640/-rw-r-----)  Uid: ( 1011/  cpaneluser1)   Gid: ( 1013/  cpaneluser1)
Access: 2019-06-12 04:42:00.162796784 -0400
Modify: 2019-06-12 04:42:00.162796784 -0400
Change: 2019-06-12 04:42:00.162796784 -0400
 Birth: -
  File: ‘/var/cpanel/secdatadir/cpaneluser1-ip.pag’
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 903h/2307d      Inode: 951337      Links: 1
Access: (0640/-rw-r-----)  Uid: ( 1011/  cpaneluser1)   Gid: ( 1013/  cpaneluser1)
Access: 2019-06-12 04:42:00.162796784 -0400
Modify: 2019-06-12 04:42:00.162796784 -0400
Change: 2019-06-12 04:42:00.162796784 -0400
 Birth: -

 

[cPanelLauren]

Does the issue persist with mod_ruid2 removed? We did open a case with them today due to persisting issues with the use of ruid2 on version 2.9.3

 

[marcuszan]

When mod_ruid2 removed ( or even when jailed apache is disabled ) , issue is solved. So it is 100% mod_ruid2 related on my server

 

[cPanelLauren]

Hi @marcuszan

Then, in that case, It's definitely related to the case we opened with ModSecurity yesterday which is variable check/comparison isn't working in ruid2 · Issue #2117 · SpiderLabs/ModSecurity

It looks like their patch for ruid2/ITK compatibility is still experiencing issues.

 

[marcuszan]

Hi @cPanelLauren ,

I do see this in the case you mention :
ModSecurity version (and connector): ea-apache24-mod_security2-2.9.2-11.el7.cloudlinux.x86_64

I am using v2.9.3 instead of the v2.9.2

 

[cPanelLauren]

That's in reference to the testing server that was used to show how it works on 2.9.2 compared to 2.9.3 - this is definitely an issue with 2.9.3

We're going to get that clarified in the case as well.

 

[cetiner]

I use OWASP ModSecurity Core Rule Set ver.3.0.2 and have still the ModSecurity DBM file access errors.

Using mod_ruid2.

Did we have an solution for it right now ?

 

[cPanelLauren]

Hello @cetiner

This is still unresolved, as of now in order to properly utilize rules that use SecDataDir collections you'll need to remove mod_ruid2

 

[cetiner]

Hello @cPanelLauren

if I remove mod_ruid2 than I'm not able to use the jailed shells, right?

Which of the both security possibilities do you prefer to use?
Shell access is on my server available just in wordpress plans....
But on the other side the bad guys outside dont sleep and try to find security holes around the clock with theyr attacking softwares.

The mod_sec logfiles are full of theyr tries. Brrrrr

 

[cPanelLauren]

You can still use Jailed shells, you just wouldn't be using mod_ruid2 and cPanel Jailshell to do so. Specifically this option:

EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell. 
If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts. Reading /proc/mounts can be quite expensive when it becomes large.

Jailshell and cPanel Jailshell are both still viable options.

 

[marcuszan]

You can still use Jailed shells, you just wouldn't be using mod_ruid2 and cPanel Jailshell to do so. Specifically this option:

EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell.
If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts. Reading /proc/mounts can be quite expensive when it becomes large.

Jailshell and cPanel Jailshell are both still viable options.

So when I leave modruid2 installed as module, but disable the setting in Tweaks > EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell.

Then I can still manually set all shell access to 'jail' or 'disabled' per user.
Will this work as symlink protection ?

Thanks

 

[marcuszan]

Hi, any update on this ? Thanks

 

[cPanelLauren]

Hello,

I think the documentation here is useful:

VirtFS - Jailed Shell - Version 82 Documentation - cPanel Documentation

documentation.cpanel.net

Jailed shell restricts access for a user to its home directory - symlinks outside of the user's home directory would not function if that's what you're referring to.

 

[marcuszan]

Thanks. To be specific, what I dont fully understand.
When I disable 'experimental jailed shell' in " tweak settings " I will get the message in 'security advisor' I am not protected against symlink attack becasue 'jailed Apache ' is not enabled.
But in this situation with the experimental setting disabled, I can still have ' shell disabled ' in the ' manage shell access' settings.

Do I have any kind of protection against symlink in this situation ?

thanks

 

[cPanelLauren]

The setting is detailed here: Tweak Settings - Version 84 Documentation - cPanel Documentation under the security tab.

This will provide symlink protection because of the way it segments the VirtualHosts. Keep in mind this is an experimental feature.

The part I think may be confusing is the explanation of the bind mounts here:

If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts. Reading /proc/mounts can be quite expensive when it becomes large.

This is just detailing that each user set to Jailshell or noshell will have 14 bind mounts and if you have a large number of bind mounts it can become resource intensive.

But in this situation with the experimental setting disabled, I can still have ' shell disabled ' in the ' manage shell access' settings.

Do I have any kind of protection against symlink in this situation ?

With it disabled and without external symlink protection like Kernelcare's free symlink patch - no you do not.