pete wrote:
> Hello,
>
> Anybody running peruser with mod_security?
>
> I'm having a strange issue with this combo.
> I guess it has something to do with peruser.
> My error_log(s) are filling with "global mutex - permission denied".
> Still, it looks like every site running on this server is working properly.
> So it's not fatal, but I don't like that error :)
>
> -------------------------------------------------------------------------------------------
> [Wed Aug 20 14:47:26 2008] [error] [client 192.194.76.43] ModSecurity: 
> Audit log: Failed to lock global mutex: Permission denied [hostname 
> "www.domain.info"] [uri "/keskustelu/index.php"] [unique_id 
> "xLRtEX8AAAEAAG8gaOkAAAFl"]
> [Wed Aug 20 14:47:26 2008] [error] [client 192.194.76.43] ModSecurity: 
> Audit log: Failed to unlock global mutex: Permission denied [hostname 
> "www.domain.info"] [uri "/keskustelu/index.php"] [unique_id 
> "xLRtEX8AAAEAAG8gaOkAAAFl"]
> -------------------------------------------------------------------------------------------
>
> In the other part of this message, I would like to ask about chroot capabilities 
> inside peruser. Is anyone using this feature in production?
>
> I tried it quickly, but of course it wants /bin, /etc and so on.
> Does anybody have a good list of the files it needs?
>   
You can just add a base install; that will have all files it wants at 
least. And without sensitive data.
Note that you might also want to install php (etc.) to that chroot, 
because it depends on its own libs ;)
> Sites are actually working well, but it needs at least /etc/hosts.
>   
I think it wants /etc/resolv.conf even more ;)
> And it looks like it does not support DNS at all. I guess it needs some 
> shared lib?
>
> Is there any way to get around the mysqld.sock errors?
> That sock is of course in /var/run/mysql, and after chroot the user has no 
> right to go outside the chroot. I could do a hard-link, but every time I reboot 
> apache I needed to do that hard-link again. Not an option :/
>   
Can't you add the hardlink commands to the mysqld (not apache ;)) 
startup scripts?
> All other hints are welcome also.
>
> Thanks! :)
>
> Regards,
> Pete
> _______________________________________________
> Peruser mailing list
> [email protected]
> http://www.telana.com/mailman/listinfo/peruser
>   
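The chroot points raised in this thread (resolver files such as /etc/hosts and /etc/resolv.conf, a shared library for DNS, and redoing the mysqld.sock hard link from the mysqld startup script), sketched as an added shell example that is not part of the original messages. The function names, the /etc/nsswitch.conf and libnss/libresolv entries, and the jail path in the usage comment are assumptions not taken from the thread.

```shell
#!/bin/sh
# Added example. Function names and the jail path in the usage comment are assumptions.

# Resolver configuration glibc reads at run time (nsswitch.conf selects files/dns).
RESOLVER_FILES="etc/hosts etc/resolv.conf etc/nsswitch.conf"

# seed_resolver SRC_ROOT JAIL
# Copies resolver config plus the NSS/resolver modules. Where libnss_files and
# libnss_dns are separate shared objects, glibc loads them with dlopen(), so ldd
# on httpd or php never lists them and DNS fails inside the chroot without them.
seed_resolver() {
    src=$1; jail=$2; missing=0
    for f in $RESOLVER_FILES; do
        if [ -f "$src/$f" ]; then
            mkdir -p "$jail/$(dirname "$f")"
            cp -p "$src/$f" "$jail/$f"
        else
            echo "missing: $src/$f" >&2
            missing=1
        fi
    done
    for dir in lib lib64 usr/lib usr/lib64; do
        [ -d "$src/$dir" ] || continue
        find "$src/$dir" \( -name 'libnss_files.so*' -o -name 'libnss_dns.so*' \
            -o -name 'libresolv.so*' \) | while read -r lib; do
            rel=${lib#"$src"/}
            mkdir -p "$jail/$(dirname "$rel")"
            cp -p "$lib" "$jail/$rel"   # cp dereferences symlinks: real file lands in jail
        done
    done
    return "$missing"
}

# relink_socket SOCK DEST
# Hard-links SOCK to DEST (the same path under the jail). mysqld recreates its
# socket on every start, leaving an old link pointing at a dead inode, so call
# this from the mysqld startup script. Both paths must be on one filesystem.
relink_socket() {
    sock=$1; dest=$2
    [ -e "$sock" ] || { echo "no socket at $sock" >&2; return 1; }
    mkdir -p "$(dirname "$dest")"
    rm -f "$dest"
    ln "$sock" "$dest"
}

# Usage (jail path /srv/chroot/site is a placeholder):
#   seed_resolver / /srv/chroot/site
#   relink_socket /var/run/mysql/mysqld.sock /srv/chroot/site/var/run/mysql/mysqld.sock
```

Copying only these files keeps the jail free of the rest of /etc, in line with the reply's point about leaving sensitive data out.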