Liu, Cindy | 3 Sep 20:43

secondary groups unavailable after chroot

Hello there,

We ran into issues with mod_security, in that the secondary groups
information for the user account that Apache runs under is unavailable after
chroot. This can be verified with a "pcred <pid>" call on the child process.

Debugging output with truss showed that the system call initgroups() is
called after chroot, at which point /etc/group, /etc/users and
/etc/nsswitch.conf are no longer accessible.

The current workaround requires copying the above configuration files, together
with some libraries, into the chroot environment in order for it to work
properly.

Suggestion: could a better fix be made to the mod_security code, so that it
invokes the initgroups() call prior to chroot?

Thanks,
Cindy

Ivan Ristic | 3 Sep 21:29

Re: secondary groups unavailable after chroot

Liu, Cindy wrote:

> Hello there,
> 
> We ran into issues with mod_security, in that the secondary groups
> information for the user account that Apache runs under is unavailable after
> chroot. This can be verified with a "pcred <pid>" call on the child process.
> 
> Debugging output with truss showed that the system call initgroups() is
> called after chroot, at which point /etc/group, /etc/users and
> /etc/nsswitch.conf are no longer accessible.
> 
> The current workaround requires copying the above configuration files, together
> with some libraries, into the chroot environment in order for it to work
> properly.
> 
> Suggestion: could a better fix be made to the mod_security code, so that it
> invokes the initgroups() call prior to chroot?

  Hmm, I doubt that will help. The second initgroups() call will
  probably happen anyway and I am pretty sure the process will try
  to read the group information again.

  Still, we can try. But you will have to give me the code you want
  to execute as I am not familiar with what initgroups() does or
  what it is used for. In fact, the code does not have to be a
  part of mod_security anyway. What you can do (or I can do for you,
  it doesn't matter) is write a tiny Apache module that executes
  whatever you need during the initialization phase. The result
  is the same, but this solution is more flexible.
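The ordering problem Cindy describes, and the "give me the code you want to execute" that Ivan asks for, in one added example. This is not mod_security or Apache code and makes no claim about where Apache itself calls initgroups(); it is a stand-alone C program showing the sequence a chroot-and-drop-privileges routine should follow: resolve the uid, gid and the full supplementary group list while /etc/passwd, /etc/group and nsswitch.conf are still reachable, then chroot(), then apply the cached credentials with setgroups()/setgid()/setuid(), and finally check the kernel's view of the groups the way "pcred" would. The group walk uses getgrent() so the dependency on the group database is visible; initgroups() does the same lookup internally. The cap of 64 supplementary groups and the user/jail arguments are assumptions for the example.

```c
/* Added example, not mod_security/Apache code: privilege drop into a chroot
 * jail that never touches the account database after chroot().
 * Build: cc -Wall -o jail jail.c
 * Run as root, e.g.: ./jail www-data /var/www/jail   (names are assumed) */
#define _DEFAULT_SOURCE 1   /* chroot() and setgroups() prototypes on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_SUPP 64   /* assumed upper bound on supplementary groups */

struct account {
    uid_t uid;
    gid_t gid;
    gid_t supp[MAX_SUPP];
    int   nsupp;
};

/* Step 1, before chroot: look up uid/gid and every group that lists the user
 * as a member. This is what initgroups() does internally and it is the part
 * that needs /etc/passwd, /etc/group and nsswitch.conf to be readable. */
int resolve_account(const char *user, struct account *acct)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr;

    if (pw == NULL)
        return -1;
    memset(acct, 0, sizeof *acct);
    acct->uid = pw->pw_uid;
    acct->gid = pw->pw_gid;
    acct->supp[acct->nsupp++] = pw->pw_gid;   /* primary group, as initgroups() includes it */

    setgrent();
    while ((gr = getgrent()) != NULL && acct->nsupp < MAX_SUPP) {
        if (gr->gr_gid == pw->pw_gid)
            continue;
        for (char **m = gr->gr_mem; *m != NULL; m++) {
            if (strcmp(*m, user) == 0) {
                acct->supp[acct->nsupp++] = gr->gr_gid;
                break;
            }
        }
    }
    endgrent();
    return 0;
}

int account_has_group(const struct account *acct, gid_t gid)
{
    for (int i = 0; i < acct->nsupp; i++)
        if (acct->supp[i] == gid)
            return 1;
    return 0;
}

/* Steps 2-4, root required: enter the jail, then apply the cached credentials.
 * setgroups() stands in for initgroups() because the list was computed in
 * step 1, so no lookup happens inside the jail. setuid() goes last: once it
 * succeeds, chroot() and setgroups() are no longer permitted. */
int enter_jail_and_drop(const struct account *acct, const char *jail)
{
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups((size_t)acct->nsupp, acct->supp) != 0)
        return -1;
    if (setgid(acct->gid) != 0 || setuid(acct->uid) != 0)
        return -1;
    if (setuid(0) == 0)   /* still able to become root: nothing was dropped */
        return -1;
    return 0;
}

/* In-process equivalent of "pcred <pid>": the kernel's supplementary group
 * list must contain everything resolved before the chroot. */
int verify_groups(const struct account *acct)
{
    gid_t now[MAX_SUPP];
    int n = getgroups(MAX_SUPP, now);

    if (n < 0)
        return 0;
    for (int i = 0; i < acct->nsupp; i++) {
        int found = 0;
        for (int j = 0; j < n; j++)
            if (now[j] == acct->supp[i])
                found = 1;
        if (!found)
            return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    struct account acct;
    int ok;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <user> <jail-dir>\n", argv[0]);
        return 2;
    }
    if (resolve_account(argv[1], &acct) != 0) {
        fprintf(stderr, "no such user: %s\n", argv[1]);
        return 1;
    }
    if (enter_jail_and_drop(&acct, argv[2]) != 0) {
        perror("enter_jail_and_drop");
        return 1;
    }
    ok = verify_groups(&acct);
    printf("uid=%d gid=%d supplementary groups kept: %s\n",
           (int)getuid(), (int)getgid(), ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```

Only resolve_account() needs the account database, so it is the only step that has to run before chroot(); whether the apply step happens before or after the chroot does not matter, as long as it never looks the user up again from inside the jail. That is why copying /etc/group, nsswitch.conf and NSS libraries into the jail "fixes" the symptom: it restores the lookup that should not be happening there.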

