Thai Duong | 9 May 14:03

mod_ssl: Child could not open SSLMutex lockfile

Hi guys,

When I chroot my Apache 1.3.x with mod_security, it kept reporting that error. I have searched through this list and found that this error had been reported once but still there is no solution, right?

It seems that this problem only occurs in Apache 1.3, I have successfully chrooted Apache 2.0 with mod_ssl without any problem before. Here is my modsec.conf which is included at the end of httpd.conf

-----------snip-------------

# Yes, we want to use mod_security
ClearModuleList
AddModule mod_security.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_setenvif.c
AddModule mod_ssl.c
AddModule mod_php4.c
 
SecFilterEngine On
 
SecServerSignature "Microsoft IIS/5.0"
 
SecChrootDir /chroot/jail

---snip------------

Any suggestion?

TIA,
-T

K Vainstein | 15 Jun 01:09

Re: mod_ssl: Child could not open SSLMutex lockfile

Thai Duong <thaidn <at> gmail.com> writes:

> 
> Hi guys,
> When I chroot my Apache 1.3.x with mod_security, it kept reporting that
> error. I have searched through this list and found that this error had
> been reported once but still there is no solution, right?
> It seems that this problem only occurs in Apache 1.3, I have
> successfully chrooted Apache 2.0 with mod_ssl without any problem before.
> Here is my modsec.conf which is included at the end of httpd.conf
> -----------snip-------------
> # Yes, we want to use mod_security
> ClearModuleList
> AddModule mod_security.c
> AddModule ...
> SecFilterEngine On
>  
> SecServerSignature "Microsoft IIS/5.0"
>  
> SecChrootDir /chroot/jail
> ---snip------------
> Any suggestion?
> TIA,
> -T

Our local guru solved this by creating a symbolic link in the chroot jail 
directory, to itself, called the same (magic, don't ask me). So, chroot jail 
directory is /XXX, so we

cd /XXX
ln -s . XXX

It works.

David Fletcher | 12 May 11:23

Re: mod_ssl: Child could not open SSLMutex lockfile

Hi TIA,

I could be on the wrong track, but I think I was getting this error until I
created the directory 

/chroot/apache/usr/local/apache/logs/ssl_scache

where the chroot is to /chroot/apache

If I remember correctly, Apache wants to write there after the chroot has taken
place, by which time it cannot open new files in the log directory in the main
file system. Ensure Apache has write permissions even if the directory
already exists.

It's a while since I had the problem so I could have this wrong, but it might
help.

David

-- 
---------------------------------------
Email david <at> megapico.co.uk
---------------------------------------

Thai Duong | 12 May 20:22

Re: Re: mod_ssl: Child could not open SSLMutex lockfile

Hi David,

I have created that directory with the correct permissions but it doesn't work. Anyway, I found a solution, just set SSLMutex directive to none, it works like a charm.

-T



Thai Duong | 13 May 23:52

Re: Re: mod_ssl: Child could not open SSLMutex lockfile

FYI, I encountered a lot of problems when using mod_security as a static module of both apache 1.3.x and httpd 2.x. Most of the problems are with the mod_ssl module (also compiled statically). mod_ssl complained that it could not open its SSLMutex, and when I set SSLMutex to none, it continued to complain that it could not write to the scache directory, which I have created both in the chroot jail and the original path. I also chowned these directories to apache but still no luck. It seems that mod_security is not made to be used as a static module/in a static server (I mean a server in which all modules are compiled statically), right?

-T



Thai Duong | 13 May 23:53

Re: Re: mod_ssl: Child could not open SSLMutex lockfile

Sorry, I forgot to mention that problems only occur when I use mod_security's internal chroot mechanism. Without chroot, everything's ok.




Ivan Ristic | 23 May 11:43

Re: mod_ssl: Child could not open SSLMutex lockfile


Thai Duong wrote:
> Hi guys,
> 
> When I chroot my Apache 1.3.x with mod_security, it kept reporting that
> error. I have searched through this list and found that this error had
> been reported once but still there is no solution, right?
>
> It seems that this problem only occurs in Apache 1.3, I have successfully
> chrooted Apache 2.0 with mod_ssl without any problem before. Here is my
> modsec.conf which is included at the end of httpd.conf
> 
> -----------snip-------------
> 
> # Yes, we want to use mod_security
> ClearModuleList
> AddModule mod_security.c
> AddModule mod_env.c
> AddModule mod_log_config.c
> AddModule mod_mime.c
> AddModule mod_negotiation.c
> AddModule mod_access.c
> AddModule mod_auth.c
> AddModule mod_setenvif.c
> AddModule mod_ssl.c
> AddModule mod_php4.c
>  
> SecFilterEngine On
>  
> SecServerSignature "Microsoft IIS/5.0"
>  
> SecChrootDir /chroot/jail
> 
> ---snip------------
> 
> Any suggestion?

   Use strace to find out what mod_ssl is trying to do.

   What does your directory structure look like? Show us both, the one
   outside the jail and the one in /chroot/jail.

> Anyway, I found a solution, just set SSLMutex directive to none, it
> works like a charm.

   FYI with SSLMutex set to none the SSL session cache can become
   corrupted from time to time.

> FYI, I encountered a lot of problems when using mod_security as a
> static module of both apache 1.3.x and httpd 2.x. Most of the problems
> are with the mod_ssl module (also compiled statically). mod_ssl
> complained that it could not open its SSLMutex, and when I set
> SSLMutex to none, it continued to complain that it could not write to
> the scache directory, which I have created both in the chroot jail and
> the original path. I also chowned these directories to apache but
> still no luck. It seems that mod_security is not made to be used as a
> static module/in a static server (I mean a server in which all modules
> are compiled statically), right?

   In my experience, it does not matter if Apache is compiled statically
   or the modules are loaded at runtime. It is only the order of
   initialisation that matters. Consequently, mod_security should work
   equally well in both cases.

   The problems you are experiencing are due to the fact mod_ssl
   needs to work with certain files (the cache files and the mutex)
   after chroot takes place. You simply need a correct directory
   structure for that to happen.

   Again, the use of strace would pinpoint the problem.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

peceka | 27 May 16:46

Re: mod_ssl: Child could not open SSLMutex lockfile

Hi Ivan,

I've got this same error (FreeBSD and apache+mod_ssl-1.3.33+2.8.22).

In httpd.conf I've got:

<IfModule mod_security.c>

    SecChrootLock modsec_chroot.lock
    SecChrootDir /usr/chroot/apache

</IfModule>

When I hadn't got SecChrootLock, in my /var/log/httpd-error.log I've got:
[Fri May 27 16:14:37 2005] [info] mod_unique_id: using ip 1.2.3.4
[Fri May 27 16:14:38 2005] [error] mod_security: unable to create chroot 
lock "/usr/local/logs/modsec_chroot.lock", errno=2(No such file or 
directory)

even if I've got /usr/local/logs in my /usr/chroot/apache...

So I've added SecChrootLock modsec_chroot.lock and now it's ok.

But returning to main topic ;)

web2# ls -lR /usr/chroot/apache/
total 4
drwxr-xr-x  3 root  wheel  512 May 27 16:08 usr
drwxr-xr-x  3 root  wheel  512 May 27 15:59 var

/usr/chroot/apache/usr:
total 2
drwxr-xr-x  3 root  wheel  512 May 27 16:09 local

/usr/chroot/apache/usr/local:
total 2
drwxr-xr-x  3 root  wheel  512 May 27 16:09 logs

/usr/chroot/apache/usr/local/logs:
total 2
drwxr-xr-x  2 www  www  512 May 27 16:09 ssl_scache

/usr/chroot/apache/usr/local/logs/ssl_scache:
total 0

/usr/chroot/apache/var:
total 2
drwxrwxrwx  2 root  wheel  512 May 27 16:14 run

/usr/chroot/apache/var/run:
total 0

And now after starting Apache I've got in /var/log/httpd-error.log:
[Fri May 27 16:42:56 2005] [info] mod_unique_id: using ip addr 1.2.3.4
[Fri May 27 16:42:57 2005] [notice] mod_security: chroot checkpoint #1 
(pid=4068 ppid=4061)
[Fri May 27 16:42:57 2005] [info] (2)No such file or directory: 
make_sock: for port 443, setsockopt: (SO_ACCEPTFILTER)
[Fri May 27 16:42:57 2005] [info] (2)No such file or directory: 
make_sock: for port 80, setsockopt: (SO_ACCEPTFILTER)
[Fri May 27 16:42:57 2005] [warn] pid file /var/run/httpd.pid 
overwritten -- Unclean shutdown of previous Apache run?
[Fri May 27 16:42:57 2005] [info] mod_unique_id: using ip addr 1.2.3.4
[Fri May 27 16:42:58 2005] [notice] mod_security: chroot checkpoint #2 
(pid=4069 ppid=1)
[Fri May 27 16:42:58 2005] [notice] mod_security: chroot successful, 
path=/usr/chroot/apache
[Fri May 27 16:42:58 2005] [notice] Microsoft-IIS/5.0 configured -- 
resuming normal operations
[Fri May 27 16:42:58 2005] [error] mod_ssl: Child could not open 
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:42:58 2005] [error] mod_ssl: Child could not open 
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:42:58 2005] [error] mod_ssl: Child could not open 
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:42:58 2005] [error] mod_ssl: Child could not open 
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:42:58 2005] [error] mod_ssl: Child could not open 
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:42:58 2005] [info] Server built: May  8 2005 08:16:10
[Fri May 27 16:42:58 2005] [error] System: No such file or directory 
(errno: 2)
[Fri May 27 16:42:58 2005] [error] System: No such file or directory 
(errno: 2)
[Fri May 27 16:42:58 2005] [error] System: No such file or directory 
(errno: 2)
[Fri May 27 16:42:58 2005] [error] System: No such file or directory 
(errno: 2)
[Fri May 27 16:42:58 2005] [error] System: No such file or directory 
(errno: 2)
[Fri May 27 16:42:58 2005] [notice] Accept mutex: flock (Default: flock)
[Fri May 27 16:42:59 2005] [error] mod_ssl: Child could not open 
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:42:59 2005] [error] System: No such file or directory 
(errno: 2)
[Fri May 27 16:43:00 2005] [error] mod_ssl: Child could not open 
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:43:00 2005] [error] mod_ssl: Child could not open 
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)
[Fri May 27 16:43:00 2005] [error] System: No such file or directory 
(errno: 2)
[Fri May 27 16:43:00 2005] [error] System: No such file or directory 
(errno: 2)
[Fri May 27 16:43:01 2005] [error] mod_ssl: Child could not open 
SSLMutex lockfile /var/run/ssl_mutex.4068 (System error follows)

I think that I've got the correct directory structure and Apache has got
perm to write in dirs...

Best Regards,
p.

Ivan Ristic | 27 May 18:54

Re: Re: mod_ssl: Child could not open SSLMutex lockfile

peceka wrote:
> Hi Ivan,

> I've got this same error (FreeBSD and apache+mod_ssl-1.3.33+2.8.22).

   OK, I have figured it out. But first here's a step-by-step guide
   that I've always been using and that always worked:

   I've just made a fresh install of Apache 1.3.33 + mod_ssl
   mod_ssl-2.8.22-1.3.33 + mod_security 1.8.7. Here is what I did:

---
tar zxvf apache_1.3.33.tar.gz
tar zxvf mod_ssl-2.8.22-1.3.33.tar.gz
tar zxvf modsecurity-1.8.7.tar.gz

cd mod_ssl-2.8.22-1.3.33
./configure --with-apache=../apache_1.3.33

cd ../apache_1.3.33
./configure \
--prefix=/usr/local/apache \
--enable-module=ssl \
--enable-module=so

make
make certificate
make install

/usr/local/apache/bin/apachectl startssl

[Made sure Apache + SSL works]

/usr/local/apache/bin/apachectl stop

cd /usr/local/src/modsecurity-1.8.7/apache1/
/usr/local/apache/bin/apxs -cia mod_security.c

[Added SecChrootDir /chroot/apache to the end of httpd.conf]

mkdir -p /chroot/apache/usr/local
cd /usr/local
mv apache /chroot/apache/usr/local
ln -s /chroot/apache/usr/local/apache

/usr/local/apache/bin/apachectl startssl

[Woohoo!]

---

Anyway, back to the problem. It appears that mod_ssl creates the 
lockfile before the chroot takes place, closes it, and then wants to 
open it again later, after the chroot. It's not smart enough to create a 
new lock file if it doesn't find one. So if you are attempting to create 
an Apache jail that leaves its logs/ folder outside you get the error 
message. There are two solutions:

1) Easy - use "SSLMutex sem"
2) Dirty - move the logs/ folder into the jail, and create a symlink
            to it from the outside (like I did with the main Apache
            folder in the example above). It is not necessary to move
            all logs into the jail - you can tell mod_ssl (using
            SSLMutex file:/xxx) to place the mutex files somewhere else.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
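
An added example, not part of the message above or of the mod_ssl/mod_security code: a pre-flight check for the failure Ivan describes, where a lockfile created before the chroot is reopened at the same path afterwards. The function names and the HOSTROOT argument are hypothetical; HOSTROOT exists only so the check can run against a constructed tree and is left empty on a real host.

```shell
#!/bin/sh
# dir_status JAIL DIR [HOSTROOT]
# A file created in DIR before chroot() is only reachable at the same path
# afterwards if DIR on the host and JAIL/DIR are the same physical directory.
# A separate, writable copy of DIR inside the jail is not enough.
dir_status() {
    jail=$1 dir=$2 hostroot=${3:-}
    outside=$(CDPATH= cd -- "$hostroot$dir" 2>/dev/null && pwd -P) ||
        { echo missing-on-host; return 0; }
    inside=$(CDPATH= cd -- "$hostroot$jail$dir" 2>/dev/null && pwd -P) ||
        { echo missing-in-jail; return 0; }
    if [ "$outside" = "$inside" ]; then echo ok; else echo different-dir; fi
}

# mutex_status JAIL "SSLMutex <value>" [HOSTROOT]
# Only the file: form of the directive depends on the filesystem layout.
mutex_status() {
    value=${2#"SSLMutex "}
    case $value in
        file:/*) dir_status "$1" "$(dirname "${value#file:}")" "${3:-}" ;;
        sem|none) echo no-lockfile ;;
        *) echo unrecognised ;;
    esac
}

# Constructed layouts in a temporary directory; nothing on the host is touched.
demo() {
    root=$(mktemp -d) || return 1
    jail=/usr/chroot/apache   # jail path used in the thread

    # Layout A: /var/run exists on the host and, separately, inside the jail.
    mkdir -p "$root/var/run" "$root$jail/var/run"
    a=$(mutex_status "$jail" "SSLMutex file:/var/run/ssl_mutex" "$root")

    # Layout B: the directory lives in the jail and the host path is a
    # symlink to it (the "move it in, link from outside" arrangement).
    rmdir "$root/var/run"
    ln -s "$root$jail/var/run" "$root/var/run"
    b=$(mutex_status "$jail" "SSLMutex file:/var/run/ssl_mutex" "$root")

    # SSLMutex sem: no lockfile path to reconcile.
    c=$(mutex_status "$jail" "SSLMutex sem" "$root")

    rm -rf "$root"
    echo "$a $b $c"
}

demo
```

Layout A reports different-dir even though the jail directory exists and is writable, which matches the situation shown in the directory listing earlier in the thread.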
