List:       mod-security-users
Subject:    Re: [mod-security-users] Re: mod_ssl: Child could not open SSLMutex
From:       Ivan Ristic <ivanr () webkreator ! com>
Date:       2005-05-27 16:54:18
Message-ID: 429750BA.3000709 () webkreator ! com

peceka wrote:
> Hi Ivan,

> I've got this same error (FreeBSD and apache+mod_ssl-1.3.33+2.8.22).

   OK, I have figured it out. But first here's a step-by-step guide
   that I've always been using and that always worked:

   I've just made a fresh install of Apache 1.3.33 + mod_ssl
   mod_ssl-2.8.22-1.3.33 + mod_security 1.8.7. Here is what I did:

---
tar zxvf apache_1.3.33.tar.gz
tar zxvf mod_ssl-2.8.22-1.3.33.tar.gz
tar zxvf modsecurity-1.8.7.tar.gz

cd mod_ssl-2.8.22-1.3.33
./configure --with-apache=../apache_1.3.33

cd ../apache_1.3.33
./configure \
--prefix=/usr/local/apache \
--enable-module=ssl \
--enable-module=so

make
make certificate
make install

/usr/local/apache/bin/apachectl startssl

[Made sure Apache + SSL works]

/usr/local/apache/bin/apachectl stop

cd /usr/local/src/modsecurity-1.8.7/apache1/
/usr/local/apache/bin/apxs -cia mod_security.c

[Added SecChrootDir /chroot/apache to the end of httpd.conf]

mkdir -p /chroot/apache/usr/local
cd /usr/local
mv apache /chroot/apache/usr/local
ln -s /chroot/apache/usr/local/apache

/usr/local/apache/bin/apachectl startssl

[Woohoo!]

---

Anyway, back to the problem. It appears that mod_ssl creates the 
lockfile before the chroot takes place, closes it, and then wants to 
open it again later, after the chroot. It's not smart enough to create a 
new lock file if it doesn't find one. So if you are attempting to create 
an Apache jail that leaves its logs/ folder outside you get the error 
message. There are two solutions:

1) Easy - use "SSLMutex sem"
2) Dirty - move the logs/ folder into the jail, and create a symlink
            to it from the outside (like I did with the main Apache
            folder in the example above). It is not necessary to move
            all logs into the jail - you can tell mod_ssl (using
            SSLMutex file:/xxx) to place the mutex files somewhere else.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
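
An added example, not part of the original message: a shell check for the condition described above, namely that a file-based SSLMutex only works if its directory is the same directory before and after the chroot. The function names and result strings are made up for this illustration, and it assumes each directive appears on a single line of httpd.conf.

```shell
#!/bin/sh
# Added example: checks whether a file-based SSLMutex survives SecChrootDir.
# Function names and result strings are made up for this illustration.

# Print the last value given for directive $1 in config file $2.
directive() {
    awk -v d="$1" 'tolower($1) == tolower(d) { v = $2 }
                   END { gsub(/"/, "", v); print v }' "$2"
}

# Print the symlink-resolved path of directory $1, or nothing if it is missing.
physdir() {
    ( cd "$1" 2>/dev/null && pwd -P ) || true
}

# Prints: no-chroot | not-file | ok | broken
check_ssl_mutex() {
    jail=$(directive SecChrootDir "$1")
    mutex=$(directive SSLMutex "$1")
    [ -n "$jail" ] || { echo no-chroot; return 0; }
    case $mutex in
        file:*) path=${mutex#file:} ;;
        *)      echo not-file; return 0 ;;   # e.g. "SSLMutex sem"
    esac
    dir=$(dirname "$path")
    outside=$(physdir "$dir")        # where the lock is created before chroot
    inside=$(physdir "$jail$dir")    # where the same path points after chroot
    if [ -n "$outside" ] && [ "$outside" = "$inside" ]; then
        echo ok
    else
        echo broken
    fi
}

if [ $# -gt 0 ]; then check_ssl_mutex "$1"; fi
```

A result of "broken" corresponds to the jail layout that leaves logs/ outside; "ok" corresponds to the symlinked layout from the step-by-step guide.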

