Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Move log opening to appropriate execution phase #2823

Open
wants to merge 1 commit into
base: v2/master
Choose a base branch
from

Conversation

TomasKorbar
Copy link

When piped logs are opened during parsing of configuration it results in unexpected situations in apache httpd and can cause hang of process which is trying to log into auditlog.

Closes #2822

@martinhsv martinhsv added the 2.x Related to ModSecurity version 2.x label Nov 14, 2022
@martinhsv
Copy link
Contributor

Hello @TomasKorbar ,

There is at least one downside here.

Current functionality means that the attempt to open the audit log file occurs at startup. If it fails -- perhaps because the chosen location is unwriteable -- then Apache will fail to start and the user can see a message like:

ModSecurity: Failed to open the audit log file: /var/log/apache/modsec_audit.log

(As a side note, with these changes I could not see a failure message anywhere, including in Apache's error.log. Perhaps I didn't look carefully enough.)

In general, it's preferable to have configuration errors identified at startup whenever possible.

@TomasKorbar
Copy link
Author

Hi @martinhsv
Log about not accessible file is now present and failure to open log prevents apache from starting.
Let me know if there are any more changes needed.

@TomasKorbar
Copy link
Author

@martinhsv Hi, could we get this merged please? I can provide further help if needed.

apache2/msc_logging.c Outdated Show resolved Hide resolved
@TomasKorbar
Copy link
Author

@martinhsv should be good now.

@eflanagan0
Copy link

@marcstern I've verified this builds correctly on a NixOS system after cherry-picking the commit to v2.7.3. I can also start an Apache/2.4.59 server loading the compiled module.

Copy link

@marcstern marcstern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds sensible, but I wonder why it was handled differently than error logs at first. Does anybody see a potential problem with this fix?

Otherwise, I think it's the right moment to de-duplicate the code between dcfg->auditlog_name & dcfg->auditlog_name2 file opening. Can you use a static function that centralizes the common code?

Additional question (linked to code duplication):
Why do we have pipe_name = dcfg->auditlog_name + 1; and pipe_name = ap_server_root_relative(p, dcfg->auditlog2_name + 1);? Is this normal?

@eflanagan0
Copy link

I realized this PR also will need rebased atop v2/master to incorporate the CI changes and kick off those checks.

When piped logs are opened during parsing of configuration
it results in unexpected situations in apache httpd
and can cause hang of process which is trying to log
into auditlog.

Code should work as before, with the exception of
one additional condition evaluation when primary
audit log is not set and secondary audit log
path to piped executable is now not relative
to server root.
Copy link

@TomasKorbar
Copy link
Author

TomasKorbar commented Oct 11, 2024

@marcstern Hi,
I added static function to deduplicate the code. Also the secondary pipe is now not evaluated relatively to server root, as i think that when you want to enter executable path, it is more useful to just specify absolute path, as the executable does not have to be in the same directory as server.

Please tell me about additional changes if necessary.

@marcstern
Copy link

Using a hook looks indeed cleaner and more consistent with error log. Does anybody see a potential risk with this change?

@airween
Copy link
Member

airween commented Oct 11, 2024

Using a hook looks indeed cleaner and more consistent with error log. Does anybody see a potential risk with this change?

Let me check this a bit later (probably in next few days).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2.x Related to ModSecurity version 2.x Platform - Apache
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants