Ivan Ristic | 3 Sep 21:29

Re: secondary groups unavailable after chroot

Liu, Cindy wrote:

> Hello there,
> 
> We ran into issues with mod_security, in that the secondary groups
> information for the user account that Apache runs under is unavailable after
> chroot. This can be verified with a "pcred <pid>" call on the child process.
> 
> Debugging output with TRUSS showed that the system call initgroups() is
> called after chroot, in which case the /etc/group, /etc/users,
> /etc/nsswitch.conf are not accessible anymore.
> 
> The current workaround requires copying the above configuration files, together
> with some libraries, into the chroot environment in order for it to work
> properly.
> 
> Suggest a better fix can be made to mod_security code, so that it invokes
> initgroups() call prior to chroot?

  Hmm, I doubt that will help. The second initgroups() call will
  probably happen anyway and I am pretty sure the process will try
  to read the group information again.

  Still, we can try. But you will have to give me the code you want
  to execute as I am not familiar with what initgroups() does or
  what it is used for. In fact, the code does not have to be a
  part of mod_security anyway. What you can do (or I can do for you,
  it doesn't matter) is write a tiny Apache module that executes
  whatever you need during the initialization phase. The result
  is the same, but this solution is more flexible.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
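
For readers who want to see what initgroups() does: the C sketch below is an added example (not mod_security or Apache code, and not from either poster) showing the lookup it performs and the ordering proposed in the question, with the groups resolved before chroot and the cached numeric IDs applied afterwards. It assumes Linux/glibc `getgrouplist()`, root privileges, and a user name and jail directory passed as arguments; `resolve_groups` and `jail_and_drop` are names made up for this example.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64   /* assumed upper bound for this example */

/* Look up the user's UID, primary GID and full group list while /etc/passwd,
 * /etc/group and the NSS libraries are still reachable (before chroot).
 * initgroups() is this same lookup followed by setgroups().
 * Returns the number of GIDs stored in gids, or -1 on failure. */
int resolve_groups(const char *user, uid_t *uid, gid_t *gid, gid_t *gids, int max)
{
    struct passwd *pw = getpwnam(user);
    int n = max;
    if (pw == NULL) return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    if (getgrouplist(user, pw->pw_gid, gids, &n) == -1) return -1; /* max too small */
    return n;
}

/* chroot, then drop privileges using only the cached numeric IDs.
 * setgroups() takes numbers, so nothing is read from inside the jail. */
int jail_and_drop(const char *dir, uid_t uid, gid_t gid, const gid_t *gids, int n)
{
    if (chroot(dir) != 0 || chdir("/") != 0) return -1;
    if (setgroups((size_t)n, gids) != 0) return -1;   /* groups first ... */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1; /* ... UID last */
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid; gid_t gid, gids[MAX_GROUPS], now[MAX_GROUPS];
    if (argc != 3) { fprintf(stderr, "usage: %s <user> <chroot-dir>\n", argv[0]); return 2; }
    int n = resolve_groups(argv[1], &uid, &gid, gids, MAX_GROUPS);
    if (n < 0) { fprintf(stderr, "cannot resolve groups for %s\n", argv[1]); return 1; }
    if (jail_and_drop(argv[2], uid, gid, gids, n) != 0) { perror("jail_and_drop"); return 1; }
    /* Same check as "pcred <pid>": print what the process actually holds. */
    int have = getgroups(MAX_GROUPS, now);
    printf("uid=%d gid=%d groups:", (int)getuid(), (int)getgid());
    for (int i = 0; i < have; i++) printf(" %d", (int)now[i]);
    printf("\n");
    return 0;
}
```

If the group list printed after the drop matches what `id <user>` reports outside the jail, the supplementary groups survived the chroot without any files being copied into it.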
