owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

modsec-shared-collections created on every nginx -t #174

Closed karljohns0n closed 4 years ago

karljohns0n commented 4 years ago

Hello,

Every time I run nginx -t to test the config, the files "modsec-shared-collections" and "modsec-shared-collections-lock" are created in the current directory, see below:

[root@webstaging ~]# mkdir test1 test2
[root@webstaging ~]# pushd test1 && nginx -t
~/test1 ~
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@webstaging test1]# pushd ../test2 && nginx -t
~/test2 ~/test1 ~
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@webstaging test2]# tree ../test*
../test1
├── modsec-shared-collections
└── modsec-shared-collections-lock
../test2
├── modsec-shared-collections
└── modsec-shared-collections-lock

0 directories, 4 files
[root@webstaging test2]# 

Moreover, I see [notice] 21561#21561: ModSecurity-nginx v1.0.1 (rules loaded inline/local/remote: 0/0/0) when nginx starts while modsecurity should be off by default

[root@webstaging ~]# ack modsec /etc/nginx
[root@webstaging ~]# 

Version: nginx 1.16.1 libmodsecurity 3.0.3 modsecurity-nginx 1.0.1

Nginx configure:

[root@webstaging ~]# nginx -V
nginx version: nginx/1.16.1
custom build maintained on github.com/karljohns0n/nginx-more
built by gcc 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC) 
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/cache/client_body --http-proxy-temp-path=/var/lib/nginx/cache/proxy --http-fastcgi-temp-path=/var/lib/nginx/cache/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/cache/uwsgi --http-scgi-temp-path=/var/lib/nginx/cache/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-compat --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_geoip_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-threads --with-stream --with-stream_ssl_module --with-stream_realip_module --with-http_slice_module --with-stream_ssl_preread_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -DTCP_FASTOPEN=23' --with-cc=/opt/rh/devtoolset-7/root/usr/bin/gcc --with-openssl=modules/openssl-1.1.1d --with-http_v2_hpack_enc --add-module=modules/ngx_modsecurity-1.0.1 --add-module=modules/ngx_headers_more-0.33 --add-module=modules/ngx_cache_purge-2.3 --add-module=modules/ngx_module_vts-0.1.18 --add-module=modules/ngx_pagespeed-1.13.35.2-stable --add-module=modules/ngx_brotli-snap20191118 --add-module=modules/ngx_http_geoip2_module-3.3 --add-module=modules/ngx_echo-0.61
zimmerle commented 4 years ago

Hi @karljohns0n,

What do you mean when you mentioned off by default?

karljohns0n commented 4 years ago

Hi,

What do you mean when you mentioned off by default?

I mean that default modsecurity directive is off. It's still spamming the filesystem with modsec-shared-collections files when doing nginx -t even if modsecurity is off.

zimmerle commented 4 years ago

That happens because ModSecurity was compiled with LMDB support and ModSecurity was loaded by nginx. It is ready to be used by any vhost (or similar) that makes use of it. To completely disable it, try not to load the .so file.

karljohns0n commented 4 years ago

I would have to compile it as a dynamic module to be able to unload it. Is it still normal to spam the filesystem with these 2 files? Is there no way to avoid that besides using libmodsecurity without LMDB support?

zimmerle commented 4 years ago

If I understood your use case correctly, apparently you are not using ModSecurity at all. If that is the case, I would recommend not compiling nginx with it, or making it a dynamic module and not loading it, unless it is necessary. If you use ModSecurity (even if it is a single vhost), and LMDB is enabled, the files will be generated.

karljohns0n commented 4 years ago

I'm not using it at the moment but I plan to, that's why it's compiled with it. If I use it, is there a way to generate them only once, in a specific path, instead of multiple times everywhere on the filesystem?

zimmerle commented 4 years ago

Unfortunately no :( the files are a consequence of the LMDB utilization.

phpstatic commented 3 years ago

@zimmerle

Maybe add a workaround to create the files in the /tmp folder, or an option to set the folder.

The current status makes the project look amateur.

zimmerle commented 3 years ago

The current status makes the project look amateur.

I cannot disagree. We have to allocate the necessary time/effort to fix this issue. The /tmp folder needs to be taken into consideration. The distinction between whether it is a configuration check (nginx -t) or a real server initialization is not clear, thus keeping the collection files on a permissive path such as /tmp may lead to less control over who can see/access the content of the collections. That is the challenge that we have to consider.

@defanator may be able to help with this one.
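As an added example (not code from the ModSecurity-nginx project or from anyone in this thread), the shell functions below audit a host for the stray LMDB collection files described above and flag any that are readable by users other than the owner, which is the access-control concern raised in the last comment. The directory roots passed in are assumptions; the test data is constructed.

```shell
#!/bin/sh
# Audit for "modsec-shared-collections" / "modsec-shared-collections-lock"
# files left behind by "nginx -t" in arbitrary working directories.
# Assumption: GNU or BSD find with support for -xdev and symbolic -perm.

# List every collection file (one absolute or relative path per line)
# under the given directory roots, without crossing filesystem boundaries.
find_modsec_collections() {
    # $@ : one or more directories to scan
    find "$@" -xdev -type f \
        \( -name 'modsec-shared-collections' \
        -o -name 'modsec-shared-collections-lock' \) 2>/dev/null
}

# List only the collection files that are world-readable ("other" has r),
# i.e. the ones whose stored per-client state any local account could read.
find_world_readable_collections() {
    find "$@" -xdev -type f \
        \( -name 'modsec-shared-collections' \
        -o -name 'modsec-shared-collections-lock' \) \
        -perm -o+r 2>/dev/null
}

# Count helper: number of lines produced by a finder function.
count_lines() {
    # $1 : finder function name, remaining args : roots
    fn="$1"; shift
    "$fn" "$@" | wc -l | tr -d ' '
}

# Usage when run directly: ./audit.sh /root /home /tmp
if [ "$#" -gt 0 ]; then
    echo "collection files found: $(count_lines find_modsec_collections "$@")"
    echo "world-readable:         $(count_lines find_world_readable_collections "$@")"
    find_world_readable_collections "$@"
fi
```

On a host where ModSecurity is compiled in, run it from the directories where administrators habitually invoke nginx -t (home directories, /root, /tmp) and tighten or remove whatever it reports.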