Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move log opening to appropriate execution phase #2823

Open
wants to merge 1 commit into
base: v2/master
Choose a base branch
from
Open

Move log opening to appropriate execution phase #2823

wants to merge 1 commit into from

Conversation

TomasKorbar
Copy link

When piped logs are opened during parsing of configuration it results in unexpected situations in apache httpd and can cause hang of process which is trying to log into auditlog.

Closes #2822

@martinhsv martinhsv added the 2.x Related to ModSecurity version 2.x label Nov 14, 2022
@martinhsv
Copy link
Contributor

Hello @TomasKorbar ,

There is at least one downside here.

Current functionality means that the attempt to open the audit log file occurs at startup. If it fails -- perhaps because the chosen location is unwriteable -- then Apache will fail to start and the user can see a message like:

ModSecurity: Failed to open the audit log file: /var/log/apache/modsec_audit.log

(As a side note, with these changes I could not see a failure message anywhere, including in Apache's error.log. Perhaps I didn't look carefully enough.)

In general, it's preferable to have configuration errors identified at startup whenever possible.

@TomasKorbar
Copy link
Author

Hi @martinhsv
Log about not accessible file is now present and failure to open log prevents apache from starting.
Let me know if there are any more changes needed.

@TomasKorbar
Copy link
Author

@martinhsv Hi, could we get this merged please? I can provide further help if needed.

@martinhsv martinhsv added this to QA in v2.9.8 Jul 28, 2023
martinhsv
martinhsv reviewed Jul 31, 2023
View reviewed changes
apache2/msc_logging.c Outdated Show resolved Hide resolved
@TomasKorbar
Move log opening to appropriate execution phase
5698426 
When piped logs are opened during parsing of configuration
it results in unexpected situations in apache httpd
and can cause hang of process which is trying to log
into auditlog.
@TomasKorbar
Copy link
Author

@martinhsv should be good now.

@eflanagan0
Copy link

@marcstern I've verified this builds correctly on a NixOS system after cherry-picking the commit to v2.7.3. I can also start an Apache/2.4.59 server loading the compiled module.

marcstern
marcstern requested changes Apr 23, 2024
View reviewed changes
Copy link
Contributor

@marcstern marcstern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds sensible, but I wonder why it was handled differently than error logs at first. Does anybody see a potential problem with this fix?

Otherwise, I think it's the right moment to de-duplicate the code between dcfg->auditlog_name & dcfg->auditlog_name2 file opening. Can you use a static function that centralizes the common code?

Additional question (linked to code duplication):
Why do we have pipe_name = dcfg->auditlog_name + 1; and pipe_name = ap_server_root_relative(p, dcfg->auditlog2_name + 1);? Is this normal?

@eflanagan0
Copy link

I realized this PR also will need rebased atop v2/master to incorporate the CI changes and kick off those checks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@martinhsv martinhsv martinhsv left review comments

@marcstern marcstern marcstern requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
2.x Related to ModSecurity version 2.x Platform - Apache
Projects
v2.9.8
QA
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@TomasKorbar @martinhsv @eflanagan0 @marcstern