Error Failed To Change_hat To Handling_untrusted_input
Date: 4 Jul 2008 14:27:16 +0200 (CEST)
Apache Failed To Change_hat To Handling_untrusted_input
-0700, Martin Mielke wrote:

> Hi list,
>
> for some reason I still haven't found, my apache2::error_log file is being populated with:
>
> ---
> [Fri Jul 04 12:49:03 2008] [error] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
> ---
>
> Browsing through the internet I found some posts from 2007 and 2006 pointing to AppArmor:
>
> http://forge.novell.com/pipermail/apparmor-general/2007-January/000228.html
> http://lists.suse.com/archive/suse-sles-e/2006-Jul/0175.html
>
> so I deactivated that (a2dismod apparmor) Apache2 module and now the error message is gone.
>
> First (obvious) questions:
>
> * is Apache2 now less secure?
> * is there any way to solve this issue?
>
> For the sake of completion I have to say that I don't use AppArmor at all :-) -- which causes some debate, too: AppArmor yes, AppArmor no?

If you have a server, AA is a good thing to have. But it can also be a nuisance till adjusted. It ensures that if the daemon is compromised the attacker will not have access to files that were not allowed by design.

In this case of apache I don't know if the procedure is correct, but typically you fire the yast/apparmor/update profile wizard and do the proper adjustments, i.e., giving access to the files or directories that are needed.

-- 
Cheers,
Carlos E. R.
https://lists.opensuse.org/opensuse/2008-07/msg00455.html

AppArmor Support Thread
https://ubuntuforums.org/showthread.php?t=1049698&page=8

January 25th, 2009 #1 jgoguen

To avoid cluttering up the Share your AppArmor Profiles thread, please post questions about AppArmor (why something is asking for certain permissions or capabilities, what is the difference between Px and ix and why do I never ever ever use Ux, how do I figure out where the real executable is...) in this thread.

Joel Goguen

January 25th, 2009 #2 q.dinar

Re: AppArmor Support Thread

http://ubuntuforums.org/showpost.php...6&postcount=40 : hello. xchat asks for /home/*/.recently-used.xbel . what is that, why xchat wants it, i looked into it, i have thought it is written with what file opened with what program.
also i see wine asks something though [i thought] it is off, i looked in system monitor and see "winbind"s by root. wine asks for: ... operation="capab
Apache Fails to keep running
https://forums.novell.com/showthread.php/441767-Apache-Fails-to-keep-running

12-Jul-2011,04:51 PM #1 Bob Crandell

Hi,

This server:

# cat /etc/novell-release
Novell Open Enterprise Server Linux (i586)
VERSION = 9
PATCHLEVEL = 12/16/2005 OES SP2
# cat /etc/SuSE-release
SUSE LINUX Enterprise Server 9 (i586)
VERSION = 9
PATCHLEVEL = 4

The startup sequence:

[Tue Jul 12 08:18:33 2011] [info] Init: Initializing OpenSSL library
[Tue Jul 12 08:18:33 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Jul 12 08:18:33 2011] [info] Loading certificate & private key of SSL-aware server
[Tue Jul 12 08:18:33 2011] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Tue Jul 12 08:18:33 2011] [info] Loading certificate & private key of SSL-aware server
[Tue Jul 12 08:18:33 2011] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Tue Jul 12 08:18:33 2011] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Jul 12 08:18:33 2011] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Jul 12 08:18:33 2011] [info] Init: Initializing (virtual) servers for SSL
[Tue Jul 12 08:18:33 2011] [info] Configuring server for SSL protocol
[Tue Jul 12 08:18:33 2011] [debug] ssl_engine_init.c(405): Creating new SSL cont

http://wiki.apparmor.net/index.php/Mod_apparmor_example
Introduction

AppArmor provides great flexibility in confining web applications in Apache through mod_apparmor. In this example, the main Apache process will be considered trusted, and mod_apparmor will be used by Apache to change_hat() into different profiles based on the web application. This example is known to work on Ubuntu 10.04 LTS with AppArmor 2.5. This example is based on the work of Marc Deslauriers when providing an example profile for phpsysinfo in Ubuntu.

Overview

The idea behind mod_apparmor is simple: if Apache is configured to use mod_apparmor, when someone navigates to a URL in Apache, Apache will transition to an AppArmor profile via mod_apparmor using AppArmor's change_hat() mechanism. For simplicity, the main Apache process in the example will be considered trusted and it therefore will be confined with a lenient profile (/etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 in this example, but it can be named anything). Profiles for the web applications are located in /etc/apparmor.d/apache2.d. We will confine MoinMoin and nagios in this example.

Initial Configuration

Apache must be configured to use mod_apparmor. In Ubuntu, this is done by:

    $ sudo apt-get install libapache2-mod-apparmor
    $ sudo a2enmod apparmor
    $ sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
    $ sudo /etc/init.d/apache2 restart

This installs mod_apparmor on the system, enables the mod_apparmor module in Apache, loads the policy for the Apache process, then restarts Apache so it is confined. Non-Ubuntu systems may have a different name for the libapache2-mod-apparmor package. Systems without 'a2enmod' can add the following to the appropriate place in apache.conf/httpd.conf:

    LoadModule apparmor_module /usr/lib/apache2/modules/mod_apparmor.so

The policy in /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 as used on Ubuntu 10
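
One way to triage the "Failed to change_hat" message discussed on this page, as an added example that is not code from any of the quoted posts or from the AppArmor wiki: collect the hat names Apache failed to enter and check whether the Apache profile declares them. The function names are hypothetical, the samples are constructed (only the first log line is the one quoted in the mailing-list post), and it assumes hats are declared as `^NAME {` or `hat NAME {` lines.

```python
import re
from collections import Counter

# mod_apparmor's message as quoted on this page; the hat name is in quotes.
FAILED_HAT = re.compile(r"Failed to change_hat to '([^']+)'")
# A hat declaration inside a profile: "^NAME {" or "hat NAME {", optional flags.
HAT_DECL = re.compile(
    r"^[ \t]*(?:\^|hat[ \t]+)([^\s{]+)[ \t]*(?:flags=\([^)]*\)[ \t]*)?\{", re.M)

def failed_hats(log_text):
    """Count change_hat failures per hat name in Apache error-log text."""
    return Counter(FAILED_HAT.findall(log_text))

def declared_hats(profile_text):
    """Hat names declared in profile text, skipping commented-out lines."""
    live = [l for l in profile_text.splitlines() if not l.lstrip().startswith("#")]
    return set(HAT_DECL.findall("\n".join(live)))

def triage(log_text, profile_text):
    """Map each failing hat to (count, 'declared' or 'missing')."""
    have = declared_hats(profile_text)
    return {hat: (n, "declared" if hat in have else "missing")
            for hat, n in failed_hats(log_text).items()}

# Constructed samples: the first log line is the one quoted in the mailing-list
# post; the other log lines and the profile are made up for this example.
SAMPLE_LOG = """\
[Fri Jul 04 12:49:03 2008] [error] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Fri Jul 04 12:49:04 2008] [error] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Fri Jul 04 12:49:09 2008] [error] Failed to change_hat to 'moinmoin'
[Fri Jul 04 12:49:10 2008] [notice] caught SIGTERM, shutting down
"""
SAMPLE_PROFILE = """\
/usr/lib/apache2/mpm-prefork/apache2 {
  ^DEFAULT_URI {
    /var/www/** r,
  }
  ^HANDLING_UNTRUSTED_INPUT flags=(complain) {
    /var/log/apache2/* w,
  }
  # ^moinmoin {
  # }
}
"""

if __name__ == "__main__":
    for hat, (n, state) in sorted(triage(SAMPLE_LOG, SAMPLE_PROFILE).items()):
        # "declared" yet failing: likely the profile is not loaded for Apache.
        print(f"{hat}: {n} failure(s), hat {state} in profile")
```

Hats for individual web applications live in the files under /etc/apparmor.d/apache2.d, so on a real system pass the main profile and those files concatenated as `profile_text`.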