modsec-shared-collections created on every nginx -t #174

Closed
karljohns0n opened this issue Jan 17, 2020 · 9 comments
@karljohns0n

Hello,

Every time I run nginx -t to test the config, the files "modsec-shared-collections" and "modsec-shared-collections-lock" are created in the current directory, see below:

[root@webstaging ~]# mkdir test1 test2
[root@webstaging ~]# pushd test1 && nginx -t
~/test1 ~
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@webstaging test1]# pushd ../test2 && nginx -t
~/test2 ~/test1 ~
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@webstaging test2]# tree ../test*
../test1
├── modsec-shared-collections
└── modsec-shared-collections-lock
../test2
├── modsec-shared-collections
└── modsec-shared-collections-lock

0 directories, 4 files
[root@webstaging test2]# 

Moreover, I see "[notice] 21561#21561: ModSecurity-nginx v1.0.1 (rules loaded inline/local/remote: 0/0/0)" when nginx starts, while modsecurity should be off by default:

[root@webstaging ~]# ack modsec /etc/nginx
[root@webstaging ~]# 

Version:
nginx 1.16.1
libmodsecurity 3.0.3
modsecurity-nginx 1.0.1

Nginx configure:

[root@webstaging ~]# nginx -V
nginx version: nginx/1.16.1
custom build maintained on github.com/karljohns0n/nginx-more
built by gcc 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC) 
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/cache/client_body --http-proxy-temp-path=/var/lib/nginx/cache/proxy --http-fastcgi-temp-path=/var/lib/nginx/cache/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/cache/uwsgi --http-scgi-temp-path=/var/lib/nginx/cache/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-compat --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_geoip_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-threads --with-stream --with-stream_ssl_module --with-stream_realip_module --with-http_slice_module --with-stream_ssl_preread_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -DTCP_FASTOPEN=23' --with-cc=/opt/rh/devtoolset-7/root/usr/bin/gcc --with-openssl=modules/openssl-1.1.1d --with-http_v2_hpack_enc --add-module=modules/ngx_modsecurity-1.0.1 --add-module=modules/ngx_headers_more-0.33 --add-module=modules/ngx_cache_purge-2.3 --add-module=modules/ngx_module_vts-0.1.18 --add-module=modules/ngx_pagespeed-1.13.35.2-stable --add-module=modules/ngx_brotli-snap20191118 --add-module=modules/ngx_http_geoip2_module-3.3 --add-module=modules/ngx_echo-0.61
@zimmerle zimmerle self-assigned this Feb 4, 2020
@zimmerle
Contributor

zimmerle commented Feb 4, 2020

Hi @karljohns0n,

What do you mean when you mentioned off by default?

@karljohns0n
Author

Hi,

> What do you mean when you mentioned off by default?

I mean that the modsecurity directive is off by default. It's still spamming the filesystem with modsec-shared-collections files when doing nginx -t even if modsecurity is off.

@zimmerle
Contributor

That happens because ModSecurity was compiled with LMDB support and ModSecurity was loaded by nginx. It is ready to be used by any vhost (or similar) that makes use of it. To completely disable it, try not to load the .so file.

@karljohns0n
Author

I would have to compile it as a dynamic module to be able to unload it. Is it still normal to spam the filesystem with these 2 files? Is there no way to avoid that besides using libmodsecurity without LMDB support?

@zimmerle
Contributor

If I understood your use case correctly, apparently you are not using ModSecurity at all. If that is the case, I would recommend not compiling nginx with it, or making it a dynamic module and not loading it, unless it is necessary. If you use ModSecurity (even if it is a single vhost), and LMDB is enabled, the files will be generated.

@karljohns0n
Author

karljohns0n commented Feb 10, 2020

I'm not using it at the moment but I plan to, that's why it's compiled with it. If I use it, is there a way to generate them only one time, in a specific path, instead of multiple times everywhere on the filesystem?

@zimmerle
Contributor

Unfortunately no :( The files are a consequence of the LMDB utilization.

@phpstatic

phpstatic commented Feb 7, 2021

@zimmerle

Maybe add a workaround to create the files in the /tmp folder, or an option to set the folder.

The current status made the project look amateurish.

@zimmerle
Contributor

zimmerle commented Feb 8, 2021

> The current status made the project look amateurish.

I cannot disagree. We have to allocate the necessary time/effort to fix this issue. The /tmp folder needs to be taken into consideration. The distinction between whether it is a configuration check (nginx -t) or a real server initialization is not clear, thus keeping the collection files on a permissive path such as /tmp may lead to less control over who can see/access the content of the collections. That is the challenge that we have to consider.

@defanator may be able to help with this one.
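The concern raised above, that the collection files land wherever `nginx -t` happens to be run and that a shared path like /tmp loosens control over who can read them, can be worked around on the operator's side until the module itself is fixed. The script below is an added example, not code from the ModSecurity-nginx project or from any participant in this thread: it runs the config test from a fresh mode-0700 scratch directory, counts and removes any `modsec-shared-collections` / `modsec-shared-collections-lock` files left behind, and deletes the scratch directory. The function `fake_nginx_t` is a constructed stand-in that reproduces the file-dropping behaviour shown in the transcript so the script runs without nginx installed; in real use the argument would be `nginx -t`.

```shell
#!/bin/sh
# Added example (not part of the ModSecurity-nginx project): confine the LMDB
# collection files that `nginx -t` drops into the working directory.

# Print the stray collection files present in DIR, one per line (none if absent).
stray_collections() {
    dir=$1
    for f in "$dir/modsec-shared-collections" "$dir/modsec-shared-collections-lock"; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Run the given command (e.g. `nginx -t`) inside a private 0700 scratch
# directory so any collection files it creates are not world-readable and do
# not litter the caller's directory; afterwards remove them and the scratch
# directory. The number of files cleaned up is left in CLEANED_COUNT and the
# command's own exit status is returned.
confined_config_test() {
    scratch=$(mktemp -d) || return 1
    chmod 700 "$scratch"
    old_pwd=$PWD
    cd "$scratch" || { rmdir "$scratch"; return 1; }
    if "$@"; then rc=0; else rc=$?; fi
    cd "$old_pwd" || exit 1
    CLEANED_COUNT=0
    for f in $(stray_collections "$scratch"); do
        rm -f "$f"
        CLEANED_COUNT=$((CLEANED_COUNT + 1))
    done
    rm -rf "$scratch"
    printf 'confined_config_test: removed %s stray collection file(s)\n' "$CLEANED_COUNT" >&2
    return "$rc"
}

# Constructed stand-in for `nginx -t` with ModSecurity+LMDB linked in: it drops
# the two collection files into the current directory, as the transcript shows.
fake_nginx_t() {
    : > modsec-shared-collections
    : > modsec-shared-collections-lock
    printf 'nginx: configuration file test is successful (simulated)\n' >&2
    return 0
}

# Demonstration run against the stand-in; replace with `confined_config_test nginx -t`.
confined_config_test fake_nginx_t
```

Because the scratch directory is created by `mktemp -d` and forced to mode 0700 before the command runs, the window in which another local user could read the collection database is closed regardless of where the operator invoked the test from; the same wrapper can be used around any command that is known to have this side effect.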
