
ModSecurity: Multipart parsing error: Multipart: Failed to create file: /tmp/modsecurity/tmp/

Open xBounceIT opened this issue 1 year ago • 9 comments

After upgrading from container v3.3.5 to v4.3.0, this error has been appearing constantly.

It seems to be due to Apache not running as root, and the only fix I have found is to change the MODSEC_TMP_DIR variable from the default (which doesn't seem to work) to a more accessible "/tmp".

xBounceIT avatar Jul 05 '24 09:07 xBounceIT

Sounds reasonable. Do you want to send a PR for this?

fzipi avatar Jul 07 '24 04:07 fzipi

I think we need to fix the permissions of that directory instead, like we do for the other directories already.

theseion avatar Jul 07 '24 06:07 theseion

Looking at the Dockerfile, the directory /tmp/modsecurity and all children should belong to httpd:httpd and there shouldn't be an issue with permissions at all.

theseion avatar Jul 07 '24 06:07 theseion

I've checked and the permissions look ok. @xBounceIT, which tag are you using exactly?

theseion avatar Jul 07 '24 06:07 theseion

> I've checked and the permissions look ok. @xBounceIT, which tag are you using exactly?

Do you mean image tag? I am currently running 4.3.0-apache-202406090906

xBounceIT avatar Jul 08 '24 08:07 xBounceIT

Yes, thanks.

theseion avatar Jul 09 '24 04:07 theseion

Permissions and ownership look as expected. The init process is running as httpd, which is the same user that owns that directory.

How are you running the image? Can you please provide a way for us to recreate your issue? E.g., docker compose file or shell script.

theseion avatar Jul 09 '24 04:07 theseion

Sure, this is the docker compose and Dockerfile (since we use this image as a base and install modevasive too).

Docker compose:

version: '3'
services:
  waf:
    image: syncsec/waf:4.3.0
    container_name: waf
    hostname: waf
    restart: unless-stopped
    ports:
    - "443:8443"
    - "80:8080"
    environment:
    - TZ=Europe/Rome
    - PROXY=1
    - ERRORLOG=/var/log/apache2/error.log
    - MODSEC_AUDIT_LOG=/var/log/apache2/modsec/modsec_audit.log
    - MODSEC_DEBUG_LOG=/var/log/apache2/modsec/modsec_debug.log
    - MODSEC_DISABLE_BACKEND_COMPRESSION=On
    - MODSEC_PCRE_MATCH_LIMIT=1000000
    - ALLOWED_METHODS=GET HEAD POST OPTIONS PUT PROPFIND
    - ALLOWED_REQUEST_CONTENT_TYPE=|text/plain| |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/octet-stream|
    - SSL_OCSP_STAPLING=Off
    - SSL_PORT=8443
    - PORT=8080
    - MODSEC_TMP_DIR=/tmp
    volumes:
    # Custom vhosts
    - ./persistence/conf.d:/opt/conf.d
#    - ./persistence/conf.d/mod_security.conf:/etc/modsecurity.d/modsecurity.conf:ro
    # SSL
    - ./persistence/ssl:/usr/local/apache2/conf/ssl
    # Logs
    - ./persistence/log:/var/log/apache2

Dockerfile:

# Use the OWASP ModSecurity CRS base image with Apache
FROM owasp/modsecurity-crs:4.3.0-apache-202406090906

USER root

# Enable custom configurations
RUN sed -i 's/Include conf\/extra\/httpd-vhosts.conf/Include \/opt\/conf.d\/*.conf/' /usr/local/apache2/conf/httpd.conf

# Update package list, install necessary packages, and clean up
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y apache2-utils libapache2-mod-evasive && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

xBounceIT avatar Jul 09 '24 08:07 xBounceIT

Looks like your issue is that you change the user to root. Because of that, httpd will run as root with workers spawned as www-data. Resetting the user after installing the extra packages should do the trick:

USER httpd

theseion avatar Jul 09 '24 16:07 theseion
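The diagnosis above boils down to one question: does the account the container ends up running as actually own, and can it create files in, the directory ModSecurity uses for multipart uploads? The following script is an added example (not part of the modsecurity-crs-docker project) that performs exactly that check inside a container, e.g. via `docker exec <container> sh check_tmp_dir.sh`; it assumes GNU or busybox `stat -c` and that the directory already exists.

```shell
#!/bin/sh
# Added example: verify that the caller can use MODSEC_TMP_DIR the way
# ModSecurity does (owning it and creating temp files in it).

# check_tmp_dir DIR USER
#   returns 0 if DIR exists, is owned by USER, and the caller can create a
#   file in it; returns 1 and prints the reason to stderr otherwise.
check_tmp_dir() {
    dir=$1
    expected_user=$2
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist" >&2
        return 1
    fi
    # Compare numeric uids so a missing passwd entry does not mask a mismatch.
    expected_uid=$(id -u "$expected_user" 2>/dev/null) || {
        echo "FAIL: unknown user $expected_user" >&2
        return 1
    }
    owner_uid=$(stat -c %u "$dir")
    if [ "$owner_uid" != "$expected_uid" ]; then
        echo "FAIL: $dir is owned by uid $owner_uid, expected $expected_user (uid $expected_uid)" >&2
        return 1
    fi
    # Probe the same operation that failed in the thread: create a temp file.
    probe=$(mktemp "$dir/probe.XXXXXX" 2>/dev/null) || {
        echo "FAIL: $(id -un) cannot create files in $dir" >&2
        return 1
    }
    rm -f "$probe"
    echo "OK: $dir is owned by $expected_user and writable by $(id -un)"
    return 0
}

# When executed as a script, check the directory from the thread for the
# current user (the account httpd is started as); honours MODSEC_TMP_DIR.
if [ "${0##*/}" = "check_tmp_dir.sh" ]; then
    check_tmp_dir "${MODSEC_TMP_DIR:-/tmp/modsecurity/tmp}" "$(id -un)"
fi
```

If the image was built with a trailing `USER root`, running this as the container's default user reports the uid mismatch immediately, which is the same condition that produced the "Failed to create file" error.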

Addressing this for openresty in #300

isavcic avatar Nov 04 '24 17:11 isavcic

Apache runs as httpd:httpd but the owner of /tmp/modsecurity dir is www-data:root

rhsmart avatar Feb 06 '25 14:02 rhsmart