coreruleset / modsecurity-crs-docker

Official ModSecurity Docker + Core Rule Set (CRS) images
https://coreruleset.org
Apache License 2.0

ModSecurity: Multipart parsing error: Multipart: Failed to create file: /tmp/modsecurity/tmp/ #269

Open xBounceIT opened 4 days ago

xBounceIT commented 4 days ago

After upgrading from container v3.3.5 to v4.3.0, this error has been appearing constantly.

It seems to be due to Apache not running as root, and the only fix I have found is to change the MODSEC_TMP_DIR variable from the default (which doesn't seem to work) to a more accessible "/tmp".

fzipi commented 2 days ago

Sounds reasonable. Do you want to send a PR for this?

theseion commented 2 days ago

I think we need to fix the permissions of that directory instead, like we do for the other directories already.

theseion commented 2 days ago

Looking at the Dockerfile, the directory /tmp/modsecurity and all children should belong to httpd:httpd and there shouldn't be an issue with permissions at all.

theseion commented 2 days ago

I've checked and the permissions look ok. @xBounceIT, which tag are you using exactly?

xBounceIT commented 1 day ago

I've checked and the permissions look ok. @xBounceIT, which tag are you using exactly?

Do you mean image tag? I am currently running 4.3.0-apache-202406090906

theseion commented 15 hours ago

Yes, thanks.

theseion commented 14 hours ago

Permissions and ownership look as expected. The init process is running as httpd, which is the same user that owns that directory.

How are you running the image? Can you please provide a way for us to recreate your issue? E.g., docker compose file or shell script.

xBounceIT commented 11 hours ago

Sure, this is the docker compose and Dockerfile (since we use this image as a base and install modevasive too).

Docker compose:

version: '3'
services:
  waf:
    image: syncsec/waf:4.3.0
    container_name: waf
    hostname: waf
    restart: unless-stopped
    ports:
    - "443:8443"
    - "80:8080"
    environment:
    - TZ=Europe/Rome
    - PROXY=1
    - ERRORLOG=/var/log/apache2/error.log
    - MODSEC_AUDIT_LOG=/var/log/apache2/modsec/modsec_audit.log
    - MODSEC_DEBUG_LOG=/var/log/apache2/modsec/modsec_debug.log
    - MODSEC_DISABLE_BACKEND_COMPRESSION=On
    - MODSEC_PCRE_MATCH_LIMIT=1000000
    - ALLOWED_METHODS=GET HEAD POST OPTIONS PUT PROPFIND
    - ALLOWED_REQUEST_CONTENT_TYPE=|text/plain| |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/octet-stream|
    - SSL_OCSP_STAPLING=Off
    - SSL_PORT=8443
    - PORT=8080
    - MODSEC_TMP_DIR=/tmp
    volumes:
    # Custom vhosts
    - ./persistence/conf.d:/opt/conf.d
#    - ./persistence/conf.d/mod_security.conf:/etc/modsecurity.d/modsecurity.conf:ro
    # SSL
    - ./persistence/ssl:/usr/local/apache2/conf/ssl
    # Logs
    - ./persistence/log:/var/log/apache2

Dockerfile:

# Use the OWASP ModSecurity CRS base image with Apache
FROM owasp/modsecurity-crs:4.3.0-apache-202406090906

USER root

# Enable custom configurations
RUN sed -i 's/Include conf\/extra\/httpd-vhosts.conf/Include \/opt\/conf.d\/*.conf/' /usr/local/apache2/conf/httpd.conf

# Update package list, install necessary packages, and clean up
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y apache2-utils libapache2-mod-evasive && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

theseion commented 3 hours ago

Looks like your issue is that you change the user to root. Because of that, httpd will run as root with workers spawned as www-data. Resetting the user after installing the extra packages should do the trick:

USER httpd
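A small preflight check for the root cause discussed in this thread (the user httpd runs as must own, and be able to write to, the ModSecurity multipart temp directory). This is an added example, not part of the modsecurity-crs-docker project or of any comment above; the default path /tmp/modsecurity/tmp and the user name httpd are taken from the thread, the script name modsec-tmp-check.sh is an assumption, and the checks only use ls, id and cut so they work in a minimal container image.

```shell
#!/bin/sh
# Added diagnostic (not project code): verify that a ModSecurity temp
# directory is owned and writable by the user the web server runs as.
# Defaults mirror the thread: /tmp/modsecurity/tmp owned by httpd.

# Print the owner (user name) of a path, using ls -ld so it works on
# both GNU and BusyBox userlands (the third field is the owner).
dir_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Return 0 if the owner-write bit is set on the path. We inspect the mode
# string (third character of ls -ld output) rather than test -w, because
# test -w reports the caller's access, not the owner's.
dir_owner_writable() {
    [ "$(ls -ld "$1" | cut -c3)" = "w" ]
}

# check_tmp_dir DIR USER
# Return 0 when DIR exists, is owned by USER and USER can write to it;
# otherwise print the reason to stderr and return 1.
check_tmp_dir() {
    dir="$1"
    expected_user="$2"
    if [ ! -d "$dir" ]; then
        echo "missing: $dir does not exist or is not a directory" >&2
        return 1
    fi
    owner=$(dir_owner "$dir")
    if [ "$owner" != "$expected_user" ]; then
        echo "owner mismatch: $dir is owned by $owner, expected $expected_user" >&2
        return 1
    fi
    if ! dir_owner_writable "$dir"; then
        echo "not writable: owner $owner has no write permission on $dir" >&2
        return 1
    fi
    return 0
}

# diagnose DIR
# Compare DIR against the user this shell runs as (inside the container
# that is the same user the httpd init process runs as) and print a hint
# matching the two fixes discussed in the thread.
diagnose() {
    dir="$1"
    me=$(id -un)
    if check_tmp_dir "$dir" "$me"; then
        echo "ok: $dir is owned and writable by $me"
        return 0
    fi
    echo "hint: Multipart temp files are created as the user httpd runs as ($me)." >&2
    echo "      Either end the Dockerfile with 'USER httpd' so the server does not run as root," >&2
    echo "      or point MODSEC_TMP_DIR at a directory $me can write to." >&2
    return 1
}

# Usage inside the container: sh modsec-tmp-check.sh [DIR]
# Runs only when invoked under the assumed script name, so the functions
# can also be sourced from another script without side effects.
if [ "${0##*/}" = "modsec-tmp-check.sh" ]; then
    diagnose "${1:-/tmp/modsecurity/tmp}"
fi
```

Run it as the server user (for example `docker exec -u httpd waf sh modsec-tmp-check.sh`) rather than as root: as root every directory looks writable and the ownership mismatch that caused the error above would go unnoticed.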