Open xBounceIT opened 4 days ago
Sounds reasonable. Do you want to send a PR for this?
I think we need to fix the permissions of that directory instead, like we do for the other directories already.
Looking at the Dockerfile, the directory /tmp/modsecurity and all children should belong to httpd:httpd, and there shouldn't be an issue with permissions at all.
I've checked and the permissions look ok. @xBounceIT, which tag are you using exactly?
Do you mean image tag? I am currently running 4.3.0-apache-202406090906
Yes, thanks.
Permissions and ownership look as expected. The init process is running as httpd, which is the same user that owns that directory.
How are you running the image? Can you please provide a way for us to recreate your issue? E.g., docker compose file or shell script.
Sure, this is the docker compose and Dockerfile (since we use this image as a base and install modevasive too).
Docker compose:
version: '3'
services:
  waf:
    image: syncsec/waf:4.3.0
    container_name: waf
    hostname: waf
    restart: unless-stopped
    ports:
      - "443:8443"
      - "80:8080"
    environment:
      - TZ=Europe/Rome
      - PROXY=1
      - ERRORLOG=/var/log/apache2/error.log
      - MODSEC_AUDIT_LOG=/var/log/apache2/modsec/modsec_audit.log
      - MODSEC_DEBUG_LOG=/var/log/apache2/modsec/modsec_debug.log
      - MODSEC_DISABLE_BACKEND_COMPRESSION=On
      - MODSEC_PCRE_MATCH_LIMIT=1000000
      - ALLOWED_METHODS=GET HEAD POST OPTIONS PUT PROPFIND
      - ALLOWED_REQUEST_CONTENT_TYPE=|text/plain| |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/octet-stream|
      - SSL_OCSP_STAPLING=Off
      - SSL_PORT=8443
      - PORT=8080
      - MODSEC_TMP_DIR=/tmp
    volumes:
      # Custom vhosts
      - ./persistence/conf.d:/opt/conf.d
      # - ./persistence/conf.d/mod_security.conf:/etc/modsecurity.d/modsecurity.conf:ro
      # SSL
      - ./persistence/ssl:/usr/local/apache2/conf/ssl
      # Logs
      - ./persistence/log:/var/log/apache2
Dockerfile:
# Use the OWASP ModSecurity CRS base image with Apache
FROM owasp/modsecurity-crs:4.3.0-apache-202406090906
USER root
# Enable custom configurations
RUN sed -i 's/Include conf\/extra\/httpd-vhosts.conf/Include \/opt\/conf.d\/*.conf/' /usr/local/apache2/conf/httpd.conf
# Update package list, install necessary packages, and clean up
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y apache2-utils libapache2-mod-evasive && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
Looks like your issue is that you change the user to root. Because of that, httpd will run as root with workers spawned as www-data.
Resetting the user after installing the extra packages should do the trick:
USER httpd
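An added check (not from this thread or the CRS project) that detects the mismatch described above: it compares the users of the httpd processes reported by `ps -o user=,comm=` inside the container against the owner of the ModSecurity tmp directory (e.g. from `stat -c %U /tmp/modsecurity`). The process listings below are constructed samples for the broken and the fixed state.

```shell
#!/bin/sh
# check_modsec_tmp_owner <ps_output> <dir_owner>
#   ps_output : lines of "<user> <comm>" as printed by `ps -o user=,comm=`
#   dir_owner : owner of the ModSecurity tmp directory (expected: httpd)
# Returns 0 when every httpd/apache2 process runs as the directory owner,
# 1 otherwise, printing the offending users. A root parent with www-data
# workers is exactly the state that produces the permission errors above.
check_modsec_tmp_owner() {
  ps_out=$1
  dir_owner=$2
  bad=$(printf '%s\n' "$ps_out" | awk -v owner="$dir_owner" '
    ($2 == "httpd" || $2 == "apache2") && $1 != owner { print $1 }' | sort -u)
  if [ -n "$bad" ]; then
    printf 'httpd processes not running as %s: %s\n' \
      "$dir_owner" "$(printf '%s' "$bad" | tr '\n' ' ')"
    return 1
  fi
  return 0
}

# Constructed sample: Dockerfile left at USER root (parent root, workers www-data).
BROKEN_PS='root httpd
www-data httpd
www-data httpd'

# Constructed sample: USER httpd restored after the package installation.
FIXED_PS='httpd httpd
httpd httpd'

check_modsec_tmp_owner "$BROKEN_PS" httpd || echo 'misconfigured: reset USER in the Dockerfile'
check_modsec_tmp_owner "$FIXED_PS" httpd && echo 'ok: httpd runs as the directory owner'
```

Inside a running container the two inputs come from `ps -o user=,comm=` and `stat -c %U "$MODSEC_TMP_DIR/modsecurity"`.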
After upgrading from container v3.3.5 to v4.3.0, this error has been appearing constantly.
It seems to be due to Apache not running as root, and the only fix I have found is to change the MODSEC_TMP_DIR variable from the default (which doesn't seem to work) to a more accessible "/tmp".