ModSecurity: Multipart parsing error: Multipart: Failed to create file: /tmp/modsecurity/tmp/ #269

Open
xBounceIT opened this issue Jul 5, 2024 · 9 comments

@xBounceIT

After upgrading from container v3.3.5 to v4.3.0, this error has been appearing constantly.

It seems to be due to Apache not running as root, and the only fix I have found is to change the MODSEC_TMP_DIR variable from the default (which doesn't seem to work) to a more accessible "/tmp".

@fzipi
Member

fzipi commented Jul 7, 2024

Sounds reasonable. Do you want to send a PR for this?

fzipi added the bug label Jul 7, 2024
@theseion
Contributor

theseion commented Jul 7, 2024

I think we need to fix the permissions of that directory instead, like we do for the other directories already.

@theseion
Contributor

theseion commented Jul 7, 2024

Looking at the Dockerfile, the directory /tmp/modsecurity and all children should belong to httpd:httpd and there shouldn't be an issue with permissions at all.

@theseion
Contributor

theseion commented Jul 7, 2024

I've checked and the permissions look ok. @xBounceIT, which tag are you using exactly?

@xBounceIT
Author

> I've checked and the permissions look ok. @xBounceIT, which tag are you using exactly?

Do you mean image tag? I am currently running 4.3.0-apache-202406090906

@theseion
Contributor

theseion commented Jul 9, 2024

Yes, thanks.

@theseion
Contributor

theseion commented Jul 9, 2024

Permissions and ownership look as expected. The init process is running as httpd, which is the same user that owns that directory.

How are you running the image? Can you please provide a way for us to recreate your issue? E.g., docker compose file or shell script.

theseion self-assigned this Jul 9, 2024
@xBounceIT
Author

Sure, this is the docker compose and Dockerfile (since we use this image as a base and install mod_evasive too).

Docker compose:

```yaml
version: '3'
services:
  waf:
    image: syncsec/waf:4.3.0
    container_name: waf
    hostname: waf
    restart: unless-stopped
    ports:
    - "443:8443"
    - "80:8080"
    environment:
    - TZ=Europe/Rome
    - PROXY=1
    - ERRORLOG=/var/log/apache2/error.log
    - MODSEC_AUDIT_LOG=/var/log/apache2/modsec/modsec_audit.log
    - MODSEC_DEBUG_LOG=/var/log/apache2/modsec/modsec_debug.log
    - MODSEC_DISABLE_BACKEND_COMPRESSION=On
    - MODSEC_PCRE_MATCH_LIMIT=1000000
    - ALLOWED_METHODS=GET HEAD POST OPTIONS PUT PROPFIND
    - ALLOWED_REQUEST_CONTENT_TYPE=|text/plain| |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/octet-stream|
    - SSL_OCSP_STAPLING=Off
    - SSL_PORT=8443
    - PORT=8080
    - MODSEC_TMP_DIR=/tmp
    volumes:
    # Custom vhosts
    - ./persistence/conf.d:/opt/conf.d
#    - ./persistence/conf.d/mod_security.conf:/etc/modsecurity.d/modsecurity.conf:ro
    # SSL
    - ./persistence/ssl:/usr/local/apache2/conf/ssl
    # Logs
    - ./persistence/log:/var/log/apache2
```

Dockerfile:

```dockerfile
# Use the OWASP ModSecurity CRS base image with Apache
FROM owasp/modsecurity-crs:4.3.0-apache-202406090906

USER root

# Enable custom configurations
RUN sed -i 's/Include conf\/extra\/httpd-vhosts.conf/Include \/opt\/conf.d\/*.conf/' /usr/local/apache2/conf/httpd.conf

# Update package list, install necessary packages, and clean up
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y apache2-utils libapache2-mod-evasive && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
```

@theseion
Contributor

theseion commented Jul 9, 2024

Looks like your issue is that you change the user to root. Because of that, httpd will run as root with workers spawned as www-data.
Resetting the user after installing the extra packages should do the trick:

```dockerfile
USER httpd
```
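
A pre-build check for the mistake diagnosed above, as an added example that is not part of the thread or the project's own code: it reports the user a derived Dockerfile ends on, so a `USER root` that is never reset is caught before the image ships. The function names are hypothetical, and the sample Dockerfile is a shortened copy of the one posted in this issue.

```python
import re

ROOT_IDS = {"root", "0"}

def stage_users(dockerfile_text):
    """Return a list of (base_image, last_USER_or_None), one per build stage."""
    # Drop comment lines first (Docker also ignores them inside continued RUNs),
    # then join backslash line continuations into single instructions.
    lines = [l for l in dockerfile_text.splitlines() if not l.lstrip().startswith("#")]
    joined = re.sub(r"\\[ \t]*\n", " ", "\n".join(lines))
    stages = []
    for line in joined.splitlines():
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        instr = parts[0].upper()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if instr == "FROM" and arg:
            stages.append([arg.split()[0], None])   # a new stage starts as the base's user
        elif instr == "USER" and stages:
            stages[-1][1] = arg.split(":")[0]       # ignore the optional :group part
    return [tuple(s) for s in stages]

def final_user(dockerfile_text):
    """User the built image runs as; None means 'inherited from the base image'."""
    stages = stage_users(dockerfile_text)
    if not stages:
        raise ValueError("no FROM instruction found")
    return stages[-1][1]

def runs_as_root(dockerfile_text):
    return final_user(dockerfile_text) in ROOT_IDS

# Shortened copy of the Dockerfile from this issue (the 'before' state).
BEFORE = r"""# Use the OWASP ModSecurity CRS base image with Apache
FROM owasp/modsecurity-crs:4.3.0-apache-202406090906
USER root
RUN apt-get update && \
    # comment inside a continued RUN
    apt-get install -y apache2-utils libapache2-mod-evasive
"""
# The same file with the reset suggested in the last comment.
AFTER = BEFORE + "USER httpd\n"

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, "final user:", final_user(text), "root:", runs_as_root(text))
```

A result of `None` only says the Dockerfile itself never sets a user; what the image then runs as depends on the base image.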
