[Owasp-modsecurity-core-rule-set] Input filter: failed to create temporary file

Matthew Saltzman mjs at clemson.edu
Mon Jan 11 22:04:28 EST 2010


On Mon, 2010-01-11 at 12:46 -0800, Brian Rectanus wrote: 
> Matthew Saltzman wrote:
> > On Mon, 2010-01-11 at 12:57 -0500, Ryan Barnett wrote: 
> >> On Monday 11 January 2010 12:50:00 pm Matthew Saltzman wrote:
> >>> On Mon, 2010-01-11 at 11:57 -0500, Ryan Barnett wrote:
> >>>> On Friday 08 January 2010 08:26:35 pm Matthew Saltzman wrote:
> >>>>> Hello, I hope I'm in the right place--I'm a complete newbie at this and
> >>>>> it's not my day job.
> >>>>>
> >>>>> Could someone please explain to me what's going on with the following:
> >>>>>
> >>>>>         [Fri Jan 08 13:07:45 2010] [error] [client 129.138.19.192] ModSecurity: Input filter: Failed to create temporary file: /tmp/httpd/20100108-130745-EHX6ekKtxHEAACF9asQAAAAB-request_body-RFm2a5 [hostname "projects.coin-or.org"] [uri "/Csdp/attachment/wiki/WikiStart/"] [unique_id "EHX6ekKtxHEAACF9asQAAAAB"]
> >>>>>         [Fri Jan 08 13:07:45 2010] [error] [client 129.138.19.192] ModSecurity: Input filter: Failed to delete temporary file: /tmp/httpd/20100108-130745-EHX6ekKtxHEAACF9asQAAAAB-request_body-RFm2a5 [hostname "projects.coin-or.org"] [uri "/Csdp/attachment/wiki/WikiStart/"] [unique_id "EHX6ekKtxHEAACF9asQAAAAB"]
> >>>>>
> >>>>> I have a pristine installation of mod_security-2.5.9-1.el5 from the
> >>>>> EPEL repository on a Red Hat Enterprise 5 system.  The problem is from
> >>>>> a trac-0.11.5-1.el5.rf project page.
> >>>>>
> >>>>> If you need more info to help, I'm glad to provide whatever I can, or
> >>>>> if I should be asking elsewhere, please let me know.  TIA for your kind
> >>>>> assistance.
> >>>> Matt,
> >>>> Looking at the error message and the temporary path/filename ModSecurity
> >>>> is attempting to create, this looks like it is related to either the
> >>>> SecTmpDir or SecUploadDir directives -
> >>>>
> >>>> http://www.modsecurity.org/documentation/modsecurity-apache/2.5.11/modsecurity2-apache-reference.html#N10C18
> >>>>
> >>>> Check your mod configs and see where you have specified /tmp/httpd in
> >>>> those directives.  You will need to follow the ownership/perms
> >>>> requirements for these directives related to the Apache user.
> >>> Both of these directives in modsecurity_crs_10_config.conf are set
> >>> to /tmp.
> >>>
> >>> $ ls -ld /tmp
> >>> drwxrwxrwt 7 root root 4096 Jan 11 12:45 /tmp
> >>>
> >>> Actually,
> >>>
> >>> $ ls -ldZ /tmp
> >>> drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp
> >>>
> >>> Could this be an SELinux issue?
> >>>
> >> Good question.  Anyone else running SELinux run into similar perm issues?
> >>
> >> I will also check with Brian Rectanus (Lead Mod Developer).
> > 
> > Answering my own question: no, changing to permissive mode doesn't affect
> > the error.
> 
> I don't think temp files will create the directory structure (working
> from memory here).  Verify that it does not happen after creating
> /tmp/httpd with mode 1777.  I would not create it there, though.  Better
> in something like /var/httpd/modsec/tmp and used only for modsec.

Interesting:

      * Making /tmp/httpd, mode 1777, owner apache:apache solves the
        problem.

This seems like a bug--you can't count on the directory to exist
(particularly if it lives in /tmp), so you have to check and either not
use it or create it.

      * Changing /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
        to point to a different directory for SecUploadDir, SecDataDir,
        and SecTmpDir and either reloading or restarting httpd doesn't
        change where the file is created--it's still in /tmp. 
      * Moving the directives to modsecurity_localrules.conf has the
        same lack of effect on the location where the file is written.

So either I'm doing something wrong here, or my directives are being
ignored for some reason.  More hints welcome.

Thanks for your help so far.

> 
> -B
> 

-- 
                Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
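
An added example, not part of the original message: a POSIX shell check for the two symptoms in this thread, a configured ModSecurity directory that does not exist and a directive edit that appears to have no effect. It lists every SecTmpDir, SecUploadDir and SecDataDir definition under a config tree (for instance /etc/httpd) so a second definition in another file shows up, and reports the state of each target directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# check_dir PATH -> prints missing | not-a-directory | not-writable | ok
# The result applies to the user running the script, so run it as the
# Apache user (root passes the write test on any directory).
check_dir() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -d "$1" ]; then echo not-a-directory
    elif [ ! -w "$1" ] || [ ! -x "$1" ]; then echo not-writable
    else echo ok
    fi
}

# find_modsec_dirs CONF_ROOT -> prints "file:line directive path" per definition.
# Commented-out lines are skipped; paths containing spaces are not handled.
find_modsec_dirs() {
    grep -rHniE '^[[:space:]]*Sec(Tmp|Upload|Data)Dir[[:space:]]+[^[:space:]]' "$1" |
    while IFS=: read -r file line rest; do
        set -f; set -- $rest; set +f      # split "SecTmpDir /path" into $1 $2
        dir=${2#\"}; dir=${dir%\"}        # drop optional surrounding quotes
        printf '%s:%s %s %s\n' "$file" "$line" "$1" "$dir"
    done
}

# audit_modsec_dirs CONF_ROOT -> prints "status directive path (file:line)".
# The same directive appearing on more than one line means the file you
# edited is not the only place that sets it.
audit_modsec_dirs() {
    find_modsec_dirs "$1" | while read -r where name dir; do
        printf '%s %s %s (%s)\n' "$(check_dir "$dir")" "$name" "$dir" "$where"
    done
}

# Usage: sh this-script /etc/httpd
if [ "$#" -gt 0 ]; then audit_modsec_dirs "$1"; fi
```

A `missing` line corresponds to the "Failed to create temporary file" error quoted above: the directory has to exist before the module can write to it.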

