Public bug reported: By default, SecTmpDir is set to "/tmp", but it is recommended to change this to reference a location without general read permissions. It is not documented anywhere that I can find (but appears from experimentation to be the case) that one cannot use a subdirectory of /tmp (or of /var/tmp) as SecTmpDir. Attempting to do so results in errors such as the following when uploading files larger than the in-memory limit:
``` [Thu Aug 01 12:11:20.206816 2019] [:error] [pid 20747] [client XXX:34636] [client XXX] ModSecurity: Failed to open temporary file for reading: /var/tmp/modsecurity/20190801-121119-XULW4nH8B6zTbIg@QC9oyQAAAAQ-request_body-hki209 [hostname "XXX"] [uri "/wp-admin/async-upload.php"] [unique_id "XULW4nH8B6zTbIg@QC9oyQAAAAQ"], referer: https://XXX/wp-admin/upload.php [Thu Aug 01 12:11:20.472808 2019] [:error] [pid 20747] [client XXX:34636] [client XXX] ModSecurity: Input filter: Error reading from temporary file: Bad file descriptor [hostname "XXX"] [uri "/wp-admin/async-upload.php"] [unique_id "XULW4nH8B6zTbIg@QC9oyQAAAAQ"], referer: https://XXX/wp-admin/upload.php [Thu Aug 01 12:11:20.474908 2019] [:error] [pid 20747] [client XXX:34636] [client XXX] ModSecurity: Input filter: Error reading from temporary file: Bad file descriptor [hostname "XXX"] [uri "/wp-admin/async-upload.php"] [unique_id "XULW4nH8B6zTbIg@QC9oyQAAAAQ"], referer: https://XXX/wp-admin/upload.php [Thu Aug 01 12:11:20.475367 2019] [:error] [pid 20747] [client XXX:34636] [client XXX] ModSecurity: Input filter: Failed to delete temporary file: /var/tmp/modsecurity/20190801-121119-XULW4nH8B6zTbIg@QC9oyQAAAAQ-request_body-hki209 [hostname "XXX"] [uri "/wp-admin/async-upload.php"] [unique_id "XULW4nH8B6zTbIg@QC9oyQAAAAQ"], referer: https://XXX/wp-admin/upload.php ``` It appears that the temporary file has silently failed to be written to /var/tmp/modsecurity, causing secondary errors on attempted read and delete. The same secondary errors are thrown if any SecTmpDir is unwritable by www-data, indicating that there is a generally-silent primary error on write. It is not clear why subdirectories of /tmp and /var/tmp should be unusable as SecTmpDir, since /tmp and /var/tmp, while not recommended, are themselves usable, and the same security concerns would apply. Expected behaviour ------------------ At the very least, one or more of the following should apply: 1) the error when attempting to write to an invalid SecTmpDir should be noisy 2) modsecurity should test for an invalid SecTmpDir on startup and throw a meaningful warning 3) for consistency, it should be either allowed to use subdirectories of /tmp and /var/tmp, or forbidden entirely from using /tmp or /var/tmp, as SecTmpDir. System info ----------- ii libapache2-mod-security2 2.9.2-1 amd64 Tighten web applications security for Apache Description: Ubuntu 18.04.1 LTS Release: 18.04 ** Affects: modsecurity-apache (Ubuntu) Importance: Undecided Status: New ** Description changed: By default, SecTmpDir is set to "/tmp", but it is recommended to change this to reference a location without general read permissions. It is not documented anywhere that I can find (but appears from experimentation to be the case) that one cannot use a subdirectory of /tmp (or of /var/tmp) as SecTmpDir. Attempting to do so results in errors such as the following when uploading files larger than the in-memory limit: ``` - 2019] [:error] [pid 20747] [client XXX:34636] [client XXX] ModSecurity: Failed to open temporary file for reading: /var/tmp/modsecurity/20190801-121119-XULW4nH8B6zTbIg@QC9oyQAAAAQ-request_body-hki209 [hostname "XXX"] [uri "/wp-admin/async-upload.php"] [unique_id "XULW4nH8B6zTbIg@QC9oyQAAAAQ"], referer: https://XXX/wp-admin/upload.php + [Thu Aug 01 12:11:20.206816 2019] [:error] [pid 20747] [client XXX:34636] [client XXX] ModSecurity: Failed to open temporary file for reading: /var/tmp/modsecurity/20190801-121119-XULW4nH8B6zTbIg@QC9oyQAAAAQ-request_body-hki209 [hostname "XXX"] [uri "/wp-admin/async-upload.php"] [unique_id "XULW4nH8B6zTbIg@QC9oyQAAAAQ"], referer: https://XXX/wp-admin/upload.php [Thu Aug 01 12:11:20.472808 2019] [:error] [pid 20747] [client XXX:34636] [client XXX] ModSecurity: Input filter: Error reading from temporary file: Bad file descriptor [hostname "XXX"] [uri "/wp-admin/async-upload.php"] [unique_id "XULW4nH8B6zTbIg@QC9oyQAAAAQ"], referer: https://XXX/wp-admin/upload.php [Thu Aug 01 12:11:20.474908 2019] [:error] [pid 20747] [client XXX:34636] [client XXX] ModSecurity: Input filter: Error reading from temporary file: Bad file descriptor [hostname "XXX"] [uri "/wp-admin/async-upload.php"] [unique_id "XULW4nH8B6zTbIg@QC9oyQAAAAQ"], referer: https://XXX/wp-admin/upload.php [Thu Aug 01 12:11:20.475367 2019] [:error] [pid 20747] [client XXX:34636] [client XXX] ModSecurity: Input filter: Failed to delete temporary file: /var/tmp/modsecurity/20190801-121119-XULW4nH8B6zTbIg@QC9oyQAAAAQ-request_body-hki209 [hostname "XXX"] [uri "/wp-admin/async-upload.php"] [unique_id "XULW4nH8B6zTbIg@QC9oyQAAAAQ"], referer: https://XXX/wp-admin/upload.php ``` It appears that the temporary file has silently failed to be written to /var/tmp/modsecurity, causing secondary errors on attempted read and delete. The same secondary errors are thrown if any SecTmpDir is unwritable by www-data, indicating that there is a generally-silent primary error on write. It is not clear why subdirectories of /tmp and /var/tmp should be unusable as SecTmpDir, since /tmp and /var/tmp, while not recommended, are themselves usable, and the same security concerns would apply. Expected behaviour ------------------ At the very least, one or more of the following should apply: 1) the error when attempting to write to an invalid SecTmpDir should be noisy 2) modsecurity should test for an invalid SecTmpDir on startup and throw a meaningful warning 3) for consistency, it should be either allowed to use subdirectories of /tmp and /var/tmp, or forbidden entirely from using /tmp or /var/tmp, as SecTmpDir. System info ----------- ii libapache2-mod-security2 2.9.2-1 amd64 Tighten web applications security for Apache Description: Ubuntu 18.04.1 LTS Release: 18.04 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1838636 Title: SecTmpDir operation has undocumented restrictions To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/modsecurity-apache/+bug/1838636/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs