Hello,

I search the list via the source-forge search function to research similar problems but did not find an answer.

I've just installed mod_security 2.5.7 and clamav on a gentoo linux server running apache 2.2 with a view to scanning files uploaded via php script.

here's my very basic mod_security config:
 egrep -v "^$|^#"  /etc/apache2/modules.d/mod_security/10_config.conf
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288
SecDefaultAction "phase:2,log,pass,status:500"
SecUploadDir /var/www/localhost/uploads_mod_security
SecUploadKeepFiles On
 SecRule FILES_TMPNAMES "@inspectFile /var/www/localhost/perl/modsec-clamscan.pl" \
       "t:none"
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^[45]"
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
SecAuditLogParts "ABIFHZ"

SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDebugLog             /var/log/apache2/modsec_debug.log
SecDebugLogLevel        5
SecDataDir /var/www/localhost/mod_security/SecDataDir
SecTmpDir /var/www/localhost/mod_security/SecTmpDir
SecRule RESPONSE_STATUS "!^(?:30[12]|[45]\d\d)$" "phase:3,pass,nolog,initcol:resource=%{REQUEST_FILENAME}"

To go along with that I created
 /var/www/localhost/mod_security/SecDataDir
 /var/www/localhost/mod_security/SecTmpDir
 /var/www/localhost/uploads_mod_security
all with permissions 0770 during development on a dev only server

I can see that the files are being uploaded and processed as they end up in
 /var/www/localhost/uploads_mod_security

but they don't end up where they normally would end up in the normal directory upload directory for php scripts, that is, $_FILES['upload']['tmp_name'] and the move from there fails since the file doesn't arrive there after the scan.
For instance php is looking for a file named /var/www/localhost/uploads_as/phpIc1CXj after one such upload so $_FILES['upload'] is pointing at /var/www/localhost/uploads_as as defined in the php.ini file.

The server is configured with apache being a member of a group that has read-write permissions to all those folders.

Here's the last line from the log where it copies over the file
[22/Dec/2008:13:23:42 --0800] [mywebsite/sid#12859288][rid#12c9c510][/utst.php][4] Input filter: Moved file from "/var/www/localhost/mod_security/SecTmpDir/20081222-132342-SVAFXoTvDDcAAGTZBW4AAAAA-file-jZ3Wva" to "/var/www/localhost/uploads_mod_security/20081222-132342-SVAFXoTvDDcAAGTZBW4AAAAA-file-jZ3Wva".

and here's that file moved there
-rw------- 1 apache apache 272 Dec 22 13:23 20081222-132342-SVAFXoTvDDcAAGTZBW4AAAAA-file-jZ3Wva

In case it was causing problems I tried setting SecUploadFileMode 0660 but apache did not like that:
/etc/init.d/apache2 restart
 * Stopping apache2 ...
Syntax error on line 152 of /etc/apache2/modules.d/mod_security/10_config.conf:
Invalid command 'SecUploadFileMode', perhaps misspelled or defined by a module not included in the server configuration                                   [ ok ]
 * Apache2 has detected a syntax error in your configuration files:
Syntax error on line 152 of /etc/apache2/modules.d/mod_security/10_config.conf:
Invalid command 'SecUploadFileMode', perhaps misspelled or defined by a module not included in the server configuration
that's a little odd since that flag is mentioned in the docs.

I know it's getting close to holiday time but if you could give me a little guidance I'd much appreciate it.

Thanks,
Jonny