[mod-security-users] Trouble with inspectFile

[hanj <ma...@as...>]

On Sat, 24 Feb 2007 10:41:18 +0530
<Aru...@co...> wrote:
> Hi Ariel
> 
> We can use shell script to inspect the files....can u tell me in secdefaultaction what phase u have applied...generaly inspect upload files will run only in phase 2
> 
> In our environment i use the below rule to inspect the file
> SecTmpDir /tmp
> SecRule FILES_TMPNAMES "@inspectFile /bin/uploadparse.sh" "phase:2,log,deny,t:none"
> SecUploadKeepFiles On
> 
> One more problem i am facing in the above rule is if i turn Off the SecUploadKeepFiles  then inspect files is not running...regarding this issue i send out a mail to this group but i have not got any reply.
> 
> Regards,
> Arun




Hello

I just recently updated to 2.1.1 from 1.9.4 and no matter what I can't
get my approver script to be executed by mod_sec. I tried with both
SecUploadKeepFiles On and Off, nothing happens with both.I added
ctl:debugLogLevel=9 and nothing shows up in my modsec_debug.log. All
other rule handling seem to work as expected, but sending 'good' and
'bad' files.. they all are being uploaded to the server. It almost
appears that mod_sec is not executing the file at all.

I'm also using mod_chroot and the environment is chroot'd. My approver
script and associated binaries are in the jail.

SecRule FILES_TMPNAMES "@inspectFile /approver/file.sh" \
	t:none,ctl:debugLogLevel=9"

I also tried 
SecRule FILES_TMPNAMES "@inspectFile /approver/file.sh"
"phase:2,log,deny,t:none"

Nothing happens with either change and the file is successfully
uploaded.

Here are my relevant packages:
apache-2.0.58-r2
mod_security-2.1.1
mod_chroot-0.4

I also noticed if I move file.sh to file.sh.dump, it doesn't even
complain that it's not there. 

I rolled back to mod_security-1.9.4 to verify that approver script
is readable/executable in the chroot, and it worked flawlessly.

It has to be something simple. Thanks for your help!!!!