In my mod-security config, I am setting the file mode as follows:

SecUploadFileMode 0640

This worked fine for me in ModSecurity 2.6.8, giving the expected permission set:

-rw-r----- 1 web_apache_sa clamav 3164 Dec 14 13:47 20121214-134722-UMst6oveeK0AAB22NP0AAADI-file-OhLOox

Today I upgraded to ModSecurity 2.7.1 (built from source), and I now get:

-rw------- 1 web_apache_sa clamav 3164 Dec 14 13:31 20121214-133123-UMsqK4veeK0AAAxoz2AAAAAS-file-ICjJbM

Thinking this was probably something I’d done wrong (as I’m new to mod_security), I rebuilt mod_security 2.6.8 with exactly the same settings as I’d built 2.7.1, and this results in the files having the file permissions I expected.

Does anyone know if this is a bug? The only thing I can find in JIRA is MODSEC-247, where release 2.6.1 appeared to have this issue, but this was fixed. Or is there some specification change I’ve missed that means I should be doing something differently?

Thanks for taking the time to read this,

Paul
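
A check for the behaviour reported above, as an added example that is not part of the original post or of ModSecurity: it reads the SecUploadFileMode value from a config fragment and lists the files in an upload directory whose permission bits differ from it, with the bits that are missing. The function names, the sample file names and the config fragment are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Matches the directive as written in the post: SecUploadFileMode 0640
DIRECTIVE = re.compile(r"^\s*SecUploadFileMode\s+(0[0-7]{3})\s*$", re.M | re.I)


def configured_mode(config_text):
    """Return the last SecUploadFileMode value in config_text as an int, or None."""
    values = DIRECTIVE.findall(config_text)
    return int(values[-1], 8) if values else None


def audit_upload_dir(directory, expected):
    """Return [(name, actual_mode, missing_bits)] for regular files not at `expected`."""
    findings = []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if not entry.is_file(follow_symlinks=False):
            continue
        actual = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
        if actual != expected:
            # Bits the directive asks for that the file on disk lacks.
            findings.append((entry.name, actual, expected & ~actual))
    return findings


def demo():
    """Constructed sample: one file at 0640 and one at 0600, as in the two listings."""
    config = "# constructed config fragment\nSecUploadFileMode 0640\n"
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("sample-file-ok", 0o640), ("sample-file-bad", 0o600)):
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed upload body")
            os.chmod(path, mode)  # set explicitly so the umask plays no part
        return audit_upload_dir(d, configured_mode(config))


if __name__ == "__main__":
    for name, actual, missing in demo():
        print(f"{name}: mode {actual:04o}, missing bits {missing:04o}")
```

A missing-bits value of 0040 is the group-read bit, which is the difference between the two listings in the post.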