Hi Breno, hmm that’s strange. Could you try with a user who is not nobody? Are you trying this with the 2.7.5 beta? I think we’re still on 2.7.3. I’m not sure if that could be affecting things?

 

I’m definitely not the only one with this problem: see https://www.atomicorp.com/wiki/index.php/Atomicorp_WAF_Rules_Troubleshooting#Failed_to_create_subdirectories

According to AtomiCorp it’s impossible to do this, they claim it’s a bug in mod_ruid2.

 

I have tried this on at least 3 different servers, I’ve not been able to make it work on any, and I’ve spent many hours trying. As I mentioned before, since Modsecurity is being packaged up by EasyApache, I don’t have documentation on how to upgrade outside of that ecosystem.

 

I see that Modsecurity 2.7.4 is available in EasyApache now but upgrading involves a recompile of the whole of Apache which takes a while and isn’t something I can do on production servers at will!

 

Unfortunately (or fortunately, depending on how you see it!), I’ve got to drop this now to wrap up other work before I go on holiday tomorrow. I’m afraid I’ll have to pick this up again after the 15th August. Many thanks for your help up until now, it’s much appreciated! When I get back I’m happy to spin up a development server and give you root access so that we can try and narrow this down.

 

Regards, Ben

 

From: Breno Silva [mailto:breno.silva@gmail.com]
Sent: 25 July 2013 14:07
To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

 

Hello Ben,

 

I think it is working. Now I set two vhosts, one for user brenosilva and one for user nobody.

Then I submit two requests:

 

root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/*
total 16
196266 4 drwxrwxrwx 2 nobody     www-data 4096 2013-07-25 05:02 .
196265 4 drwxrwxrwx 3 nobody     www-data 4096 2013-07-25 05:02 ..
142051 4 -rwxrwxrwx 1 nobody     www-data 1658 2013-07-25 05:02 20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA

root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130725/20130725-0502/20130725-0502*
142051 4 -rwxrwxrwx 1 nobody     www-data 1658 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050221-UfETzcCoAGcAAAHtLL4AAAAD
172487 4 -rwxrwxrwx 1 brenosilva www-data 1753 2013-07-25 05:02 /var/log/apache2/20130725/20130725-0502/20130725-050237-UfET3cCoAGcAAAHtLL8AAAAA

 

Audit log files were created for both users. No permission denied errors. Can you try to reproduce at least this test?

 

Breno

 

On Thu, Jul 25, 2013 at 4:53 AM, Ben Empson <ben@arrayx.co.uk> wrote:

Hi Breno, here’s my configs:

 

mod_ruid2.conf:
<IfModule mod_ruid2.c>
    RMode config
    RDefaultUidGid nobody nobody
    RUidGid nobody nobody
</IfModule>

httpd.conf:
Every virtual host has the following block (obviously with the actual user / group). User and group always have the same name which is the cPanel account name:

<IfModule mod_ruid2.c>
        RMode config
        RUidGid {user} {group}
</IfModule>

 

modsecurity2.user.conf:
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
SecAuditLogType Concurrent
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 20621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyLimit 20621440
SecRequestBodyInMemoryLimit 2062144
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

SecAuditLogDirMode 0777
SecAuditLogFileMode 0777

Include /usr/local/apache/conf/modsec_rules/*asl*.conf
# this file is empty
Include /usr/local/apache/conf/modsec2.whitelist.conf

 

 

I’m not sure you’re testing the same thing as me. You will need to have at least 2 virtual hosts, and you will need to call them in such a way that ModSecurity will generate an audit log in the same minute. It’s only under these conditions that the permissions problem arises, otherwise new directories and logs are simply created by a single user and there’s no problem. Obviously on a busy server these conditions are easily met.

 

From: Breno Silva [mailto:breno.silva@gmail.com]
Sent: 24 July 2013 20:17
To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

 

Hello Ben,

 

This is what I'm trying to do as a test. Let me know if the config is similar on your side:

 

httpd.conf:
Rmode config
RuidGid www-data www-data
Rgroups brenosilva

virtual-host.conf:
RuidGid brenosilva www-data
and
RuidGid www-data www-data

modsecurity.conf:
SecAuditLogDirMode 0777
SecAuditLogFileMode 0777
SecAuditLogStorageDir /var/log/apache2

 

Then I set umask 000 during Apache runtime.

 

ls -lisa /var/log/apache2/*
196265 4 drwxrwxrwx 4 brenosilva www-data 4096 2013-07-22 23:25 .
188049 4 drwxrwxrwx 3 root       root     4096 2013-07-22 23:24 ..
196266 4 drwxrwxrwx 2 brenosilva www-data 4096 2013-07-22 23:24 20130722-2324
196267 4 drwxrwxrwx 2 www-data   www-data 4096 2013-07-22 23:25 20130722-2325

 

No more permission denied errors. For sure 777 is not the best solution :) .... but I think it is possible to do the same concept using 770 permission.

 

Breno
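
Added example, not part of the original thread: the permission-class check behind the failure Ben describes, where a second vhost account must create files inside a per-minute directory that another account created, and behind Breno's 0777 versus 0770 remark. The account names vhost_a and vhost_b, the shared-group assumption and the temporary directory tree are constructed for illustration; root's bypass of permission checks is not modelled.

```python
import os
import stat
import tempfile

def can_create_in(st, uid, gids):
    """POSIX class check (owner, else group, else other; root not modelled):
    creating an entry in a directory needs write (2) plus search (1)."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bits & 0o3 == 0o3

def audit_tree(root, accounts):
    """Report directories some account cannot create entries in, and
    directories any local user can write to."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        st = os.stat(dirpath)
        blocked = sorted(name for name, (uid, gids) in accounts.items()
                         if not can_create_in(st, uid, gids))
        if blocked:
            findings.append((dirpath, "blocked", blocked))
        if st.st_mode & stat.S_IWOTH:
            findings.append((dirpath, "world-writable", []))
    return findings

def simulate(mode, share_group):
    """Constructed tree <root>/20130725/20130725-0502, all directories set to
    `mode` and owned by the current user; vhost_b is a hypothetical second
    account that either shares the directories' group or does not."""
    with tempfile.TemporaryDirectory() as root:
        minute_dir = os.path.join(root, "20130725", "20130725-0502")
        os.makedirs(minute_dir)
        for d in (root, os.path.dirname(minute_dir), minute_dir):
            os.chmod(d, mode)
        st = os.stat(minute_dir)
        other_gids = {st.st_gid} if share_group else {st.st_gid + 1}
        accounts = {"vhost_a": (st.st_uid, {st.st_gid}),
                    "vhost_b": (st.st_uid + 1, other_gids)}
        return [(os.path.relpath(path, root), kind, who)
                for path, kind, who in audit_tree(root, accounts)]

if __name__ == "__main__":
    for mode, shared in ((0o755, True), (0o770, True), (0o777, False)):
        print(oct(mode), shared, simulate(mode, shared))
```

Calling audit_tree on a real SecAuditLogStorageDir with each vhost account's uid and group set produces the same report for a live tree.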