SecUploadFileMode in modsecurity 2.7.x is broken. However it is already fixed for 2.7.2.



On Fri, Dec 14, 2012 at 7:56 AM, Paul Beckett (ITCS) <> wrote:

In my mod-security config, I am setting the file mode as follows:

SecUploadFileMode 0640

This worked fine for me in ModSecurity 2.6.8, giving the expected permission set:

-rw-r----- 1 web_apache_sa clamav 3164 Dec 14 13:47 20121214-134722-UMst6oveeK0AAB22NP0AAADI-file-OhLOox

Today I upgraded to ModSecurity 2.7.1 (built from source), I now get:

-rw------- 1 web_apache_sa clamav 3164 Dec 14 13:31 20121214-133123-UMsqK4veeK0AAAxoz2AAAAAS-file-ICjJbM

Thinking this was probably something Id done wrong (as Im new to mod_security), I rebuilt mod_security 2.6.8 with exactly the same settings as Id built 2.7.1, and this results in the files having the file permissions I expected.

Does anyone know if this is a bug? The only thing I can find in JIRA is MODSEC-247 , where release 2.6.1 appeared to have this issue, but this was fixed. Or is there some specification change Ive missed that I should be doing something differently?

Thanks for taking the time to read this,


LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
mod-security-users mailing list
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: