[mod-security-users] SecChrootDir and uploading files
From: peceka <pe...@gm...> - 2005-06-03 16:39:38
Hi,

does anybody know about problems with uploading files when using SecChrootDir?

<IfModule mod_security.c>
    SecChrootLock modsec_chroot.lock
    SecChrootDir /usr/chroot/apache

    SecFilterEngine DynamicOnly
    SecFilterDefaultAction "deny,log,status:403"

    # Some sane defaults
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckCookieFormat Off
    SecFilterCheckUnicodeEncoding Off

    # Accept almost all byte values
    SecFilterForceByteRange 1 255

    SecUploadDir /tmp
    SecUploadKeepFiles On

    # Only record the interesting stuff
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/audit_log

    # You normally won't need debug logging
    SecFilterDebugLevel 9
    SecFilterDebugLog /var/log/httpd/modsec_debug_log

    # Accept only valid protocol versions, helps
    # fight HTTP fingerprinting.
    SecFilterSelective SERVER_PROTOCOL !^HTTP/(0\.9|1\.0|1\.1)$

    # Require the Host header field to be present.
    SecFilterSelective HTTP_Host ^$

    # Allow supported request methods only.
    SecFilterSelective REQUEST_METHOD !^(GET|HEAD|POST)$

    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Type \
        "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"
</IfModule>

web3d# pwd
/usr/chroot/apache
web3d# ls -al
total 10
drwxr-xr-x  5 root  wheel  512 Jun  2 10:18 .
drwxr-xr-x  3 root  wheel  512 Jun  1 11:29 ..
drwxrwxrwt  2 root  wheel  512 Jun  3 17:26 tmp
drwxr-xr-x  3 root  wheel  512 Jun  2 10:18 usr
drwxr-xr-x  5 root  wheel  512 Jun  3 17:21 var
web3d# ls -lR var
total 6
drwxr-xr-x  3 root  wheel  512 Jun  3 15:46 log
drwxr-xr-x  2 root  wheel  512 Jun  3 17:55 run
drwxrwxrwt  2 root  wheel  512 Jun  3 17:21 tmp

var/log:
total 2
drwxrwxrwt  2 root  wheel  512 Jun  3 15:46 httpd

var/log/httpd:
total 0

var/run:
total 0
-rw-------  1 root  wheel  0 Jun  3 17:55 httpd.lock.1236

var/tmp:
total 0
web3d#

Script which uploads files on server:

web3d# cat temp.php
<form action='temp.php' method="post">
<input type=file name=f >
<br>
<? print_r($HTTP_POST_FILES ); ?>
<br>
<input type=hidden value='hid'>
<input type=submit>
web3d#

and all the time $HTTP_POST_FILES shows me:

Array ( )

TIA,
p.