oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: nginx world-readable logdir

From: gremlin () gremlin ru
Date: Fri, 22 Feb 2013 15:46:15 +0400
On 22-Feb-2013 10:49:38 +0200, Henri Salo wrote:


So I think that ${subject} is just a misconfiguration.



Welp I confirmed it on Fedora 16. So at least some things are
affected.



Some distros are affected.


Alas for them... But the solution is simple.


Good to hear not all are.


%install
# ...
mkdir -pm750 %{buildroot}%{_localstatedir}/log/%{name}
touch   %{buildroot}%{_localstatedir}/log/%{name}/access.log \
        %{buildroot}%{_localstatedir}/log/%{name}/error.log

%post
# ...
touch   %{_localstatedir}/log/%{name}/access.log \
        %{_localstatedir}/log/%{name}/error.log
chown -R root:wheel %{_localstatedir}/log/%{name}
chmod 750 %{_localstatedir}/log/%{name}
chmod 640 %{_localstatedir}/log/%{name}/*
# ...

%files
# ...
%ghost %{_localstatedir}/log/%{name}/access.log
%ghost %{_localstatedir}/log/%{name}/error.log

The use of `touch` is preferred as it doesn't trash the existing logs
on package update, and explicit `chmod` and `chown` ensure that their
permissions are correct (Captain Obvious to the rescue, I know).


This is not just misconfiguration.


This issue isn't related to the nginx itself.
However, I'd agree that nginx could use restrictive mode for its' log
files:

diff -burpN nginx-1.2.7.orig/src/core/ngx_log.c nginx-1.2.7/src/core/ngx_log.c
--- nginx-1.2.7.orig/src/core/ngx_log.c 2012-01-18 19:07:43.000000000 +0400
+++ nginx-1.2.7/src/core/ngx_log.c      2013-02-22 15:42:04.000000000 +0400
@@ -325,7 +325,7 @@ ngx_log_init(u_char *prefix)
 
     ngx_log_file.fd = ngx_open_file(name, NGX_FILE_APPEND,
                                     NGX_FILE_CREATE_OR_OPEN,
-                                    NGX_FILE_DEFAULT_ACCESS);
+                                    NGX_FILE_USR_GRP_ACCESS);
 
     if (ngx_log_file.fd == NGX_INVALID_FILE) {
         ngx_log_stderr(ngx_errno,
diff -burpN nginx-1.2.7.orig/src/os/unix/ngx_files.h nginx-1.2.7/src/os/unix/ngx_files.h
--- nginx-1.2.7.orig/src/os/unix/ngx_files.h    2012-03-27 20:42:34.000000000 +0400
+++ nginx-1.2.7/src/os/unix/ngx_files.h 2013-02-22 15:41:22.000000000 +0400
@@ -98,6 +98,7 @@ typedef struct {
 #endif /* NGX_HAVE_OPENAT */
 
 #define NGX_FILE_DEFAULT_ACCESS  0644
+#define NGX_FILE_USR_GRP_ACCESS  0640
 #define NGX_FILE_OWNER_ACCESS    0600



-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
Previous By Date Next
Previous By Thread Next

Current thread: