The fix works only if I'm installing nginx for the first time or if I delete /var/log/nginx. If I already have /var/log/nginx, the permissions are the same.
@hollow: for /var/tmp/nginx (which has a similar problem) I would propose to move to /var/lib/nginx (and make this the nginx user's homedir) to follow Fedora, openSUSE and Debian/Ubuntu in packaging standards. We can then set the directory permissions in the ebuild. Agree?

@ago: For /var/log/nginx I am still not convinced that it should be done in /etc/init.d/nginx (even with a LOGDIR_PERMS option in /etc/conf.d/nginx to adjust it). But to be able to fix it I thought about using something like this:

    pkg_postinst() {
        # fix for CVE- ...
        if [ ! -e /var/lib/nginx/.logdir-reset-permissions-done ] ; then
            chmod 0700 /var/log/nginx
            ewarn "blablabla..."
            touch /var/lib/nginx/.logdir-reset-permissions-done
        fi
    }

... and remove this code after a year or something like that, once we can be sure that almost everyone who cares has upgraded.

@ago/@hollow: comments?
... even better, use EAPI-4 goodness. Gives the following on a true update: * To fix a security bug (CVE-2013-0337, bug #458726) * permissions on the following directories have been reset to 0700: * /var/log/nginx * /var/lib/nginx/tmp/{,client,proxy,fastcgi,scgi,uwsgi} * Check if this is correct for your setup before restarting nginx! * This is a one-time change and will not happen on subsequent updates. * Furthermore nginx' temp directories got moved to /var/lib/nginx/tmp Objections? (the 'chmod' is --- nginx-1.4.1-r1.ebuild 2013-05-12 16:01:17.000000000 +0200 +++ nginx-1.4.1-r2.ebuild 2013-05-13 11:30:50.000000000 +0200 @@ -90,7 +90,7 @@ HTTP_METRICS_MODULE_URI="https://github.com/madvertise/ngx_metrics/archive/v${HTTP_METRICS_MODULE_PV}.tar.gz" HTTP_METRICS_MODULE_WD="${WORKDIR}/ngx_metrics-${HTTP_METRICS_MODULE_PV}" -inherit eutils ssl-cert toolchain-funcs perl-module flag-o-matic user systemd +inherit eutils ssl-cert toolchain-funcs perl-module flag-o-matic user systemd versionator DESCRIPTION="Robust, small and high performance http and reverse proxy server" HOMEPAGE="http://nginx.org" @@ -178,9 +178,12 @@ nginx_modules_http_lua? ( nginx_modules_http_rewrite )" pkg_setup() { + NGINX_HOME="/var/lib/nginx" + NGINX_HOME_TMP="${NGINX_HOME}/tmp" + ebegin "Creating nginx user and group" enewgroup ${PN} - enewuser ${PN} -1 -1 -1 ${PN} + enewuser ${PN} -1 -1 "${NGINX_HOME}" ${PN} eend $? if use libatomic; then @@ -203,6 +206,8 @@ } src_prepare() { + epatch "${FILESDIR}/${P}-fix-perl-install-path.patch" + if use syslog; then epatch "${SYSLOG_MODULE_WD}"/syslog_${SYSLOG_MODULE_NGINX_PV}.patch fi 
@@ -352,11 +357,11 @@ --with-cc-opt="-I${EROOT}usr/include" \ --with-ld-opt="-L${EROOT}usr/lib" \ --http-log-path="${EPREFIX}"/var/log/${PN}/access_log \ - --http-client-body-temp-path="${EPREFIX}"/var/tmp/${PN}/client \ - --http-proxy-temp-path="${EPREFIX}"/var/tmp/${PN}/proxy \ - --http-fastcgi-temp-path="${EPREFIX}"/var/tmp/${PN}/fastcgi \ - --http-scgi-temp-path="${EPREFIX}"/var/tmp/${PN}/scgi \ - --http-uwsgi-temp-path="${EPREFIX}"/var/tmp/${PN}/uwsgi \ + --http-client-body-temp-path="${EPREFIX}/${NGINX_HOME_TMP}"/client \ + --http-proxy-temp-path="${EPREFIX}/${NGINX_HOME_TMP}"/proxy \ + --http-fastcgi-temp-path="${EPREFIX}/${NGINX_HOME_TMP}"/fastcgi \ + --http-scgi-temp-path="${EPREFIX}/${NGINX_HOME_TMP}"/scgi \ + --http-uwsgi-temp-path="${EPREFIX}/${NGINX_HOME_TMP}"/uwsgi \ ${myconf} || die "configure failed" } @@ -371,9 +376,8 @@ cp "${FILESDIR}"/nginx.conf "${ED}"/etc/nginx/nginx.conf || die - newinitd "${FILESDIR}"/nginx.initd-r1 nginx + newinitd "${FILESDIR}"/nginx.initd-r2 nginx - systemd_newtmpfilesd "${FILESDIR}"/nginx.tmpfiles-r1 nginx.conf systemd_dounit "${FILESDIR}"/nginx.service doman man/nginx.8 @@ -383,6 +387,10 @@ keepdir /var/www/localhost rm -rf "${D}"/usr/html || die + keepdir /var/log/nginx "${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi} + fperms 0700 /var/log/nginx "${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi} + fowners ${PN}:${PN} /var/log/nginx "${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi} + # logrotate insinto /etc/logrotate.d newins "${FILESDIR}"/nginx.logrotate nginx 
@@ -451,4 +459,24 @@ ewarn "Lua 3rd party module author warns against using ${P} with" ewarn "NGINX_MODULES_HTTP=\"lua spdy\". For more info, see http://git.io/OldLsg" fi + + # This is the proper fix for bug #458726/#469094, resp. CVE-2013-0337 for + # existing installations + local fix_perms=0 + + for rv in ${REPLACING_VERSIONS} ; do + version_compare ${rv} 1.4.1-r2 + [[ $? -eq 1 ]] && fix_perms=1 + done + + if [[ $fix_perms -eq 1 ]] ; then + ewarn "To fix a security bug (CVE-2013-0337, bug #458726) had the following" + ewarn "directories the world-readable bit removed (if set):" + ewarn " ${EPREFIX}/var/log/nginx" + ewarn " ${EPREFIX}${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi}" + ewarn "Check if this is correct for your setup before restarting nginx!" + ewarn "This is a one-time change and will not happen on subsequent updates." + ewarn "Furthermore nginx' temp directories got moved to ${NGINX_HOME_TMP}" + chmod o-rwx "${EPREFIX}"/var/log/nginx "${EPREFIX}/${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi} + fi }
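Review bot: In the src_configure hunk (@@ -352) the new temp paths are built as "${EPREFIX}/${NGINX_HOME_TMP}"/client, but NGINX_HOME_TMP is already absolute ("${NGINX_HOME}/tmp" from pkg_setup), so with an empty EPREFIX nginx is compiled with "//var/lib/nginx/tmp/client" (the double slash shows up in the mkdir() error quoted further down). The log path on the adjacent line uses "${EPREFIX}"/var/log/${PN}/... without the extra slash, and the ewarn text in the pkg_postinst hunk writes ${EPREFIX}${NGINX_HOME_TMP}; use that form for the five --http-*-temp-path options and for the chmod in pkg_postinst as well.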
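Review bot: The src_prepare hunk (@@ -203) adds "${P}-fix-perl-install-path.patch", which has nothing to do with the permission fix and is not mentioned anywhere in this discussion; either split it into its own revision or say in the commit what it fixes, so the security change stays reviewable on its own.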
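Review bot: The src_install hunk (@@ -371) switches to nginx.initd-r2 and drops the systemd tmpfiles entry, but the new init script is not part of this diff. With the tmpfiles fragment gone, nothing recreates /var/log/nginx once it has been removed, and the comment below shows nginx failing to start in exactly that case; the init script should verify (and, if the policy allows, create) the log directory before start-stop-daemon is invoked, and the -r2 file should be attached so that check can be reviewed.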
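Review bot: The fperms 0700 plus fowners ${PN}:${PN} lines in the src_install hunk (@@ -383) lock root out of the temp directories: the nginx master runs as root and creates the *_temp_path subdirectories itself, and on SELinux that requires dac_read_search, which the avc message quoted below shows being denied, so mkdir() fails and the config test aborts. A mode of 0710 with ${PN}:root (as proposed below) keeps "other" out while letting root traverse the tree. Note also that fperms only affects the image; directories that already exist on the live system keep their old mode, which is why the pkg_postinst chmod is still needed for upgrades.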
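Review bot: In the pkg_postinst hunk (@@ -451) the message does not match the action: the ewarn says the directories "had the world-readable bit removed" (and the sample output above says "reset to 0700"), while the command is chmod o-rwx, which strips all three "other" bits and leaves the group bits as they were. Make the text say what is done, e.g. "access for 'other' has been removed (chmod o-rwx)", and fix the word order of the first line ("To fix a security bug (...), the following directories had ... removed (if set):"). The chmod itself runs without any result check; a failure there (wrong path, see the double-slash issue) would pass silently even though the ewarn has already told the admin the fix was applied, so add "|| ewarn ..." or "|| die" after it.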
This is not fine: if the logdir is accidentally removed, it fails to start:

    amd64box ~ # /etc/init.d/nginx restart
     * Starting nginx ...
    nginx: [alert] could not open error log file: open() "/var/log/nginx/error_log" failed (2: No such file or directory)
    2013/05/13 20:54:33 [emerg] 2248#0: open() "/var/log/nginx/error_log" failed (2: No such file or directory)
     * start-stop-daemon: failed to start `/usr/sbin/nginx'
     * Failed to start nginx                                                  [ !! ]

The init script must check the existence of the logdir. On IRC we said to control the permission of the logdir via conf.d/nginx; the default is 750, and whoever does not like it needs to change it _one_ time.
This is irrelevant. AFAIK according to FHS one can assume content in /var/log/ to be persistent.
The following lines break nginx on SELinux systems, as root is not able to read/write the different folders:

    keepdir /var/log/nginx "${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi}
    fperms 0700 /var/log/nginx "${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi}
    fowners ${PN}:${PN} /var/log/nginx "${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi}

Starting the daemon fails with:

     * Checking nginx' configuration ...
    nginx: [emerg] mkdir() "//var/lib/nginx/tmp/client" failed (13: Permission denied)
    nginx: configuration file /etc/nginx/nginx.conf test failed
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: [emerg] mkdir() "//var/lib/nginx/tmp/client" failed (13: Permission denied)
    nginx: configuration file /etc/nginx/nginx.conf test failed
     * failed, please correct errors above                                    [ !! ]

The avc log stops on an "avc: denied { dac_read_search } for pid=3082 comm="nginx" capability=2 scontext=system_u:system_r:nginx_t tcontext=system_u:system_r:nginx_t tclass=capability".

Changing the permissions to nginx:root 0710 on the /var/lib/nginx/tmp/ folders seems to be sufficient to fix the issue.
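The start-time directory check asked for earlier in the thread, written as an added example; it is not the ebuild's code nor anything posted by the participants. Paths and the service user are parameters so it can run in a scratch tree; the modes follow the proposals above (0750 for the log dir, 0710 user:root for the temp dirs), and the nginx user is assumed to exist when it runs as root.

```shell
#!/bin/sh
# Added example (not from the ebuild or this thread): verify nginx's log and
# temp directories before starting the daemon. Real call would be:
#   check_nginx_dirs /var/log/nginx /var/lib/nginx/tmp nginx

# ensure_dir DIR MODE [OWNER:GROUP]
# Creates DIR if missing, refuses a symlink standing in for it, enforces MODE
# exactly, and applies OWNER:GROUP only when running as root.
ensure_dir() {
    dir=$1; mode=$2; owner=${3:-}
    if [ -L "$dir" ]; then
        echo "refusing to use symlink $dir as a directory" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" || return 1   # parents get the umask; leaf fixed below
    fi
    chmod "$mode" "$dir" || return 1
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dir" || return 1
    fi
    return 0
}

# has_mode DIR MODE: true if DIR's permission bits are exactly MODE (octal).
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# check_nginx_dirs LOGDIR TMPDIR [USER]
# Log dir 0750 USER:USER (the conf.d default discussed above); temp dirs
# 0710 USER:root so root can still traverse them (the SELinux case above)
# while "other" gets no access at all.
check_nginx_dirs() {
    logdir=$1; tmpdir=$2; user=${3:-}
    ensure_dir "$logdir" 0750 "${user:+$user:$user}" || return 1
    for sub in "" client proxy fastcgi scgi uwsgi; do
        ensure_dir "$tmpdir${sub:+/$sub}" 0710 "${user:+$user:root}" || return 1
    done
    return 0
}
```

The check is idempotent, so an init script can run it on every start without changing directories that are already correct.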