Bug 469094

Summary: www-servers/nginx-1.4.1-r1 : the fix for the world readable logdir works partially
Product: Gentoo Linux
Reporter: Agostino Sarubbo <ago>
Component: [OLD] Server
Assignee: Tiziano Müller (RETIRED) <dev-zero>
Status: RESOLVED FIXED
Severity: normal
CC: gentoo, hollow
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-05-08 18:16:38 UTC
The fix works only if I'm installing nginx for the first time or if I delete /var/log/nginx.

If I already have /var/log/nginx, the permissions are the same.
Comment 1 Tiziano Müller (RETIRED) gentoo-dev 2013-05-13 05:06:23 UTC
@hollow: for /var/tmp/nginx (which has a similar problem) I would propose to move to /var/lib/nginx (and make this the nginx user's homedir) to follow Fedora, openSUSE and Debian/Ubuntu in packaging standards. We can then set the directory permissions in the ebuild. Agree?

@ago: For /var/log/nginx I am still not convinced that it should be done in /etc/init.d/nginx (even with a LOGDIR_PERMS option in /etc/conf.d/nginx to adjust it). But to be able to fix it I thought about using something like this:

pkg_postinst() {
    # fix for CVE- ...
    # one-time reset: the marker file records that the permissions were already
    # tightened on this box, so later updates leave the admin's own choice alone
    if [ ! -e /var/lib/nginx/.logdir-reset-permissions-done ] ; then
        chmod 0700 /var/log/nginx
        ewarn "blablabla..."
        touch /var/lib/nginx/.logdir-reset-permissions-done
    fi
}

... and remove this code after a year or something like that once we can be sure that almost everyone who cares has upgraded.

@ago/@hollow: comments?
Comment 2 Tiziano Müller (RETIRED) gentoo-dev 2013-05-13 09:31:49 UTC
... even better, use EAPI-4 goodness.

Gives the following on a true update:

 * To fix a security bug (CVE-2013-0337, bug #458726)
 * permissions on the following directories have been reset to 0700:
 *   /var/log/nginx
 *   /var/lib/nginx/tmp/{,client,proxy,fastcgi,scgi,uwsgi}
 * Check if this is correct for your setup before restarting nginx!
 * This is a one-time change and will not happen on subsequent updates.
 * Furthermore nginx' temp directories got moved to /var/lib/nginx/tmp

Objections? (the 'chmod' is 

--- nginx-1.4.1-r1.ebuild	2013-05-12 16:01:17.000000000 +0200
+++ nginx-1.4.1-r2.ebuild	2013-05-13 11:30:50.000000000 +0200
@@ -90,7 +90,7 @@
 HTTP_METRICS_MODULE_URI="https://github.com/madvertise/ngx_metrics/archive/v${HTTP_METRICS_MODULE_PV}.tar.gz"
 HTTP_METRICS_MODULE_WD="${WORKDIR}/ngx_metrics-${HTTP_METRICS_MODULE_PV}"
 
-inherit eutils ssl-cert toolchain-funcs perl-module flag-o-matic user systemd
+inherit eutils ssl-cert toolchain-funcs perl-module flag-o-matic user systemd versionator
 
 DESCRIPTION="Robust, small and high performance http and reverse proxy server"
 HOMEPAGE="http://nginx.org"
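Review bot: the new versionator inherit exists only for the version_compare call in pkg_postinst at the end of this diff; a short comment next to that call (or next to the inherit) saying so would stop the next maintainer from dropping the eclass as unused when the one-time fix is removed later, as Comment 1 plans.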
@@ -178,9 +178,12 @@
 	nginx_modules_http_lua? ( nginx_modules_http_rewrite )"
 
 pkg_setup() {
+	NGINX_HOME="/var/lib/nginx"
+	NGINX_HOME_TMP="${NGINX_HOME}/tmp"
+
 	ebegin "Creating nginx user and group"
 	enewgroup ${PN}
-	enewuser ${PN} -1 -1 -1 ${PN}
+	enewuser ${PN} -1 -1 "${NGINX_HOME}" ${PN}
 	eend $?
 
 	if use libatomic; then
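Review bot: enewuser does not touch an account that already exists, so on the existing installations this bug is about the nginx user keeps its old home directory and only fresh installs get "${NGINX_HOME}"; if the home matters (the temp directories now live under it), pkg_postinst needs an explicit migration step or the ewarn text should say the home was not changed. Also, NGINX_HOME and NGINX_HOME_TMP are assigned inside pkg_setup but consumed by src_configure, src_install and pkg_postinst; defining them at global scope next to the other path variables makes that dependency visible instead of relying on the saved phase environment.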
@@ -203,6 +206,8 @@
 }
 
 src_prepare() {
+	epatch "${FILESDIR}/${P}-fix-perl-install-path.patch"
+
 	if use syslog; then
 		epatch "${SYSLOG_MODULE_WD}"/syslog_${SYSLOG_MODULE_NGINX_PV}.patch
 	fi
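Review bot: the perl install-path epatch is unrelated to the permissions fix this revision is for, and the patch file itself is not part of the diff, so it cannot be reviewed here; splitting it into its own revision bump, or at least calling it out in the ChangeLog entry, keeps the security-relevant change reviewable on its own.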
@@ -352,11 +357,11 @@
 		--with-cc-opt="-I${EROOT}usr/include" \
 		--with-ld-opt="-L${EROOT}usr/lib" \
 		--http-log-path="${EPREFIX}"/var/log/${PN}/access_log \
-		--http-client-body-temp-path="${EPREFIX}"/var/tmp/${PN}/client \
-		--http-proxy-temp-path="${EPREFIX}"/var/tmp/${PN}/proxy \
-		--http-fastcgi-temp-path="${EPREFIX}"/var/tmp/${PN}/fastcgi \
-		--http-scgi-temp-path="${EPREFIX}"/var/tmp/${PN}/scgi \
-		--http-uwsgi-temp-path="${EPREFIX}"/var/tmp/${PN}/uwsgi \
+		--http-client-body-temp-path="${EPREFIX}/${NGINX_HOME_TMP}"/client \
+		--http-proxy-temp-path="${EPREFIX}/${NGINX_HOME_TMP}"/proxy \
+		--http-fastcgi-temp-path="${EPREFIX}/${NGINX_HOME_TMP}"/fastcgi \
+		--http-scgi-temp-path="${EPREFIX}/${NGINX_HOME_TMP}"/scgi \
+		--http-uwsgi-temp-path="${EPREFIX}/${NGINX_HOME_TMP}"/uwsgi \
 		${myconf} || die "configure failed"
 }
 
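Review bot: "${EPREFIX}/${NGINX_HOME_TMP}" puts a slash between EPREFIX and a value that already starts with "/", so the compiled-in temp paths become //var/lib/nginx/tmp/client and friends (the doubled slash shows up verbatim in the mkdir() error later in this bug). The removed lines used "${EPREFIX}"/var/tmp/${PN}/client; the equivalent here is "${EPREFIX}${NGINX_HOME_TMP}"/client. Path resolution is unaffected, but every log line and nginx -V output carries a path that looks like a bug and is awkward to grep for.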
@@ -371,9 +376,8 @@
 
 	cp "${FILESDIR}"/nginx.conf "${ED}"/etc/nginx/nginx.conf || die
 
-	newinitd "${FILESDIR}"/nginx.initd-r1 nginx
+	newinitd "${FILESDIR}"/nginx.initd-r2 nginx
 
-	systemd_newtmpfilesd "${FILESDIR}"/nginx.tmpfiles-r1 nginx.conf
 	systemd_dounit "${FILESDIR}"/nginx.service
 
 	doman man/nginx.8
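Review bot: removing systemd_newtmpfilesd means systemd hosts no longer get any runtime temp directory created at boot; that is only fine because the new directories sit under /var/lib and are shipped via keepdir, so that reasoning deserves a comment here. The new nginx.initd-r2 is not in this diff either; given that this revision targets existing installations, the reviewer needs to see whether the init script creates or at least checks /var/log/nginx before start, otherwise a removed log directory turns into a failed start with no hint.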
@@ -383,6 +387,10 @@
 	keepdir /var/www/localhost
 	rm -rf "${D}"/usr/html || die
 
+	keepdir /var/log/nginx "${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi}
+	fperms 0700 /var/log/nginx "${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi}
+	fowners ${PN}:${PN} /var/log/nginx "${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi}
+	
 	# logrotate
 	insinto /etc/logrotate.d
 	newins "${FILESDIR}"/nginx.logrotate nginx
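Review bot: fperms 0700 together with fowners ${PN}:${PN} leaves root with no DAC bits at all on these directories. The nginx master runs as root and enters them only via CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH, which a MAC policy such as SELinux can deny for nginx_t; the later mkdir() "Permission denied" and the dac_read_search AVC in this bug are exactly that. 0710 with group root, or 0750, keeps the world bits off while letting root traverse without any capability. Minor: the added blank line before the "# logrotate" comment carries trailing whitespace.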
@@ -451,4 +459,24 @@
 		ewarn "Lua 3rd party module author warns against using ${P} with"
 		ewarn "NGINX_MODULES_HTTP=\"lua spdy\". For more info, see http://git.io/OldLsg"
 	fi
+
+	# This is the proper fix for bug #458726/#469094, resp. CVE-2013-0337 for
+	# existing installations
+	local fix_perms=0
+
+	for rv in ${REPLACING_VERSIONS} ; do
+		version_compare ${rv} 1.4.1-r2
+		[[ $? -eq 1 ]] && fix_perms=1
+	done
+
+	if [[ $fix_perms -eq 1 ]] ; then
+		ewarn "To fix a security bug (CVE-2013-0337, bug #458726) had the following"
+		ewarn "directories the world-readable bit removed (if set):"
+		ewarn "  ${EPREFIX}/var/log/nginx"
+		ewarn "  ${EPREFIX}${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi}"
+		ewarn "Check if this is correct for your setup before restarting nginx!"
+		ewarn "This is a one-time change and will not happen on subsequent updates."
+		ewarn "Furthermore nginx' temp directories got moved to ${NGINX_HOME_TMP}"
+		chmod o-rwx "${EPREFIX}"/var/log/nginx "${EPREFIX}/${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi}
+	fi
 }
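Review bot: the message and the action disagree. The ewarn says the world-readable bit was removed, chmod o-rwx strips all "other" bits, and the summary quoted above the diff says the directories were "reset to 0700"; settle on one wording and make the text match what the command does. The chmod also only touches the directories listed (no -R), so files already inside /var/log/nginx keep whatever mode they were created with; if hiding existing logs is part of the fix, handle the files as well or say explicitly that they are left alone. Its exit status is ignored, too; pkg_postinst should not die, but an eerror on failure would tell the admin the one-time fix did not apply. version_compare returning 1 means ${rv} is older than 1.4.1-r2, so fix_perms is set for every upgrade from an earlier revision, which is the intended behaviour; a one-line comment on the return-code convention (1 older, 2 equal, 3 newer) saves the reader a trip to versionator.eclass. Finally, "${EPREFIX}/${NGINX_HOME_TMP}" has the same doubled slash as the src_configure hunk.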
Comment 3 Agostino Sarubbo gentoo-dev 2013-05-13 18:56:20 UTC
This is not fine, if the logdir is accidentally removed it fails to start:

amd64box ~ # /etc/init.d/nginx restart
 * Starting nginx ...
nginx: [alert] could not open error log file: open() "/var/log/nginx/error_log" failed (2: No such file or directory)
2013/05/13 20:54:33 [emerg] 2248#0: open() "/var/log/nginx/error_log" failed (2: No such file or directory)
 * start-stop-daemon: failed to start `/usr/sbin/nginx'
 * Failed to start nginx                                                                                                                                                      [ !! ]


The init script must check the existence of the logdir. On IRC we said to control the permissions of the logdir via conf.d/nginx; the default is 750, and whoever does not like it needs to change it _one_ time.
Comment 4 Tiziano Müller (RETIRED) gentoo-dev 2013-05-13 19:14:36 UTC
This is irrelevant. AFAIK according to FHS one can assume content in /var/log/ to be persistent.
Comment 5 Vincent Brillault 2013-05-14 22:52:51 UTC
The following lines break nginx on SELinux systems, as root is not able to read/write the different folders:

        keepdir /var/log/nginx "${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi}
        fperms 0700 /var/log/nginx "${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi}
        fowners ${PN}:${PN} /var/log/nginx "${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi}

Starting the daemon fails with:
 * Checking nginx' configuration ...
nginx: [emerg] mkdir() "//var/lib/nginx/tmp/client" failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] mkdir() "//var/lib/nginx/tmp/client" failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed
 * failed, please correct errors above                             [ !! ]

The avc log stops on a "avc:  denied  { dac_read_search } for  pid=3082 comm="nginx" capability=2 scontext=system_u:system_r:nginx_t tcontext=system_u:system_r:nginx_t tclass=capability"

Changing the permissions to nginx:root 0710 on /var/lib/nginx/tmp/ folders seems to be sufficient to fix the issue.
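Added example, not code from the Gentoo ebuild or its init script: a small POSIX sh helper of the kind Comment 3 asks the init script to carry (create the log directory if it is missing, apply a mode that conf.d/nginx can override, default 750) plus a check that reports whether a directory is still world-readable, which is the condition this bug and CVE-2013-0337 are about. The mode argument also covers the 0710 variant from Comment 5. The variable names LOGDIR, LOGDIR_PERMS and LOGDIR_OWNER and the function names ensure_logdir, mode_of and world_readable are assumptions of this example; chown is only attempted when an owner is passed, because it needs root and the mode fix alone is testable as an ordinary user.

```shell
# Added example (not the ebuild's or init script's own code).
# Assumed conf.d-style variables: LOGDIR, LOGDIR_PERMS, LOGDIR_OWNER.

# ensure_logdir DIR [MODE] [OWNER]
# Creates DIR when it is missing, so a removed /var/log/nginx no longer makes
# the daemon fail on its first open() of error_log, then applies MODE
# (default 750, as proposed in this bug). OWNER is "user:group" and is only
# applied when given, since chown needs root.
ensure_logdir() {
    _dir=$1
    _mode=${2:-750}
    _owner=$3
    if [ ! -d "$_dir" ]; then
        mkdir -p "$_dir" || return 1
    fi
    chmod "$_mode" "$_dir" || return 1
    if [ -n "$_owner" ]; then
        chown "$_owner" "$_dir" || return 1
    fi
    return 0
}

# mode_of PATH: print the octal permission bits; GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# world_readable PATH: succeed when "others" have the read bit set.
# Only the last octal digit matters: 4, 5, 6 and 7 all contain the r bit.
world_readable() {
    case "$(mode_of "$1")" in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Intended use from a start_pre step, with the thread's defaults (left commented
# so the file can be sourced as a non-root user):
# LOGDIR=${LOGDIR:-/var/log/nginx}
# ensure_logdir "$LOGDIR" "${LOGDIR_PERMS:-750}" "${LOGDIR_OWNER:-nginx:nginx}" \
#     || { echo "cannot prepare $LOGDIR" >&2; exit 1; }
# world_readable "$LOGDIR" && echo "warning: $LOGDIR is still world-readable" >&2
```

The mode is applied on every start, not only when the directory is created, which is what makes the conf.d value the single place an admin has to change: whatever a previous package version or a manual chmod left behind, the daemon starts with the configured permissions.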