Attachment #359510 for bug #473036

View | Details | Raw Unified | Return to bug 473036
Collapse All | Expand All




	nginx_modules_http_dav_ext? ( dev-libs/expat )"
RDEPEND="${CDEPEND}"
DEPEND="${CDEPEND}
	sys-apps/coreutils
	arm? ( dev-libs/libatomic_ops )
	libatomic? ( dev-libs/libatomic_ops )"
PDEPEND="vim-syntax? ( app-vim/nginx-syntax )"

		ewarn "NGINX_MODULES_HTTP=\"lua spdy\". For more info, see http://git.io/OldLsg"
	fi

	# www-servers/nginx-1.4.1-r2 changed permission/ownership due to
	# CVE-2013-0337. See bug #458726, #469094 and #473036.
	# 
	# We need to make sure that previous installations aren't affected:
	local has_default_permissions=1

	local t_permission=
	local t_owner=
	local t_dir="${EPREFIX}/var/log/nginx"
	if [ -d ${t_cdir} ]; then
		t_permission=$(stat --format='%a' "${t_dir}")
		     t_owner=$(stat --format='%U:%G' "${t_dir}")
		
		[ ${t_permission} != '700' ] && has_default_permissions=0
		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
	fi

	t_permission=
	t_owner=
	t_dir="${EPREFIX}${NGINX_HOME_TMP}"
	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
		t_permission=$(stat --format='%a' "${t_dir}")
		     t_owner=$(stat --format='%U:%g' "${t_dir}")
		
		[ ${t_permission} != '750' ] && has_default_permissions=0
		[ ${t_owner} != "${PN}:0" ] && has_default_permissions=0
	fi

	t_permission=
	t_owner=
	t_dir="${EPREFIX}${NGINX_HOME_TMP}/client"
	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
		t_permission=$(stat --format='%a' "${t_dir}")
		     t_owner=$(stat --format='%U:%G' "${t_dir}")
		
		[ ${t_permission} != '700' ] && has_default_permissions=0
		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
	fi

	t_permission=
	t_owner=
	t_dir="${EPREFIX}${NGINX_HOME_TMP}/proxy"
	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
		t_permission=$(stat --format='%a' "${t_dir}")
		     t_owner=$(stat --format='%U:%G' "${t_dir}")
		
		[ ${t_permission} != '700' ] && has_default_permissions=0
		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
	fi

	t_permission=
	t_owner=
	t_dir="${EPREFIX}${NGINX_HOME_TMP}/fastcgi"
	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
		t_permission=$(stat --format='%a' "${t_dir}")
		     t_owner=$(stat --format='%U:%G' "${t_dir}")
		
		[ ${t_permission} != '700' ] && has_default_permissions=0
		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
	fi

	t_permission=
	t_owner=
	t_dir="${EPREFIX}${NGINX_HOME_TMP}/scgi"
	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
		t_permission=$(stat --format='%a' "${t_dir}")
		     t_owner=$(stat --format='%U:%G' "${t_dir}")
		
		[ ${t_permission} != '700' ] && has_default_permissions=0
		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
	fi

	t_permission=
	t_owner=
	t_dir="${EPREFIX}${NGINX_HOME_TMP}/uwsgi"
	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
		t_permission=$(stat --format='%a' "${t_dir}")
		     t_owner=$(stat --format='%U:%G' "${t_dir}")
		
		[ ${t_permission} != '700' ] && has_default_permissions=0
		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
	fi

	if [ ${has_default_permissions} -ne 1 ]; then
		# User's nginx permissions differs from default permissions.
		ewarn ""
		ewarn "Your nginx permissions differ from the default permissions/ownership"
		ewarn "this ebuild would set for a fresh installation."
		ewarn ""
		ewarn "If you know what you are doing, e.g. you are running a custom setup"
		ewarn "with custom permissions, you can ignore this warning."
		ewarn ""
		ewarn "If you DO NOT run a custom setup this may indicate that your setup"
		ewarn "is still vulnerable to CVE-2013-0337 or the previous fix did not fixed"
		ewarn "all permissions. Please read:"
		ewarn ""
		ewarn "  - https://bugs.gentoo.org/458726"
		ewarn "  - https://bugs.gentoo.org/473036"
		ewarn ""
		ewarn "Current nginx default permissions are:"
		ewarn "  rwx------ (700) ${PN}:${PN} ${EPREFIX}/var/log/nginx"
		ewarn "  rwxr-x--- (750) ${PN}:0     ${EPREFIX}${NGINX_HOME_TMP}"
		ewarn "  rwx------ (700) ${PN}:0     ${EPREFIX}${NGINX_HOME_TMP}/{client,proxy,fastcgi,scgi,uwsgi}"
		ewarn ""
		ewarn "Again: If you know what you are doing please ignore this warning."
		ewarn "Everybody else should adjust permissions/ownership using chmod/chown"
		ewarn "like stated above."
	fi
}

Return to bug 473036

Lines 194-199 Link Here

(-)nginx-1.4.1-r5.ebuild.old (-18 / +108 lines)
194	nginx_modules_http_dav_ext? ( dev-libs/expat )"	194	nginx_modules_http_dav_ext? ( dev-libs/expat )"
195	RDEPEND="${CDEPEND}"	195	RDEPEND="${CDEPEND}"
196	DEPEND="${CDEPEND}	196	DEPEND="${CDEPEND}
		197	sys-apps/coreutils
197	arm? ( dev-libs/libatomic_ops )	198	arm? ( dev-libs/libatomic_ops )
198	libatomic? ( dev-libs/libatomic_ops )"	199	libatomic? ( dev-libs/libatomic_ops )"
199	PDEPEND="vim-syntax? ( app-vim/nginx-syntax )"	200	PDEPEND="vim-syntax? ( app-vim/nginx-syntax )"
Lines 527-549 Link Here
527	ewarn "NGINX_MODULES_HTTP=\"lua spdy\". For more info, see http://git.io/OldLsg"	528	ewarn "NGINX_MODULES_HTTP=\"lua spdy\". For more info, see http://git.io/OldLsg"
528	fi	529	fi
529		530
530	# This is the proper fix for bug #458726/#469094, resp. CVE-2013-0337 for	531	# www-servers/nginx-1.4.1-r2 changed permission/ownership due to
531	# existing installations	532	# CVE-2013-0337. See bug #458726, #469094 and #473036.
532	local fix_perms=0	533	#
533		534	# We need to make sure that previous installations aren't affected:
534	for rv in ${REPLACING_VERSIONS} ; do	535	local has_default_permissions=1
535	version_compare ${rv} 1.4.1-r2	536
536	[[ $? -eq 1 ]] && fix_perms=1	537	local t_permission=
537	done	538	local t_owner=
538		539	local t_dir="${EPREFIX}/var/log/nginx"
539	if [[ $fix_perms -eq 1 ]] ; then	540	if [ -d ${t_cdir} ]; then
540	ewarn "To fix a security bug (CVE-2013-0337, bug #458726) had the following"	541	t_permission=$(stat --format='%a' "${t_dir}")
541	ewarn "directories the world-readable bit removed (if set):"	542	t_owner=$(stat --format='%U:%G' "${t_dir}")
542	ewarn " ${EPREFIX}/var/log/nginx"	543
543	ewarn " ${EPREFIX}${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi}"	544	[ ${t_permission} != '700' ] && has_default_permissions=0
544	ewarn "Check if this is correct for your setup before restarting nginx!"	545	[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
545	ewarn "This is a one-time change and will not happen on subsequent updates."	546	fi
546	ewarn "Furthermore nginx' temp directories got moved to ${NGINX_HOME_TMP}"	547
547	chmod o-rwx "${EPREFIX}"/var/log/nginx "${EPREFIX}/${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi}	548	t_permission=
		549	t_owner=
		550	t_dir="${EPREFIX}${NGINX_HOME_TMP}"
		551	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
		552	t_permission=$(stat --format='%a' "${t_dir}")
		553	t_owner=$(stat --format='%U:%g' "${t_dir}")
		554
		555	[ ${t_permission} != '750' ] && has_default_permissions=0
		556	[ ${t_owner} != "${PN}:0" ] && has_default_permissions=0
		557	fi
		558
		559	t_permission=
		560	t_owner=
		561	t_dir="${EPREFIX}${NGINX_HOME_TMP}/client"
		562	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
		563	t_permission=$(stat --format='%a' "${t_dir}")
		564	t_owner=$(stat --format='%U:%G' "${t_dir}")
		565
		566	[ ${t_permission} != '700' ] && has_default_permissions=0
		567	[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
		568	fi
		569
		570	t_permission=
		571	t_owner=
		572	t_dir="${EPREFIX}${NGINX_HOME_TMP}/proxy"
		573	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
		574	t_permission=$(stat --format='%a' "${t_dir}")
		575	t_owner=$(stat --format='%U:%G' "${t_dir}")
		576
		577	[ ${t_permission} != '700' ] && has_default_permissions=0
		578	[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
		579	fi
		580
		581	t_permission=
		582	t_owner=
		583	t_dir="${EPREFIX}${NGINX_HOME_TMP}/fastcgi"
		584	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
		585	t_permission=$(stat --format='%a' "${t_dir}")
		586	t_owner=$(stat --format='%U:%G' "${t_dir}")
		587
		588	[ ${t_permission} != '700' ] && has_default_permissions=0
		589	[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
		590	fi
		591
		592	t_permission=
		593	t_owner=
		594	t_dir="${EPREFIX}${NGINX_HOME_TMP}/scgi"
		595	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
		596	t_permission=$(stat --format='%a' "${t_dir}")
		597	t_owner=$(stat --format='%U:%G' "${t_dir}")
		598
		599	[ ${t_permission} != '700' ] && has_default_permissions=0
		600	[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
		601	fi
		602
		603	t_permission=
		604	t_owner=
		605	t_dir="${EPREFIX}${NGINX_HOME_TMP}/uwsgi"
		606	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
		607	t_permission=$(stat --format='%a' "${t_dir}")
		608	t_owner=$(stat --format='%U:%G' "${t_dir}")
		609
		610	[ ${t_permission} != '700' ] && has_default_permissions=0
		611	[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
		612	fi
613
614	if [ ${has_default_permissions} -ne 1 ]; then
615	# User's nginx permissions differs from default permissions.
616	ewarn ""
617	ewarn "Your nginx permissions differ from the default permissions/ownership"
618	ewarn "this ebuild would set for a fresh installation."
619	ewarn ""
620	ewarn "If you know what you are doing, e.g. you are running a custom setup"
621	ewarn "with custom permissions, you can ignore this warning."
622	ewarn ""
623	ewarn "If you DO NOT run a custom setup this may indicate that your setup"
624	ewarn "is still vulnerable to CVE-2013-0337 or the previous fix did not fixed"
625	ewarn "all permissions. Please read:"
626	ewarn ""
627	ewarn " - https://bugs.gentoo.org/458726"
628	ewarn " - https://bugs.gentoo.org/473036"
629	ewarn ""
630	ewarn "Current nginx default permissions are:"
631	ewarn " rwx------ (700) ${PN}:${PN} ${EPREFIX}/var/log/nginx"
632	ewarn " rwxr-x--- (750) ${PN}:0 ${EPREFIX}${NGINX_HOME_TMP}"
633	ewarn " rwx------ (700) ${PN}:0 ${EPREFIX}${NGINX_HOME_TMP}/{client,proxy,fastcgi,scgi,uwsgi}"
634	ewarn ""
635	ewarn "Again: If you know what you are doing please ignore this warning."
636	ewarn "Everybody else should adjust permissions/ownership using chmod/chown"
637	ewarn "like stated above."
548	fi	638	fi
549	}	639	}