Lines 194-199
194 |
nginx_modules_http_dav_ext? ( dev-libs/expat )" |
194 |
nginx_modules_http_dav_ext? ( dev-libs/expat )" |
195 |
RDEPEND="${CDEPEND}" |
195 |
RDEPEND="${CDEPEND}" |
196 |
DEPEND="${CDEPEND} |
196 |
DEPEND="${CDEPEND} |
|
|
197 |
sys-apps/coreutils |
197 |
arm? ( dev-libs/libatomic_ops ) |
198 |
arm? ( dev-libs/libatomic_ops ) |
198 |
libatomic? ( dev-libs/libatomic_ops )" |
199 |
libatomic? ( dev-libs/libatomic_ops )" |
199 |
PDEPEND="vim-syntax? ( app-vim/nginx-syntax )" |
200 |
PDEPEND="vim-syntax? ( app-vim/nginx-syntax )" |
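Review bot: `sys-apps/coreutils` is listed under DEPEND (new line 197 by the gutter; the rendering does not carry +/- markers, so treat the side as inferred), but the only new use of it in this diff is `stat --format` inside the post-install hook in the second hunk, which runs on the target host, so RDEPEND rather than DEPEND is the variable that matches that usage. Since coreutils is part of the system set, the dependency is conventionally omitted altogether; if it is kept, `RDEPEND="${CDEPEND} sys-apps/coreutils"` is the consistent placement. `stat --format` is GNU syntax, which matters for the EPREFIX-aware code paths this ebuild carries.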
Lines 527-549
527 |
ewarn "NGINX_MODULES_HTTP=\"lua spdy\". For more info, see http://git.io/OldLsg" |
528 |
ewarn "NGINX_MODULES_HTTP=\"lua spdy\". For more info, see http://git.io/OldLsg" |
528 |
fi |
529 |
fi |
529 |
|
530 |
|
530 |
# This is the proper fix for bug #458726/#469094, resp. CVE-2013-0337 for |
531 |
# www-servers/nginx-1.4.1-r2 changed permission/ownership due to |
531 |
# existing installations |
532 |
# CVE-2013-0337. See bug #458726, #469094 and #473036. |
532 |
local fix_perms=0 |
533 |
# |
533 |
|
534 |
# We need to make sure that previous installations aren't affected: |
534 |
for rv in ${REPLACING_VERSIONS} ; do |
535 |
local has_default_permissions=1 |
535 |
version_compare ${rv} 1.4.1-r2 |
536 |
|
536 |
[[ $? -eq 1 ]] && fix_perms=1 |
537 |
local t_permission= |
537 |
done |
538 |
local t_owner= |
538 |
|
539 |
local t_dir="${EPREFIX}/var/log/nginx" |
539 |
if [[ $fix_perms -eq 1 ]] ; then |
540 |
if [ -d ${t_cdir} ]; then |
540 |
ewarn "To fix a security bug (CVE-2013-0337, bug #458726) had the following" |
541 |
t_permission=$(stat --format='%a' "${t_dir}") |
541 |
ewarn "directories the world-readable bit removed (if set):" |
542 |
t_owner=$(stat --format='%U:%G' "${t_dir}") |
542 |
ewarn " ${EPREFIX}/var/log/nginx" |
543 |
|
543 |
ewarn " ${EPREFIX}${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi}" |
544 |
[ ${t_permission} != '700' ] && has_default_permissions=0 |
544 |
ewarn "Check if this is correct for your setup before restarting nginx!" |
545 |
[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0 |
545 |
ewarn "This is a one-time change and will not happen on subsequent updates." |
546 |
fi |
546 |
ewarn "Furthermore nginx' temp directories got moved to ${NGINX_HOME_TMP}" |
547 |
|
547 |
chmod o-rwx "${EPREFIX}"/var/log/nginx "${EPREFIX}/${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi} |
548 |
t_permission= |
|
|
549 |
t_owner= |
550 |
t_dir="${EPREFIX}${NGINX_HOME_TMP}" |
551 |
if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then |
552 |
t_permission=$(stat --format='%a' "${t_dir}") |
553 |
t_owner=$(stat --format='%U:%g' "${t_dir}") |
554 |
|
555 |
[ ${t_permission} != '750' ] && has_default_permissions=0 |
556 |
[ ${t_owner} != "${PN}:0" ] && has_default_permissions=0 |
557 |
fi |
558 |
|
559 |
t_permission= |
560 |
t_owner= |
561 |
t_dir="${EPREFIX}${NGINX_HOME_TMP}/client" |
562 |
if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then |
563 |
t_permission=$(stat --format='%a' "${t_dir}") |
564 |
t_owner=$(stat --format='%U:%G' "${t_dir}") |
565 |
|
566 |
[ ${t_permission} != '700' ] && has_default_permissions=0 |
567 |
[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0 |
568 |
fi |
569 |
|
570 |
t_permission= |
571 |
t_owner= |
572 |
t_dir="${EPREFIX}${NGINX_HOME_TMP}/proxy" |
573 |
if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then |
574 |
t_permission=$(stat --format='%a' "${t_dir}") |
575 |
t_owner=$(stat --format='%U:%G' "${t_dir}") |
576 |
|
577 |
[ ${t_permission} != '700' ] && has_default_permissions=0 |
578 |
[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0 |
579 |
fi |
580 |
|
581 |
t_permission= |
582 |
t_owner= |
583 |
t_dir="${EPREFIX}${NGINX_HOME_TMP}/fastcgi" |
584 |
if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then |
585 |
t_permission=$(stat --format='%a' "${t_dir}") |
586 |
t_owner=$(stat --format='%U:%G' "${t_dir}") |
587 |
|
588 |
[ ${t_permission} != '700' ] && has_default_permissions=0 |
589 |
[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0 |
590 |
fi |
591 |
|
592 |
t_permission= |
593 |
t_owner= |
594 |
t_dir="${EPREFIX}${NGINX_HOME_TMP}/scgi" |
595 |
if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then |
596 |
t_permission=$(stat --format='%a' "${t_dir}") |
597 |
t_owner=$(stat --format='%U:%G' "${t_dir}") |
598 |
|
599 |
[ ${t_permission} != '700' ] && has_default_permissions=0 |
600 |
[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0 |
601 |
fi |
602 |
|
603 |
t_permission= |
604 |
t_owner= |
605 |
t_dir="${EPREFIX}${NGINX_HOME_TMP}/uwsgi" |
606 |
if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then |
607 |
t_permission=$(stat --format='%a' "${t_dir}") |
608 |
t_owner=$(stat --format='%U:%G' "${t_dir}") |
609 |
|
610 |
[ ${t_permission} != '700' ] && has_default_permissions=0 |
611 |
[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0 |
612 |
fi |
613 |
|
614 |
if [ ${has_default_permissions} -ne 1 ]; then |
615 |
# User's nginx permissions differs from default permissions. |
616 |
ewarn "" |
617 |
ewarn "Your nginx permissions differ from the default permissions/ownership" |
618 |
ewarn "this ebuild would set for a fresh installation." |
619 |
ewarn "" |
620 |
ewarn "If you know what you are doing, e.g. you are running a custom setup" |
621 |
ewarn "with custom permissions, you can ignore this warning." |
622 |
ewarn "" |
623 |
ewarn "If you DO NOT run a custom setup this may indicate that your setup" |
624 |
ewarn "is still vulnerable to CVE-2013-0337 or the previous fix did not fixed" |
625 |
ewarn "all permissions. Please read:" |
626 |
ewarn "" |
627 |
ewarn " - https://bugs.gentoo.org/458726" |
628 |
ewarn " - https://bugs.gentoo.org/473036" |
629 |
ewarn "" |
630 |
ewarn "Current nginx default permissions are:" |
631 |
ewarn " rwx------ (700) ${PN}:${PN} ${EPREFIX}/var/log/nginx" |
632 |
ewarn " rwxr-x--- (750) ${PN}:0 ${EPREFIX}${NGINX_HOME_TMP}" |
633 |
ewarn " rwx------ (700) ${PN}:0 ${EPREFIX}${NGINX_HOME_TMP}/{client,proxy,fastcgi,scgi,uwsgi}" |
634 |
ewarn "" |
635 |
ewarn "Again: If you know what you are doing please ignore this warning." |
636 |
ewarn "Everybody else should adjust permissions/ownership using chmod/chown" |
637 |
ewarn "like stated above." |
548 |
fi |
638 |
fi |
549 |
} |
639 |
} |
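Review bot: The directory test at new line 540 reads `${t_cdir}` while the variable assigned just above is `t_dir`, so `[ -d ]` sees one non-empty operand and is always true; when `${EPREFIX}/var/log/nginx` is absent, stat fails, the unquoted `${t_permission}`/`${t_owner}` expand to nothing and the comparisons error out instead of clearing has_default_permissions. Fix: `if [ -d "${t_dir}" ]; then` and quote both operands in every comparison, e.g. `[ "${t_permission}" != '700' ] && has_default_permissions=0`. The six blocks for the tmp subdirectories (new lines 551-612) repeat the same stat/compare sequence with the deprecated `-a`; a small helper called once per directory removes the duplication and this class of variable-name slip, sketched below. The warning at new line 633 states `${PN}:0` for the subdirectories while the checks compare `%U:%G` against `"${PN}:${PN}"` — one of the two appears wrong, please confirm which ownership the ebuild actually sets. The enclosing function starts outside this hunk.
```shell
# Return 0 when dir is absent or has octal mode $2 and ownership $3;
# $4 is the stat ownership format ('%U:%G' or '%U:%g') used by the checks.
_nginx_has_default_perms() {
	local t_dir=$1 t_mode=$2 t_owner=$3 t_fmt=$4
	[ -d "${t_dir}" ] || return 0
	[ "$(stat --format='%a' "${t_dir}")" = "${t_mode}" ] || return 1
	[ "$(stat --format="${t_fmt}" "${t_dir}")" = "${t_owner}" ] || return 1
}

	# … unchanged: REPLACING_VERSIONS loop and fix_perms warnings …
	local has_default_permissions=1
	local t_dir
	_nginx_has_default_perms "${EPREFIX}/var/log/nginx" 700 "${PN}:${PN}" '%U:%G' || has_default_permissions=0
	_nginx_has_default_perms "${EPREFIX}${NGINX_HOME_TMP}" 750 "${PN}:0" '%U:%g' || has_default_permissions=0
	for t_dir in client proxy fastcgi scgi uwsgi; do
		_nginx_has_default_perms "${EPREFIX}${NGINX_HOME_TMP}/${t_dir}" 700 "${PN}:${PN}" '%U:%G' || has_default_permissions=0
	done
	# … unchanged: ewarn block when has_default_permissions is not 1 …
```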