
(-)nginx-1.4.1-r5.ebuild.old (-18 / +108 lines)
Lines 194-199 Link Here
194
	nginx_modules_http_dav_ext? ( dev-libs/expat )"
194
	nginx_modules_http_dav_ext? ( dev-libs/expat )"
195
RDEPEND="${CDEPEND}"
195
RDEPEND="${CDEPEND}"
196
DEPEND="${CDEPEND}
196
DEPEND="${CDEPEND}
197
	sys-apps/coreutils
197
	arm? ( dev-libs/libatomic_ops )
198
	arm? ( dev-libs/libatomic_ops )
198
	libatomic? ( dev-libs/libatomic_ops )"
199
	libatomic? ( dev-libs/libatomic_ops )"
199
PDEPEND="vim-syntax? ( app-vim/nginx-syntax )"
200
PDEPEND="vim-syntax? ( app-vim/nginx-syntax )"
Lines 527-549 Link Here
527
		ewarn "NGINX_MODULES_HTTP=\"lua spdy\". For more info, see http://git.io/OldLsg"
528
		ewarn "NGINX_MODULES_HTTP=\"lua spdy\". For more info, see http://git.io/OldLsg"
528
	fi
529
	fi
529
530
530
	# This is the proper fix for bug #458726/#469094, resp. CVE-2013-0337 for
531
	# www-servers/nginx-1.4.1-r2 changed permission/ownership due to
531
	# existing installations
532
	# CVE-2013-0337. See bug #458726, #469094 and #473036.
532
	local fix_perms=0
533
	# 
533
534
	# We need to make sure that previous installations aren't affected:
534
	for rv in ${REPLACING_VERSIONS} ; do
535
	local has_default_permissions=1
535
		version_compare ${rv} 1.4.1-r2
536
536
		[[ $? -eq 1 ]] && fix_perms=1
537
	local t_permission=
537
	done
538
	local t_owner=
538
539
	local t_dir="${EPREFIX}/var/log/nginx"
539
	if [[ $fix_perms -eq 1 ]] ; then
540
	if [ -d ${t_cdir} ]; then
540
		ewarn "To fix a security bug (CVE-2013-0337, bug #458726) had the following"
541
		t_permission=$(stat --format='%a' "${t_dir}")
541
		ewarn "directories the world-readable bit removed (if set):"
542
		     t_owner=$(stat --format='%U:%G' "${t_dir}")
542
		ewarn "  ${EPREFIX}/var/log/nginx"
543
		
543
		ewarn "  ${EPREFIX}${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi}"
544
		[ ${t_permission} != '700' ] && has_default_permissions=0
544
		ewarn "Check if this is correct for your setup before restarting nginx!"
545
		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
545
		ewarn "This is a one-time change and will not happen on subsequent updates."
546
	fi
546
		ewarn "Furthermore nginx' temp directories got moved to ${NGINX_HOME_TMP}"
547
547
		chmod o-rwx "${EPREFIX}"/var/log/nginx "${EPREFIX}/${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi}
548
	t_permission=
549
	t_owner=
550
	t_dir="${EPREFIX}${NGINX_HOME_TMP}"
551
	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
552
		t_permission=$(stat --format='%a' "${t_dir}")
553
		     t_owner=$(stat --format='%U:%g' "${t_dir}")
554
		
555
		[ ${t_permission} != '750' ] && has_default_permissions=0
556
		[ ${t_owner} != "${PN}:0" ] && has_default_permissions=0
557
	fi
558
559
	t_permission=
560
	t_owner=
561
	t_dir="${EPREFIX}${NGINX_HOME_TMP}/client"
562
	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
563
		t_permission=$(stat --format='%a' "${t_dir}")
564
		     t_owner=$(stat --format='%U:%G' "${t_dir}")
565
		
566
		[ ${t_permission} != '700' ] && has_default_permissions=0
567
		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
568
	fi
569
570
	t_permission=
571
	t_owner=
572
	t_dir="${EPREFIX}${NGINX_HOME_TMP}/proxy"
573
	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
574
		t_permission=$(stat --format='%a' "${t_dir}")
575
		     t_owner=$(stat --format='%U:%G' "${t_dir}")
576
		
577
		[ ${t_permission} != '700' ] && has_default_permissions=0
578
		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
579
	fi
580
581
	t_permission=
582
	t_owner=
583
	t_dir="${EPREFIX}${NGINX_HOME_TMP}/fastcgi"
584
	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
585
		t_permission=$(stat --format='%a' "${t_dir}")
586
		     t_owner=$(stat --format='%U:%G' "${t_dir}")
587
		
588
		[ ${t_permission} != '700' ] && has_default_permissions=0
589
		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
590
	fi
591
592
	t_permission=
593
	t_owner=
594
	t_dir="${EPREFIX}${NGINX_HOME_TMP}/scgi"
595
	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
596
		t_permission=$(stat --format='%a' "${t_dir}")
597
		     t_owner=$(stat --format='%U:%G' "${t_dir}")
598
		
599
		[ ${t_permission} != '700' ] && has_default_permissions=0
600
		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
601
	fi
602
603
	t_permission=
604
	t_owner=
605
	t_dir="${EPREFIX}${NGINX_HOME_TMP}/uwsgi"
606
	if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
607
		t_permission=$(stat --format='%a' "${t_dir}")
608
		     t_owner=$(stat --format='%U:%G' "${t_dir}")
609
		
610
		[ ${t_permission} != '700' ] && has_default_permissions=0
611
		[ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
612
	fi
613
614
	if [ ${has_default_permissions} -ne 1 ]; then
615
		# User's nginx permissions differs from default permissions.
616
		ewarn ""
617
		ewarn "Your nginx permissions differ from the default permissions/ownership"
618
		ewarn "this ebuild would set for a fresh installation."
619
		ewarn ""
620
		ewarn "If you know what you are doing, e.g. you are running a custom setup"
621
		ewarn "with custom permissions, you can ignore this warning."
622
		ewarn ""
623
		ewarn "If you DO NOT run a custom setup this may indicate that your setup"
624
		ewarn "is still vulnerable to CVE-2013-0337 or the previous fix did not fixed"
625
		ewarn "all permissions. Please read:"
626
		ewarn ""
627
		ewarn "  - https://bugs.gentoo.org/458726"
628
		ewarn "  - https://bugs.gentoo.org/473036"
629
		ewarn ""
630
		ewarn "Current nginx default permissions are:"
631
		ewarn "  rwx------ (700) ${PN}:${PN} ${EPREFIX}/var/log/nginx"
632
		ewarn "  rwxr-x--- (750) ${PN}:0     ${EPREFIX}${NGINX_HOME_TMP}"
633
		ewarn "  rwx------ (700) ${PN}:0     ${EPREFIX}${NGINX_HOME_TMP}/{client,proxy,fastcgi,scgi,uwsgi}"
634
		ewarn ""
635
		ewarn "Again: If you know what you are doing please ignore this warning."
636
		ewarn "Everybody else should adjust permissions/ownership using chmod/chown"
637
		ewarn "like stated above."
548
	fi
638
	fi
549
}
639
}
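Review bot: The first ownership check on the new side, `if [ -d ${t_cdir} ]; then`, tests `t_cdir` while the variable assigned on the line above is `t_dir`; the unset name expands to nothing, `[ -d ]` is then a one-argument test that is always true, so `stat` runs even when the directory is absent, and the empty results make the unquoted `[ ${t_permission} != '700' ]` and `[ ${t_owner} != ... ]` lines fail with a test syntax error instead of clearing `has_default_permissions`. The line should read `if [ -d "${t_dir}" ]; then`, and each of the `[ ${t_permission} … ]` / `[ ${t_owner} … ]` comparisons in this hunk should quote its left operand so an empty value cannot short-circuit the check. The ownership that the warning text at the bottom states for `${NGINX_HOME_TMP}/{client,proxy,fastcgi,scgi,uwsgi}` (`${PN}:0`) also disagrees with what the five subdirectory checks require (`${PN}:${PN}`); which side is right cannot be seen from this hunk, but one of them will misdirect an administrator trying to follow the advice. Since the six stat/compare blocks are copies of one another, a single helper (sketched below, intended for file scope) removes the room for this kind of typo; the enclosing function begins before the hunk.
```shell
# Return 0 when DIR has mode MODE and owner OWNER as printed by
# 'stat --format FMT' (FMT defaults to %U:%G), or when DIR is missing
# (nothing to check, matching the current behaviour); 1 otherwise.
_nginx_has_default_perms() {
	local dir=$1 mode=$2 owner=$3 fmt=${4:-%U:%G}
	[[ -d ${dir} ]] || return 0
	[[ $(stat --format='%a' "${dir}") == "${mode}" ]] || return 1
	[[ $(stat --format="${fmt}" "${dir}") == "${owner}" ]] || return 1
}

	# … unchanged: REPLACING_VERSIONS handling above …
	local has_default_permissions=1
	_nginx_has_default_perms "${EPREFIX}/var/log/nginx" 700 "${PN}:${PN}" || has_default_permissions=0
	_nginx_has_default_perms "${EPREFIX}${NGINX_HOME_TMP}" 750 "${PN}:0" '%U:%g' || has_default_permissions=0
	local d
	for d in client proxy fastcgi scgi uwsgi; do
		_nginx_has_default_perms "${EPREFIX}${NGINX_HOME_TMP}/${d}" 700 "${PN}:${PN}" || has_default_permissions=0
	done
	# … unchanged: ewarn block shown when has_default_permissions -ne 1 …
```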
