--- nginx-1.4.1-r5.ebuild.old 2013-09-25 18:28:27.000000000 +0200
+++ nginx-1.4.1-r5.ebuild.old 2013-09-26 11:05:37.000000000 +0200
@@ -194,6 +194,7 @@
 nginx_modules_http_dav_ext? ( dev-libs/expat )"
 RDEPEND="${CDEPEND}"
 DEPEND="${CDEPEND}
+ sys-apps/coreutils
 arm? ( dev-libs/libatomic_ops )
 libatomic? ( dev-libs/libatomic_ops )"
 PDEPEND="vim-syntax? ( app-vim/nginx-syntax )"
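Review bot: The new `sys-apps/coreutils` entry is placed in DEPEND, but the only consumer visible in this patch is the `stat --format=…` call in the second hunk, which sits in what appears to be a pkg_* phase (the old code it replaces read `REPLACING_VERSIONS`), i.e. it runs on the target system at merge time rather than at build time. If the entry is meant to guarantee GNU `stat` for that call, RDEPEND is the place that covers merge-time execution, e.g. `RDEPEND="${CDEPEND}` / `	sys-apps/coreutils"`. Since coreutils is normally part of the system set, the dependency may be redundant in either place; a short comment saying why it was added (`# GNU stat --format, used in pkg_postinst`) would help the next maintainer judge that.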
@@ -527,23 +528,112 @@
 ewarn "NGINX_MODULES_HTTP=\"lua spdy\". For more info, see http://git.io/OldLsg"
 fi
 
- # This is the proper fix for bug #458726/#469094, resp. CVE-2013-0337 for
- # existing installations
- local fix_perms=0
-
- for rv in ${REPLACING_VERSIONS} ; do
- version_compare ${rv} 1.4.1-r2
- [[ $? -eq 1 ]] && fix_perms=1
- done
-
- if [[ $fix_perms -eq 1 ]] ; then
- ewarn "To fix a security bug (CVE-2013-0337, bug #458726) had the following"
- ewarn "directories the world-readable bit removed (if set):"
- ewarn " ${EPREFIX}/var/log/nginx"
- ewarn " ${EPREFIX}${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi}"
- ewarn "Check if this is correct for your setup before restarting nginx!"
- ewarn "This is a one-time change and will not happen on subsequent updates."
- ewarn "Furthermore nginx' temp directories got moved to ${NGINX_HOME_TMP}"
- chmod o-rwx "${EPREFIX}"/var/log/nginx "${EPREFIX}/${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi}
+ # www-servers/nginx-1.4.1-r2 changed permission/ownership due to
+ # CVE-2013-0337. See bug #458726, #469094 and #473036.
+ #
+ # We need to make sure that previous installations aren't affected:
+ local has_default_permissions=1
+
+ local t_permission=
+ local t_owner=
+ local t_dir="${EPREFIX}/var/log/nginx"
+ if [ -d ${t_cdir} ]; then
+ t_permission=$(stat --format='%a' "${t_dir}")
+ t_owner=$(stat --format='%U:%G' "${t_dir}")
+
+ [ ${t_permission} != '700' ] && has_default_permissions=0
+ [ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
+ fi
+
+ t_permission=
+ t_owner=
+ t_dir="${EPREFIX}${NGINX_HOME_TMP}"
+ if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
+ t_permission=$(stat --format='%a' "${t_dir}")
+ t_owner=$(stat --format='%U:%g' "${t_dir}")
+
+ [ ${t_permission} != '750' ] && has_default_permissions=0
+ [ ${t_owner} != "${PN}:0" ] && has_default_permissions=0
+ fi
+
+ t_permission=
+ t_owner=
+ t_dir="${EPREFIX}${NGINX_HOME_TMP}/client"
+ if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
+ t_permission=$(stat --format='%a' "${t_dir}")
+ t_owner=$(stat --format='%U:%G' "${t_dir}")
+
+ [ ${t_permission} != '700' ] && has_default_permissions=0
+ [ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
+ fi
+
+ t_permission=
+ t_owner=
+ t_dir="${EPREFIX}${NGINX_HOME_TMP}/proxy"
+ if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
+ t_permission=$(stat --format='%a' "${t_dir}")
+ t_owner=$(stat --format='%U:%G' "${t_dir}")
+
+ [ ${t_permission} != '700' ] && has_default_permissions=0
+ [ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
+ fi
+
+ t_permission=
+ t_owner=
+ t_dir="${EPREFIX}${NGINX_HOME_TMP}/fastcgi"
+ if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
+ t_permission=$(stat --format='%a' "${t_dir}")
+ t_owner=$(stat --format='%U:%G' "${t_dir}")
+
+ [ ${t_permission} != '700' ] && has_default_permissions=0
+ [ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
+ fi
+
+ t_permission=
+ t_owner=
+ t_dir="${EPREFIX}${NGINX_HOME_TMP}/scgi"
+ if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
+ t_permission=$(stat --format='%a' "${t_dir}")
+ t_owner=$(stat --format='%U:%G' "${t_dir}")
+
+ [ ${t_permission} != '700' ] && has_default_permissions=0
+ [ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
+ fi
+
+ t_permission=
+ t_owner=
+ t_dir="${EPREFIX}${NGINX_HOME_TMP}/uwsgi"
+ if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then
+ t_permission=$(stat --format='%a' "${t_dir}")
+ t_owner=$(stat --format='%U:%G' "${t_dir}")
+
+ [ ${t_permission} != '700' ] && has_default_permissions=0
+ [ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0
+ fi
+
+ if [ ${has_default_permissions} -ne 1 ]; then
+ # User's nginx permissions differs from default permissions.
+ ewarn ""
+ ewarn "Your nginx permissions differ from the default permissions/ownership"
+ ewarn "this ebuild would set for a fresh installation."
+ ewarn ""
+ ewarn "If you know what you are doing, e.g. you are running a custom setup"
+ ewarn "with custom permissions, you can ignore this warning."
+ ewarn ""
+ ewarn "If you DO NOT run a custom setup this may indicate that your setup"
+ ewarn "is still vulnerable to CVE-2013-0337 or the previous fix did not fixed"
+ ewarn "all permissions. Please read:"
+ ewarn ""
+ ewarn " - https://bugs.gentoo.org/458726"
+ ewarn " - https://bugs.gentoo.org/473036"
+ ewarn ""
+ ewarn "Current nginx default permissions are:"
+ ewarn " rwx------ (700) ${PN}:${PN} ${EPREFIX}/var/log/nginx"
+ ewarn " rwxr-x--- (750) ${PN}:0 ${EPREFIX}${NGINX_HOME_TMP}"
+ ewarn " rwx------ (700) ${PN}:0 ${EPREFIX}${NGINX_HOME_TMP}/{client,proxy,fastcgi,scgi,uwsgi}"
+ ewarn ""
+ ewarn "Again: If you know what you are doing please ignore this warning."
+ ewarn "Everybody else should adjust permissions/ownership using chmod/chown"
+ ewarn "like stated above."
 fi
 }
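Review bot: The first directory check tests `[ -d ${t_cdir} ]` while the variable that was just set is `t_dir`; the unquoted expansion of the unset name collapses to a one-argument `[ -d ]`, which is always true, so the `/var/log/nginx` check is never skipped on a missing directory and `stat` is then run on a path that may not exist — it should read `if [ -d "${t_dir}" ]; then`. The advice printed at the end also disagrees with the checks: the five `${NGINX_HOME_TMP}` subdirectories are compared against `"${PN}:${PN}"` but the `ewarn` table tells the user to set `${PN}:0`, so an admin who follows the message will keep triggering this warning on every merge; whichever ownership is the intended default, both places need to agree. The same 11 lines are repeated seven times differing only in path, mode, owner format and expected owner, and every `[ … ]` test expands unquoted (an empty `t_permission` after a failed `stat` turns into `[ != '700' ]`, a syntax error that leaves `has_default_permissions` at 1); a table-driven loop with quoted expansions covers all seven with one body and removes the typo, as sketched below, with the `${PN}:${PN}` expectation kept as the checks currently have it pending the decision above. The enclosing function starts before this hunk.

```shell
	# … unchanged: comment header, local has_default_permissions=1 …
	local t_spec t_dir t_mode t_fmt t_want
	# dir|expected octal mode|stat owner format|expected owner
	for t_spec in \
		"${EPREFIX}/var/log/nginx|700|%U:%G|${PN}:${PN}" \
		"${EPREFIX}${NGINX_HOME_TMP}|750|%U:%g|${PN}:0" \
		"${EPREFIX}${NGINX_HOME_TMP}/client|700|%U:%G|${PN}:${PN}" \
		"${EPREFIX}${NGINX_HOME_TMP}/proxy|700|%U:%G|${PN}:${PN}" \
		"${EPREFIX}${NGINX_HOME_TMP}/fastcgi|700|%U:%G|${PN}:${PN}" \
		"${EPREFIX}${NGINX_HOME_TMP}/scgi|700|%U:%G|${PN}:${PN}" \
		"${EPREFIX}${NGINX_HOME_TMP}/uwsgi|700|%U:%G|${PN}:${PN}"
	do
		IFS='|' read -r t_dir t_mode t_fmt t_want <<< "${t_spec}"
		# A directory that does not exist cannot carry wrong permissions.
		[ -d "${t_dir}" ] || continue
		[ "$(stat --format='%a' "${t_dir}")" = "${t_mode}" ] || has_default_permissions=0
		[ "$(stat --format="${t_fmt}" "${t_dir}")" = "${t_want}" ] || has_default_permissions=0
		# Stop at the first mismatch, as the unrolled version did.
		[ "${has_default_permissions}" -eq 1 ] || break
	done
	# … unchanged: ewarn block …
```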