Gentoo's Bugzilla – Attachment 359510 Details for Bug 473036
=www-servers/nginx-1.4.1-r2: default permissions of logdir stop logs after SIGUSR1
[patch] Check permission/ownership in pkg_postinst
check-permission-and-ownership-in-postinstall.patch (text/plain), 5.29 KB, created by Thomas Deutschmann (RETIRED) on 2013-09-26 09:17:45 UTC
>--- nginx-1.4.1-r5.ebuild.old 2013-09-25 18:28:27.000000000 +0200 >+++ nginx-1.4.1-r5.ebuild 2013-09-26 11:05:37.000000000 +0200 >@@ -194,6 +194,7 @@ > nginx_modules_http_dav_ext? ( dev-libs/expat )" > RDEPEND="${CDEPEND}" > DEPEND="${CDEPEND} >+ sys-apps/coreutils > arm? ( dev-libs/libatomic_ops ) > libatomic? ( dev-libs/libatomic_ops )" > PDEPEND="vim-syntax? ( app-vim/nginx-syntax )" 
>@@ -527,23 +528,112 @@ > ewarn "NGINX_MODULES_HTTP=\"lua spdy\". For more info, see http://git.io/OldLsg" > fi > >- # This is the proper fix for bug #458726/#469094, resp. CVE-2013-0337 for >- # existing installations >- local fix_perms=0 >- >- for rv in ${REPLACING_VERSIONS} ; do >- version_compare ${rv} 1.4.1-r2 >- [[ $? -eq 1 ]] && fix_perms=1 >- done >- >- if [[ $fix_perms -eq 1 ]] ; then >- ewarn "To fix a security bug (CVE-2013-0337, bug #458726) had the following" >- ewarn "directories the world-readable bit removed (if set):" >- ewarn " ${EPREFIX}/var/log/nginx" >- ewarn " ${EPREFIX}${NGINX_HOME_TMP}/{,client,proxy,fastcgi,scgi,uwsgi}" >- ewarn "Check if this is correct for your setup before restarting nginx!" >- ewarn "This is a one-time change and will not happen on subsequent updates." >- ewarn "Furthermore nginx' temp directories got moved to ${NGINX_HOME_TMP}" >- chmod o-rwx "${EPREFIX}"/var/log/nginx "${EPREFIX}/${NGINX_HOME_TMP}"/{,client,proxy,fastcgi,scgi,uwsgi} >+ # www-servers/nginx-1.4.1-r2 changed permission/ownership due to >+ # CVE-2013-0337. See bug #458726, #469094 and #473036. 
>+ # >+ # We need to make sure that previous installations aren't affected: >+ local has_default_permissions=1 >+ >+ local t_permission= >+ local t_owner= >+ local t_dir="${EPREFIX}/var/log/nginx" >+ if [ -d ${t_cdir} ]; then >+ t_permission=$(stat --format='%a' "${t_dir}") >+ t_owner=$(stat --format='%U:%G' "${t_dir}") >+ >+ [ ${t_permission} != '700' ] && has_default_permissions=0 >+ [ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0 >+ fi >+ >+ t_permission= >+ t_owner= >+ t_dir="${EPREFIX}${NGINX_HOME_TMP}" >+ if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then >+ t_permission=$(stat --format='%a' "${t_dir}") >+ t_owner=$(stat --format='%U:%g' "${t_dir}") >+ >+ [ ${t_permission} != '750' ] && has_default_permissions=0 >+ [ ${t_owner} != "${PN}:0" ] && has_default_permissions=0 >+ fi >+ >+ t_permission= >+ t_owner= >+ t_dir="${EPREFIX}${NGINX_HOME_TMP}/client" >+ if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then >+ t_permission=$(stat --format='%a' "${t_dir}") >+ t_owner=$(stat --format='%U:%G' "${t_dir}") >+ >+ [ ${t_permission} != '700' ] && has_default_permissions=0 >+ [ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0 >+ fi >+ >+ t_permission= >+ t_owner= >+ t_dir="${EPREFIX}${NGINX_HOME_TMP}/proxy" >+ if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then >+ t_permission=$(stat --format='%a' "${t_dir}") >+ t_owner=$(stat --format='%U:%G' "${t_dir}") >+ >+ [ ${t_permission} != '700' ] && has_default_permissions=0 >+ [ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0 >+ fi >+ >+ t_permission= >+ t_owner= >+ t_dir="${EPREFIX}${NGINX_HOME_TMP}/fastcgi" >+ if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then >+ t_permission=$(stat --format='%a' "${t_dir}") >+ t_owner=$(stat --format='%U:%G' "${t_dir}") >+ >+ [ ${t_permission} != '700' ] && has_default_permissions=0 >+ [ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0 >+ fi >+ >+ t_permission= >+ t_owner= >+ 
t_dir="${EPREFIX}${NGINX_HOME_TMP}/scgi" >+ if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then >+ t_permission=$(stat --format='%a' "${t_dir}") >+ t_owner=$(stat --format='%U:%G' "${t_dir}") >+ >+ [ ${t_permission} != '700' ] && has_default_permissions=0 >+ [ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0 >+ fi >+ >+ t_permission= >+ t_owner= >+ t_dir="${EPREFIX}${NGINX_HOME_TMP}/uwsgi" >+ if [ ${has_default_permissions} -eq 1 -a -d ${t_dir} ]; then >+ t_permission=$(stat --format='%a' "${t_dir}") >+ t_owner=$(stat --format='%U:%G' "${t_dir}") >+ >+ [ ${t_permission} != '700' ] && has_default_permissions=0 >+ [ ${t_owner} != "${PN}:${PN}" ] && has_default_permissions=0 >+ fi >+ >+ if [ ${has_default_permissions} -ne 1 ]; then >+ # User's nginx permissions differs from default permissions. >+ ewarn "" >+ ewarn "Your nginx permissions differ from the default permissions/ownership" >+ ewarn "this ebuild would set for a fresh installation." >+ ewarn "" >+ ewarn "If you know what you are doing, e.g. you are running a custom setup" >+ ewarn "with custom permissions, you can ignore this warning." >+ ewarn "" >+ ewarn "If you DO NOT run a custom setup this may indicate that your setup" >+ ewarn "is still vulnerable to CVE-2013-0337 or the previous fix did not fixed" >+ ewarn "all permissions. Please read:" >+ ewarn "" >+ ewarn " - https://bugs.gentoo.org/458726" >+ ewarn " - https://bugs.gentoo.org/473036" >+ ewarn "" >+ ewarn "Current nginx default permissions are:" >+ ewarn " rwx------ (700) ${PN}:${PN} ${EPREFIX}/var/log/nginx" >+ ewarn " rwxr-x--- (750) ${PN}:0 ${EPREFIX}${NGINX_HOME_TMP}" >+ ewarn " rwx------ (700) ${PN}:0 ${EPREFIX}${NGINX_HOME_TMP}/{client,proxy,fastcgi,scgi,uwsgi}" >+ ewarn "" >+ ewarn "Again: If you know what you are doing please ignore this warning." >+ ewarn "Everybody else should adjust permissions/ownership using chmod/chown" >+ ewarn "like stated above." > fi > }
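Review bot: In the first hunk (@@ -194,6 +194,7 @@), sys-apps/coreutils is added to DEPEND only, while the `stat` calls it is meant to provide run in pkg_postinst, i.e. when the package is merged and not when it is built. RDEPEND="${CDEPEND}" is left unchanged, so an installation from a binary package does not get this dependency pulled in. If the dependency is wanted at all, it belongs in RDEPEND (or in CDEPEND, which feeds both variables); otherwise drop it and rely on coreutils being part of the base system.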
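Review bot: In the second hunk (@@ -527,23 +528,112 @@), the first directory check tests `[ -d ${t_cdir} ]`, but only `t_dir` is ever assigned, so the unquoted empty expansion leaves `[ -d ]`, which evaluates as true, and the /var/log/nginx block runs whether or not the directory exists; this should read `[ -d "${t_dir}" ]`. The closing summary also lists `${PN}:0` as the owner of the {client,proxy,fastcgi,scgi,uwsgi} directories, while the checks compare those directories against `${PN}:${PN}`, so a user who follows the warning text literally would still fail the check; one of the two needs correcting. The expansions inside `[ ... ]` are unquoted throughout, so an empty `stat` result produces a test syntax error instead of a mismatch and leaves has_default_permissions at 1. Quoting them and folding the seven near-identical blocks into one loop over directory, expected mode and expected owner would make the logic easier to verify. Note too that the removed code applied `chmod o-rwx` for affected upgrades and the replacement only warns, which deserves a sentence in the comment block. Minor: "did not fixed" in the warning should be "did not fix".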