As reported by me in oss-security, the nginx logdir and its content are world readable:

drwxr-xr-x  2 root root  4096 Jan 10 00:11 .
drwxr-xr-x 16 root root  4096 Feb 21 17:46 ..
-rw-r--r--  1 root root 69415 Feb 21 17:46 error_log
-rw-r--r--  1 root root 93017 Feb 18 22:03 localhost.access_log
-rw-r--r--  1 root root 86227 Feb 18 22:03 localhost.error_log
I agree with Maxim Dounin from the nginx team [1]:

> We are fine with default permissions used for log files.
> If in a particular configuration stricter permissions are
> required, this may be done either by creating appropriate
> log files with needed permissions, or by restricting access
> to a directory with log files.

So I won't fix it with a custom patch either.

[1] http://www.openwall.com/lists/oss-security/2013/02/24/1
The problem here is not the permissions on the log files but that nginx resets the permissions on its log directory, which it really shouldn't. Even if we are going to restrict /var/log/nginx by default to 0750, nginx resets it to 0755 after a start.
*argh* cancel that, had an old init.d-script. With a current nginx, we explicitly set the log directory to 0750 which I'd say is sufficient for this.
actually, since #446734 we don't touch the logdir at all if it exists. otherwise it will be created with 0755 (not 0750!)
(In reply to comment #4)
> actually, since #446734 we don't touch the logdir at all if it exists.
> otherwise it will be created with 0755 (not 0750!)

Why don't we default to 0750? And why do we still overwrite /var/tmp/nginx? And why with 0755 instead of 0750?
I don't know and honestly I don't care ... if you feel like changing it, please do so
I'd like to wait a bit and stabilize
security please vote
Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201310-04 at http://security.gentoo.org/glsa/glsa-201310-04.xml by GLSA coordinator Sean Amoss (ackle).
CVE-2013-0337 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0337): The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.
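
The distinction debated in the comments above (file modes versus directory mode), as an added example that is not part of the original bug thread or of the nginx ebuild: a shell audit that counts a log file as exposed only when its directory is traversable by other users and the file itself is other-readable. The function names and the temporary sample directory are constructed for illustration; the check looks at mode bits only and ignores ACLs and parent directories.

```shell
#!/bin/sh
# Added example: mode-bit audit of a log directory (ignores ACLs and parent dirs).

# Prints findings; returns 0 if no file is readable by "other", 1 if some are,
# 2 if DIR does not exist.
audit_logdir() {
    dir=$1
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    # Without o+x on the directory, other users cannot open files inside it,
    # whatever the files' own modes are (a 0644 log in a 0750 dir is not exposed).
    if [ -z "$(find "$dir" -prune -perm -001)" ]; then
        echo "OK $dir is not traversable by other users"
        return 0
    fi
    # Directory is traversable: every o+r file in it can be opened by name,
    # and log file names are predictable even if the directory lacks o+r.
    exposed=$(find "$dir" -type f -perm -004 -exec printf 'EXPOSED %s\n' {} \;)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed"
        return 1
    fi
    echo "OK no file in $dir is readable by other users"
    return 0
}

# Constructed sample mirroring the listing in the report: 0755 dir, 0644 files.
make_sample() {
    d=$(mktemp -d) || return 1
    chmod 0755 "$d"
    for f in error_log localhost.access_log localhost.error_log; do
        : > "$d/$f" && chmod 0644 "$d/$f"
    done
    echo "$d"
}

# Stand-alone run: audit the sample, apply the 0750 directory mode, audit again.
if [ "${1:-}" = "--demo" ]; then
    s=$(make_sample)
    audit_logdir "$s"; echo "before: rc=$?"
    chmod 0750 "$s"
    audit_logdir "$s"; echo "after:  rc=$?"
    rm -rf "$s"
fi
```

Run with `--demo` to see both results on the sample, or source the file and call `audit_logdir /var/log/nginx` on a real host.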