Bad permissions in /var/log/nginx after logs are rotated

Igor Sysoev igor at sysoev.ru
Tue Feb 23 13:44:31 MSK 2010


On Tue, Feb 23, 2010 at 07:13:16AM -0300, Juan Fco. Giordana wrote:

> Hello,
> 
> I'm using daemontools to run nginx [1] and I'm experiencing the 
> following problem when I send the USR1 signal to rotate the logs with 
> another script [2]:
> 
> The problem is that after sending the USR1 signal to nginx, the logs 
> owner becomes 'nginx' instead of 'root', which is a potential security 
> breach.
> 
> ~ # ls -la /var/log/nginx
> total 627
> drwxr-xr-x  2 root root   1088 Feb 23 04:29 .
> drwxr-xr-x 15 root root   1088 Feb 22 01:27 ..
> -rw-r--r--  1 root root      0 Feb 23 04:25 access_log
> -rw-r--r--  1 root root      0 Feb 23 04:25 error_log
> -rw-r--r--  1 root root  19164 Feb 23 04:29 site1.com-access_log
> -rw-r--r--  1 root root      0 Feb 23 04:25 site1.com-error_log
> -rw-r--r--  1 root root      0 Feb 23 04:25 site1.com-ssl_access_log
> -rw-r--r--  1 root root      0 Feb 23 04:25 site1.com-ssl_error_log
> 
> ~ # nginx-rotate.sh [2]
> 
> ~ # ls -la /var/log/nginx
> total 11
> drwxr-xr-x  3 root  root 1112 Feb 23 04:29 .
> drwxr-xr-x 15 root  root 1088 Feb 22 01:27 ..
> drwxr-xr-x  2 root  root 1088 Feb 23 04:29 old
> -rw-r--r--  1 nginx root    0 Feb 23 04:29 access_log
> -rw-r--r--  1 nginx root    0 Feb 23 04:29 error_log
> -rw-r--r--  1 nginx root  123 Feb 23 04:29 site1.com-access_log
> -rw-r--r--  1 nginx root    0 Feb 23 04:29 site1.com-error_log
> -rw-r--r--  1 nginx root    0 Feb 23 04:29 site1.com-ssl_access_log
> -rw-r--r--  1 nginx root    0 Feb 23 04:29 site1.com-ssl_error_log
> 
> If instead of this I restart [3] the nginx process or send the HUP 
> signal [4], then the log files' permissions remain correct (owned by root).
> 
> I'm not sure if this is a bug or a known issue but I appreciate any 
> clarifications.

This is by design: workers are not restarted on USR1 signal, therefore
master sets file owner so workers are able to open the new log files.
I do not consider this as a potential security breach, since workers
anyway write to these files.


-- 
Igor Sysoev
http://sysoev.ru/en/
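As an added example (not part of the thread, and not nginx's own code), the rotate-then-USR1 procedure Juan describes, followed by the check a defender actually wants after reading Igor's answer: the reopened files being owned by the worker user is expected, so the property to verify is that nobody other than that user can write to them. The log directory, worker user name and pid file path are assumptions set via environment variables; adjust them for your host.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumed defaults (hypothetical, override via environment):
LOG_DIR="${LOG_DIR:-/var/log/nginx}"
WORKER_USER="${WORKER_USER:-nginx}"
PID_FILE="${PID_FILE:-/var/run/nginx.pid}"

# Rotate: move every current *_log into old/ with a timestamp, then ask the
# master to reopen. Workers keep running; per Igor's reply the master creates
# the new files and sets their owner to the worker user so workers can open them.
rotate_logs() {
    dir=$1
    mkdir -p "$dir/old"
    stamp=$(date +%Y%m%d%H%M%S)
    for f in "$dir"/*_log; do
        [ -f "$f" ] || continue
        mv "$f" "$dir/old/$(basename "$f").$stamp"
    done
    kill -USR1 "$(cat "$PID_FILE")"
    sleep 1   # give the master a moment to reopen the files
}

# Check one log file: the owner must be the worker user (that is who writes),
# and the file must not be group- or world-writable. Returns 0 if OK, 1 if not.
check_log_file() {
    file=$1 ; want_owner=$2
    # Parse a POSIX "ls -l" line: field 1 is the mode string, field 3 the owner.
    set -- $(ls -ld "$file")
    mode=$1 ; owner=$3
    gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)   # other write bit
    if [ "$owner" != "$want_owner" ]; then
        echo "WARN $file owned by $owner, expected $want_owner"
        return 1
    fi
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "WARN $file is group/world writable ($mode)"
        return 1
    fi
    echo "OK   $file $mode $owner"
    return 0
}

# Check every *_log in a directory; returns the number of files that failed.
check_log_dir() {
    dir=$1 ; want_owner=$2 ; bad=0
    for f in "$dir"/*_log; do
        [ -f "$f" ] || continue
        check_log_file "$f" "$want_owner" || bad=$((bad + 1))
    done
    return $bad
}
```

Usage on a live host (as root): `rotate_logs "$LOG_DIR" && check_log_dir "$LOG_DIR" "$WORKER_USER"`. A non-zero exit from `check_log_dir` means some reopened log is either owned by an unexpected account or writable by group or others; the listing in Juan's message (`-rw-r--r-- nginx root`) passes this check with `WORKER_USER=nginx`.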


