Nginx does not re-open log files on SIGUSR1.
Gena Makhomed
gmm at csdoc.com
Mon Jan 3 20:42:43 MSK 2011
On 03.01.2011 17:48, Gena Makhomed wrote:
> On 03.01.2011 16:05, Piotr Karbowski wrote:
>>> master process running as root open/write files in /var/log/nginx
>>> - if nginx user has write permissions to this directory,
>>> 700 nginx:nginx - such a setup is vulnerable to a symlink attack
>>> better approach: set permissions 750 root:nginx /var/log/nginx
>>> or 750 root:www-logs /var/log/nginx and add user nginx to group www-logs
>> Now when you mention it, if the nginx worker has read perms there (as you
>> suggested above), then if a user symlinks to any log, he will be able to fetch
>> it via nginx, which is a security hole.
[...]
> if nginx log files will have permissions nginx:root 244
> in this case nginx worker processes can only write (append)
> to log files, and can't read anything from them, even via symlink -
> in this case 403 Forbidden will be returned for access via symlink.
> but nginx source needs to be patched for 244 logfile permissions,
> and this can't be done via the logrotate create 0244 nginx root
> directive, because nginx master process after USR1 signal
> explicitly resets logfile permissions to S_IRUSR|S_IWUSR
patches:
tested with 0.8.53, 0.8.54 and 0.9.3.
nginx-logfiles-permissions-1.patch:
reset log file owner (nginx) permissions to S_IWUSR only.
nginx-logfiles-permissions-2.patch:
first change log file permissions, thereafter change owner.
--
Best regards,
Gena
Attachment: nginx-logfiles-permissions-1.patch
URL: <http://nginx.org/pipermail/nginx-devel/attachments/20110103/63f88d3d/attachment.ksh>
Attachment: nginx-logfiles-permissions-2.patch
URL: <http://nginx.org/pipermail/nginx-devel/attachments/20110103/63f88d3d/attachment-0001.ksh>
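The permission rule behind the 244 proposal and the USR1 reset described above, as an added Python example (not code from the thread or from nginx): it evaluates the POSIX owner/group/other check the way the kernel does, audits a log directory for the three conditions the thread discusses, and shows how an unpatched master's S_IRUSR|S_IWUSR reset reintroduces the readable log. The directory path, the simulated reopen and the planted symlink are constructed for the demo.

```python
import os
import shutil
import stat
import tempfile

def dac_allows(mode, owner, group, uid, gid, want):
    """Simplified POSIX rule (no supplementary groups, no root override): a uid
    matching the owner is judged by the owner bits alone, so a 0244 log owned
    by the worker is unreadable to that worker. `want` is the owner-class bit."""
    mode = stat.S_IMODE(mode)
    if uid == owner:
        return bool(mode & want)
    if gid == group:
        return bool(mode & (want >> 3))
    return bool(mode & (want >> 6))

def audit_log_dir(path, worker_uid, worker_gid):
    """Report the three conditions discussed in the thread for one log dir."""
    findings = []
    st = os.lstat(path)
    if dac_allows(st.st_mode, st.st_uid, st.st_gid, worker_uid, worker_gid, stat.S_IWUSR):
        findings.append(("dir-writable-by-worker", path))  # symlink planting possible
    for name in sorted(os.listdir(path)):
        p = os.path.join(path, name)
        fst = os.lstat(p)
        if stat.S_ISLNK(fst.st_mode):
            findings.append(("symlink-in-log-dir", p))
        elif stat.S_ISREG(fst.st_mode) and dac_allows(
                fst.st_mode, fst.st_uid, fst.st_gid, worker_uid, worker_gid, stat.S_IRUSR):
            findings.append(("log-readable-by-worker", p))  # could be served via symlink
    return findings

def simulate_master_reopen(path):
    """Models the reset the post describes: unpatched master restores S_IRUSR|S_IWUSR on USR1."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)

def demo():
    """Constructed temp-dir scenario; the running uid stands in for the nginx worker.
    (The temp dir is owned by that uid, so the directory finding fires here.)"""
    uid, gid = os.getuid(), os.getgid()
    base = tempfile.mkdtemp(prefix="nginx-logs-")
    log = os.path.join(base, "access.log")
    open(log, "w").close()
    os.chmod(log, 0o244)  # what "logrotate create 0244 nginx root" is meant to leave behind
    os.symlink("other.log", os.path.join(base, "planted.log"))  # constructed symlink
    before = audit_log_dir(base, uid, gid)
    simulate_master_reopen(log)
    after = audit_log_dir(base, uid, gid)
    shutil.rmtree(base)
    return before, after
```

With the recommended 750 root:nginx directory the first finding disappears, because the worker is then judged by the group bits, which carry no write permission.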