Nginx does not re-open log files on SIGUSR1.

Piotr Karbowski jabberuser at
Mon Jan 3 17:05:30 MSK 2011

On 01/03/2011 02:16 PM, Gena Makhomed wrote:
> master process running as root open/write files in /var/log/nginx
> - if nginx user have write permissions to this directory,
> 700 nginx:nginx - such setup is vulnerable by symlink attack
> better approach set permissions 750 root:nginx /var/log/nginx
> or 750 root:www-logs /var/log/nginx and add user nginx to group www-logs

Now when you mention it, if nginx worker have read perms there (as you 
suggested above), then if user symlink to any log, he will be able fetch 
it via nginx which is security hole.

> nginx workers also write to log files.

In what cases? And direct or somehow 'via master proicess'?

On 01/03/2011 01:54 PM, Piotr Sikora wrote:
 > You need at least 711, otherwise workers won't be able to open
 > files in that directory.

So nginx' workers need exec permission on logdir? Exec on dir will allow 
only chdir there, why worker have to chdir there?

The only problem is that after SIGUSR1 nginx worker *need* access to 
logs (shouldn't), where on restart/reload nginx can handle it without 
access to logs by workers, which as I said above, is [in my opinion] 
security hole.

-- Piotr

More information about the nginx mailing list