Nginx does not re-open log files on SIGUSR1.
Piotr Karbowski
jabberuser at gmail.com
Mon Jan 3 17:05:30 MSK 2011
On 01/03/2011 02:16 PM, Gena Makhomed wrote:
> master process running as root open/write files in /var/log/nginx
> - if nginx user have write permissions to this directory,
> 700 nginx:nginx - such setup is vulnerable by symlink attack
> better approach set permissions 750 root:nginx /var/log/nginx
>
> or 750 root:www-logs /var/log/nginx and add user nginx to group www-logs
Now when you mention it, if nginx worker have read perms there (as you
suggested above), then if user symlink to any log, he will be able fetch
it via nginx which is security hole.
> nginx workers also write to log files.
In what cases? And direct or somehow 'via master proicess'?
On 01/03/2011 01:54 PM, Piotr Sikora wrote:
> You need at least 711, otherwise workers won't be able to open
> files in that directory.
So nginx' workers need exec permission on logdir? Exec on dir will allow
only chdir there, why worker have to chdir there?
The only problem is that after SIGUSR1 nginx worker *need* access to
logs (shouldn't), where on restart/reload nginx can handle it without
access to logs by workers, which as I said above, is [in my opinion]
security hole.
-- Piotr
More information about the nginx
mailing list