Nginx does not re-open log files on SIGUSR1.

Piotr Karbowski jabberuser at gmail.com
Mon Jan 3 17:43:04 MSK 2011


On 01/03/2011 03:25 PM, Piotr Sikora wrote:
> Hi,
>
>> Any reason to?
>
> Yes, user requires "+x" permission to the directory in order to be able
> to open any file(s) inside it. Google/Bing/whatever for "unix
> permissions", this is as simple as it gets.

This is what I mean by 'exec will allow only chdir there'. With X you
can access the dir content and, depending on the files' rights, you can
read them etc. Mental shortcut.

>> Nginx works for me flawlessly on each box with 700 root:root on
>> /var/log/nginx, the only problem I found is SIGUSR1. Whether you
>> agree with me or not, nginx shouldn't need perms on its logs dir,
>> because it will allow users to use a symlink to fetch logs.
>
> This is because:
> - on start and reload - master process opens log files before fork() and
> worker processes only inherit them,
> - on reopen - all processes need to open logs, so workers also need
> permission to open log files.

Well ok, I understand [now] why it is needed (perms that is). However,
the security issue still remains, which in my opinion should be addressed
as a bug and fixed; can you agree with me?

-- Piotr.
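
The behaviour described in the quoted reply (a log descriptor opened before fork() stays usable in the worker, while opening the log by path needs search permission on the directory), as an added example that is not part of the original message and is not nginx code. The uid/gid 65534 and the file name access.log are assumptions; when not run as root, the directory is chmod'ed to 0 to simulate the worker's lack of access.

```python
import os
import tempfile

UNPRIVILEGED_ID = 65534  # assumption: conventional "nobody" uid/gid for the worker


def worker(log_fd, log_path, report_fd):
    """Worker side: write via the inherited fd, then try to reopen by path."""
    try:
        if os.geteuid() == 0:
            # Drop privileges; the 0700 directory is then not searchable here.
            os.setgroups([])
            os.setgid(UNPRIVILEGED_ID)
            os.setuid(UNPRIVILEGED_ID)
        inherited_ok = os.write(log_fd, b"written via inherited fd\n") > 0
        try:
            os.close(os.open(log_path, os.O_WRONLY | os.O_APPEND))
            reopen_errno = 0
        except OSError as exc:
            reopen_errno = exc.errno
        os.write(report_fd, f"{int(inherited_ok)} {reopen_errno}".encode())
    finally:
        os._exit(0)  # never fall back into the parent's code path


def demo():
    """Return (inherited_write_ok, errno_from_reopen) as seen by the worker."""
    log_dir = tempfile.mkdtemp()  # created with mode 0700, like the log dir
    log_path = os.path.join(log_dir, "access.log")
    log_fd = os.open(log_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o640)
    if os.geteuid() != 0:
        # Not root: simulate the missing access by clearing the directory bits.
        os.chmod(log_dir, 0)
    read_end, write_end = os.pipe()
    pid = os.fork()  # "master" opened the log above; the worker inherits log_fd
    if pid == 0:
        worker(log_fd, log_path, write_end)
    os.close(write_end)
    ok, err = os.read(read_end, 64).split()
    os.waitpid(pid, 0)
    os.close(read_end)
    os.close(log_fd)
    os.chmod(log_dir, 0o700)  # restore so the temporary files can be removed
    os.unlink(log_path)
    os.rmdir(log_dir)
    return bool(int(ok)), int(err)


if __name__ == "__main__":
    print("inherited write ok, reopen errno:", demo())
```

The reopen fails with EACCES because permission is checked when a path is opened, not when an already open descriptor is written to.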


