Don't call chown() unless necessary.

[jart]

Right now it's impossible to AppArmor NGINX when this module is enabled because you've got a mandatory chown() call. Worse yet, the nginx process exits if the chown() call fails. This means that you have to add capability chown to your NGINX AppArmor config. But granting chown to the application would undermine the security of the AppArmor sandbox. Hence this patch.

Here's a screenshot of NGINX not starting due to this bug:

If you're not familiar with AppArmor, this config file /etc/apparmor.d/usr.local.nginx.sbin.nginx should hopefully help you understand it better.

#include <tunables/global>

/usr/local/nginx/sbin/nginx {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/user-tmp>

  capability dac_override,
  capability setgid,
  capability setuid,
  capability mknod,

  /etc/nginx/** r,
  owner /etc/ssl/** r,
  /home/nginx/** r,
  /home/ows/ows/occupywallst/occupywallst/media/** r,
  /home/recordings/** r,
  /home/soundboards/**.mp3 r,
  /home/soundboards/**.ogg r,
  /opt/celebcall/static/** r,
  /run/nginx.pid rw,
  /usr/local/nginx/conf/** r,
  /usr/local/nginx/html/** r,
  /usr/local/nginx/logs/** rw,
  owner /usr/local/nginx/proxy_temp/** rw,
  /usr/local/nginx/sbin/nginx mr,
  /var/cache/nginx/** rw,
  /var/cache/pagespeed/** rwlk,
  /var/log/pagespeed/** rw,
  /var/log/nginx/* w,
  /var/run/nginx.pid rw,
}

[jeffkaufman]

Makes sense: don't call chown if we already own it.

LGTM.

Could you sign our CLA? https://developers.google.com/open-source/cla/individual

[jart]

I'm a Googler. Is it necessary?

[jeffkaufman]

Verified that jart works for Google; merging.