This repository has been archived by the owner on Apr 21, 2023. It is now read-only.

Don't call chown() unless necessary. #621

merged 1 commit into from Feb 18, 2014



@jart jart commented Feb 16, 2014

Right now it's impossible to AppArmor NGINX when this module is enabled because you've got a mandatory chown() call. Worse yet, the nginx process exits if the chown() call fails. This means that you have to add capability chown to your NGINX AppArmor config. But granting chown to the application would undermine the security of the AppArmor sandbox. Hence this patch.

Here's a screenshot of NGINX not starting due to this bug:

[Screenshot: "screen shot 2014-02-15 at 9 39 20 pm" (image not preserved in this copy)]

If you're not familiar with AppArmor, this config file /etc/apparmor.d/usr.local.nginx.sbin.nginx should hopefully help you understand it better.

#include <tunables/global>

/usr/local/nginx/sbin/nginx {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/user-tmp>

  capability dac_override,
  capability setgid,
  capability setuid,
  capability mknod,

  /etc/nginx/** r,
  owner /etc/ssl/** r,
  /home/nginx/** r,
  /home/ows/ows/occupywallst/occupywallst/media/** r,
  /home/recordings/** r,
  /home/soundboards/**.mp3 r,
  /home/soundboards/**.ogg r,
  /opt/celebcall/static/** r,
  /run/ rw,
  /usr/local/nginx/conf/** r,
  /usr/local/nginx/html/** r,
  /usr/local/nginx/logs/** rw,
  owner /usr/local/nginx/proxy_temp/** rw,
  /usr/local/nginx/sbin/nginx mr,
  /var/cache/nginx/** rw,
  /var/cache/pagespeed/** rwlk,
  /var/log/pagespeed/** rw,
  /var/log/nginx/* w,
  /var/run/ rw,
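The check the PR title and the reviewer's reply describe (skip chown() when the file already has the wanted owner, so a worker that created the file never issues a syscall that needs CAP_CHOWN), as an added C example; it is not ngx_pagespeed's own code, and ensure_owner, owner_result and demo_on_temp_file are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum owner_result {
    OWNER_FAILED = -1,     /* stat() or chown() failed; errno is set */
    OWNER_ALREADY_OK = 0,  /* wanted uid/gid already in place; chown() skipped */
    OWNER_CHANGED = 1      /* chown() was needed and succeeded */
};

/* Make PATH owned by UID:GID, calling chown() only when the current
 * ownership differs.  In the common case (the worker created the file
 * itself) no chown() is issued, so no "capability chown" rule is needed. */
enum owner_result ensure_owner(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return OWNER_FAILED;
    if (st.st_uid == uid && st.st_gid == gid)
        return OWNER_ALREADY_OK;
    if (chown(path, uid, gid) != 0)
        return OWNER_FAILED;
    return OWNER_CHANGED;
}

/* Create a throwaway file and run ensure_owner() on it twice; the second
 * call is always a no-op.  Returns 0 on success, -1 if setup failed. */
int demo_on_temp_file(enum owner_result out[2])
{
    char path[] = "/tmp/chown-demo-XXXXXX";   /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    out[0] = ensure_owner(path, getuid(), getgid());
    out[1] = ensure_owner(path, getuid(), getgid());
    unlink(path);
    return 0;
}

int main(void)
{
    enum owner_result r[2];
    if (demo_on_temp_file(r) != 0)
        return 1;
    printf("first call: %d, second call: %d (0 = chown skipped)\n", r[0], r[1]);
    return 0;
}
```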

Makes sense: don't call chown if we already own it.


Could you sign our CLA?


jart commented Feb 18, 2014

I'm a Googler. Is it necessary?


Verified that jart works for Google; merging.

jeffkaufman added a commit that referenced this pull request Feb 18, 2014
Security Fix: Don't call chown() unless necessary.
@jeffkaufman jeffkaufman merged commit bf6c6c0 into apache:master Feb 18, 2014
@jart jart deleted the dont-chown branch February 19, 2014 02:04