New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
if folder is not owned by www-data, nginx cannot write to it, as its … #1280
Conversation
…childs is the ones who log.
Hi @KlavsKlavsen, thanks for the PR. Can you add an acceptance test that verifies that this is now working (and was a bug before)? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Then we need to look at a better fix because this was a CVE. d47ab8b introduced this to mitigate DSA-3701 / CVE-2016-1247 and should match the default setup on Debian.
Then I would have to start up nginx, setup a vhost - and curl to that.. and then check its error log to see if it logs it cannot log to accesslog ? I haven't looked at the current tests.. I hope there is already examples of doing that ? |
@KlavsKlavsen I think you just need to change the value of the following line: puppet-nginx/spec/classes/nginx_spec.rb Line 363 in 705c19b
|
@KlavsKlavsen could you describe where you see this fail on your systems? This should match the OS defaults |
Its on Ubuntu 16.04. I tried installing nginx on a vanilla Ubuntu and can verify the perms nginx module has IS the OS defaults.. Which IS a bug.. If you read the nginx docs its pretty clear:
And puppet nginx module uses same "user" as default - ie. worker runs as www-data. |
I still think that this at least needs an acceptance test to verify it was broken before and is fixed now. |
On my Debian 9 box this is not a problem. Nginx still has one master process as root and that allows it to log. Because this was a CVE I'm very hesitant to change this. Are you using OS packages or nginx provided packages? |
Using OS (Ubuntu) packages for nginx. |
@ekohl If you read the docs I linked to -it clearly states that the logfiles MUST be writeable by the user the worker process nginx uses.. It does NOT help that there is a root process listening on port 80. |
Thank you @dhoppe - that has now been changed to reflect the change to www-data. |
@bastelfreak, @ekohl Do you have any objections or can we merge this pull request? |
I wasn't able to verify this issue on my Ubuntu 16.04 box. |
Given this was introduced to close a CVE where Ubuntu was explicitly mentioned, I'm still strongly against merging this. We're following the OS defaults and I'd take it up with the OS maintainers if there's a problem with this. https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html describes how this can lead to a root privilege escalation which I take very seriously. |
I agree with @ekohl here. |
Hi, |
…childs is the ones who log.
Pull Request (PR) description
This Pull Request (PR) fixes the following issues