Skip to content
  • Giancarlo Razzolini's avatar
    roles/*: Fix nginx log dir permissions · ff27e416
    Giancarlo Razzolini authored
    To correctly be safe for CVE-2016-1247, we need all nginx log dirs
    to be owned by both user and group root. Also, since nginx childs
    runs as http user, the directories permissions must be 0755, so the
    http user can descent into it. Since the logrotate will create the
    log files as http:log, the nginx childs will be able to write to the
    logs, but will not be able to create files inside those dirs, fully
    preventing CVE-2016-1247.