Fix permissions of nginx log dirs, CVE-2016-1247

CVE-2016-1247 is a symlink attack on the log dir of nginx since a
reopening of the logs (triggered by logrotate) opens the logs as nginx
instead of root. logrotate creates the proper log files already so
nginx doesn't need write permissions to those directories.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

roles/archweb/tasks/main.yml

@@ -20,7 +20,7 @@
   when: archweb_site
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=http group=log mode=755
+  file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=log mode=750
   when: archweb_site
 
 - name: make rsync iso dir

roles/nginx/tasks/main.yml

@@ -29,7 +29,7 @@
   file: state=directory path=/etc/nginx/auth owner=root group=root mode=0755
 
 - name: create default nginx log directory
-  file: state=directory path=/var/log/nginx/default owner=http group=log mode=0750
+  file: state=directory path=/var/log/nginx/default owner=root group=log mode=0750
 
 - name: create unique DH group
   command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem

roles/planet/tasks/main.yml

@@ -9,7 +9,7 @@
     - reload nginx
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ planet_domain }} state=directory owner=http group=log mode=0755
+  file: path=/var/log/nginx/{{ planet_domain }} state=directory owner=root group=log mode=0750
 
 - name: clone planet git repo
   git: dest={{ planet_dir }} repo=https://git.archlinux.org/vhosts/planet.archlinux.org.git

roles/public_html/tasks/main.yml

@@ -22,7 +22,7 @@
     - generate-public_html.service
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ public_domain }} state=directory owner=http group=log mode=755
+  file: path=/var/log/nginx/{{ public_domain }} state=directory owner=root group=log mode=750
 
 - name: set up nginx
   template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/public_html.conf owner=root group=root mode=0644

roles/security_tracker/tasks/main.yml

@@ -43,7 +43,7 @@
     - reload nginx
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=http group=log mode=755
+  file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=root group=log mode=750
 
 - name: copy security-tracker units
   copy: src="{{ item }}" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644

roles/sources/tasks/main.yml

@@ -6,7 +6,7 @@
     - reload nginx
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=http group=log mode=0755
+  file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=root group=log mode=0750
 
 - name: make sources dir
   file: path={{ sources_dir }} state=directory owner=root group=root mode=0755

roles/syncrepo/tasks/main.yml

@@ -42,7 +42,7 @@
     create: true
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=http group=log mode=755
+  file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=root group=log mode=750
 
 - name: set up nginx
   template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/syncrepo.conf owner=root group=root mode=0644