Verified Commit 57d62ca8 authored by Florian Pritz

Fix permissions of nginx log dirs, CVE-2016-1247



CVE-2016-1247 is a symlink attack on the nginx log directory: when the logs are
reopened (triggered by logrotate), they are opened as the nginx user instead of
root. logrotate already creates the proper log files, so nginx doesn't need
write permission to those directories.

Signed-off-by: Florian Pritz <bluewind@xinu.at>
parent 83fff464
...@@ -20,7 +20,7 @@ ...@@ -20,7 +20,7 @@
when: archweb_site when: archweb_site
- name: make nginx log dir - name: make nginx log dir
file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=http group=log mode=755 file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=log mode=750
when: archweb_site when: archweb_site
- name: make rsync iso dir - name: make rsync iso dir
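Review bot: The new side writes the mode as a bare `750` while the other hunks in this commit use `0750`; in `key=value` form Ansible receives the string "750" and parses it as octal, but if this task is ever converted to block-style args an unquoted `mode: 750` becomes decimal 750 (octal 1356) and silently sets the wrong bits. Use `mode=0750` here to match the sibling tasks. Note also that `file: state=directory` only changes the directory itself, so log files already present keep their current owner; that still blocks the symlink attack (http can no longer create entries in the directory), but the description's premise that logrotate creates the files relies on a logrotate `create` directive that is not part of this diff and should be checked.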
...@@ -29,7 +29,7 @@ ...@@ -29,7 +29,7 @@
file: state=directory path=/etc/nginx/auth owner=root group=root mode=0755 file: state=directory path=/etc/nginx/auth owner=root group=root mode=0755
- name: create default nginx log directory - name: create default nginx log directory
file: state=directory path=/var/log/nginx/default owner=http group=log mode=0750 file: state=directory path=/var/log/nginx/default owner=root group=log mode=0750
- name: create unique DH group - name: create unique DH group
command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem
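Review bot: This change assumes the parent `/var/log/nginx` is itself not writable by the `http` user, and nothing in the diff establishes that; if http can write to the parent it can rename `default` away and recreate it containing a symlink, defeating the per-subdirectory ownership change. Add a task that pins the parent, e.g. `file: state=directory path=/var/log/nginx owner=root group=log mode=0755` (or whatever mode the package ships, as long as group/other have no write bit), or document why the packaged default is already safe. The `0750` form used on this line is the one the other hunks should adopt.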
...@@ -9,7 +9,7 @@ ...@@ -9,7 +9,7 @@
- reload nginx - reload nginx
- name: make nginx log dir - name: make nginx log dir
file: path=/var/log/nginx/{{ planet_domain }} state=directory owner=http group=log mode=0755 file: path=/var/log/nginx/{{ planet_domain }} state=directory owner=root group=log mode=0750
- name: clone planet git repo - name: clone planet git repo
git: dest={{ planet_dir }} repo=https://git.archlinux.org/vhosts/planet.archlinux.org.git git: dest={{ planet_dir }} repo=https://git.archlinux.org/vhosts/planet.archlinux.org.git
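Review bot: The rationale for `owner=root` will be invisible once this commit scrolls out of history, and the task line reads as an arbitrary ownership choice; add a comment above it such as `# root-owned so the http user cannot plant symlinks in the log dir (CVE-2016-1247)`. Presumably the nginx master process runs as root and therefore can still open or create the log files in a root-owned 0750 directory — that should be confirmed, since a master running as `http` would fail to reopen logs after this change. Existing files inside the directory are left untouched by `file: state=directory`, which is acceptable here because the attack needs write permission on the directory, not on the files.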
...@@ -22,7 +22,7 @@ ...@@ -22,7 +22,7 @@
- generate-public_html.service - generate-public_html.service
- name: make nginx log dir - name: make nginx log dir
file: path=/var/log/nginx/{{ public_domain }} state=directory owner=http group=log mode=755 file: path=/var/log/nginx/{{ public_domain }} state=directory owner=root group=log mode=750
- name: set up nginx - name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/public_html.conf owner=root group=root mode=0644 template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/public_html.conf owner=root group=root mode=0644
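Review bot: `mode=750` lacks the leading zero that the planet, default and sources hunks use (`0750`); it works in `key=value` form because Ansible treats the string as octal, but it is the classic YAML/Ansible mode trap once the args move to block style, so write `mode=0750`. Dropping the other-read bit is also a behaviour change beyond the CVE fix: anything that read these logs as an unprivileged user (a stats job, for example) now needs membership in the `log` group, which is worth a sentence in the commit message or a comment on the task if such a consumer exists.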
...@@ -43,7 +43,7 @@ ...@@ -43,7 +43,7 @@
- reload nginx - reload nginx
- name: make nginx log dir - name: make nginx log dir
file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=http group=log mode=755 file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=root group=log mode=750
- name: copy security-tracker units - name: copy security-tracker units
copy: src="{{ item }}" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644 copy: src="{{ item }}" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
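Review bot: Tightening the directory does not remove anything already in it: on a host where `/var/log/nginx/{{ security_tracker_domain }}` was http-owned before this run, a symlink could already have been planted and would still be followed by the next log reopen. Pair the rollout with a check for existing links, e.g. a one-off `find /var/log/nginx -type l` (or an Ansible `find` task with `file_type=link` that fails the play when it returns anything). The mode should also be `0750` rather than `750` to match the other hunks in this commit.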
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
- reload nginx - reload nginx
- name: make nginx log dir - name: make nginx log dir
file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=http group=log mode=0755 file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=root group=log mode=0750
- name: make sources dir - name: make sources dir
file: path={{ sources_dir }} state=directory owner=root group=root mode=0755 file: path={{ sources_dir }} state=directory owner=root group=root mode=0755
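Review bot: This is the same "make nginx log dir" task repeated with a different domain variable across seven roles, and the fix had to be applied seven times with two spellings of the mode (`750` and `0750`); consider factoring it into a shared task file included with the domain as a variable, so the next hardening lands in one place. Until then, add a why-comment here, e.g. `# root-owned: nginx (http) must not be able to create symlinks in its log dir, CVE-2016-1247`, because the task text alone does not convey that the owner is a security decision.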
...@@ -42,7 +42,7 @@ ...@@ -42,7 +42,7 @@
create: true create: true
- name: make nginx log dir - name: make nginx log dir
file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=http group=log mode=755 file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=root group=log mode=750
- name: set up nginx - name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/syncrepo.conf owner=root group=root mode=0644 template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/syncrepo.conf owner=root group=root mode=0644
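Review bot: Write the mode as `mode=0750` instead of `750`; the `key=value` string form parses as octal today, but the bare form is inconsistent with the `0750` used elsewhere in this commit and breaks silently if the args are ever moved to block-style YAML, where `750` is decimal. The directory change needs no handler, but a short comment naming CVE-2016-1247 on the task would keep the reason for `owner=root` visible to whoever next touches the mirror role.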