Verified Commit 57d62ca8 authored by Florian Pritz's avatar Florian Pritz

Fix permissions of nginx log dirs, CVE-2016-1247



CVE-2016-1247 is a symlink attack on the nginx log dir: when the logs are
reopened (triggered by logrotate), they are opened as nginx instead of
root. logrotate already creates the proper log files, so nginx doesn't
need write permission on those directories.

Signed-off-by: Florian Pritz's avatarFlorian Pritz <bluewind@xinu.at>
parent 83fff464
......@@ -20,7 +20,7 @@
when: archweb_site
- name: make nginx log dir
file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=http group=log mode=755
file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=log mode=750
when: archweb_site
- name: make rsync iso dir
......
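Review bot: With `owner=root group=log mode=750` the http user can only traverse this log directory if it is a member of group `log`; that is harmless as long as the root master process opens the log files and passes the descriptors to the workers, but any code path that opens the files as http would now fail, so the change should be checked against the log-reopen behaviour and the logrotate config, neither of which is part of this diff. The same change appears in the default log directory, planet, public_html, security-tracker, sources and syncrepo sections. The mode strings are inconsistent across the sections (`mode=750` here and in the public_html, security-tracker and syncrepo sections, `mode=0750` in the others); the `file` module treats the value as an octal string either way, but writing `mode=0750` everywhere, or the block form `mode: "0750"`, removes the ambiguity and keeps the tasks uniform. Note that `state=directory` without `recurse` only changes the directory itself, so any log files already created inside it keep their current owner and mode.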
......@@ -29,7 +29,7 @@
file: state=directory path=/etc/nginx/auth owner=root group=root mode=0755
- name: create default nginx log directory
file: state=directory path=/var/log/nginx/default owner=http group=log mode=0750
file: state=directory path=/var/log/nginx/default owner=root group=log mode=0750
- name: create unique DH group
command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem
......
......@@ -9,7 +9,7 @@
- reload nginx
- name: make nginx log dir
file: path=/var/log/nginx/{{ planet_domain }} state=directory owner=http group=log mode=0755
file: path=/var/log/nginx/{{ planet_domain }} state=directory owner=root group=log mode=0750
- name: clone planet git repo
git: dest={{ planet_dir }} repo=https://git.archlinux.org/vhosts/planet.archlinux.org.git
......
......@@ -22,7 +22,7 @@
- generate-public_html.service
- name: make nginx log dir
file: path=/var/log/nginx/{{ public_domain }} state=directory owner=http group=log mode=755
file: path=/var/log/nginx/{{ public_domain }} state=directory owner=root group=log mode=750
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/public_html.conf owner=root group=root mode=0644
......
......@@ -43,7 +43,7 @@
- reload nginx
- name: make nginx log dir
file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=http group=log mode=755
file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=root group=log mode=750
- name: copy security-tracker units
copy: src="{{ item }}" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
......
......@@ -6,7 +6,7 @@
- reload nginx
- name: make nginx log dir
file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=http group=log mode=0755
file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=root group=log mode=0750
- name: make sources dir
file: path={{ sources_dir }} state=directory owner=root group=root mode=0755
......
......@@ -42,7 +42,7 @@
create: true
- name: make nginx log dir
file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=http group=log mode=755
file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=root group=log mode=750
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/syncrepo.conf owner=root group=root mode=0644
......