Verified Commit ff27e416 authored by Giancarlo Razzolini's avatar Giancarlo Razzolini

roles/*: Fix nginx log dir permissions

To be fully safe against CVE-2016-1247, we need all nginx log dirs
to be owned by both user and group root. Also, since the nginx children
run as the http user, the directory permissions must be 0755 so the
http user can descend into them. Since logrotate will create the
log files as http:log, the nginx children will be able to write to the
logs but will not be able to create files inside those dirs, fully
preventing CVE-2016-1247.
parent 2c353e4e
......@@ -20,7 +20,7 @@
when: archweb_site
- name: make nginx log dir
file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=log mode=750
file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=root mode=0755
when: archweb_site
- name: make rsync iso dir
......
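Review bot: The `make nginx log dir` task on the new side is repeated verbatim, with only the `*_domain` variable differing, in the flyspray, mailman, patchwork, planet, public, security_tracker, sources and mirror hunks; a security-relevant permission fix that has to be applied in nine places is easy to miss in one, and the old side (750 in some roles, 0750 in others) shows that drift had already happened. Consider hoisting this into the nginx role as a single task that loops over the vhost log directories, or at least taking owner, group and mode from one shared default (a constructed example: `nginx_log_dir_mode: "0755"`), so the next hardening change is a single edit. The `key=value` string form also keeps the arguments opaque to YAML tooling; the native block form with `path:`, `state:`, `owner:`, `group:` and a quoted `mode: "0755"` as separate keys is the recommended Ansible style, and the quotes keep the leading-zero octal from being read as decimal 755. The enclosing task list starts and ends outside the hunk.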
......@@ -16,7 +16,7 @@
- reload nginx
- name: make nginx log dir
file: path=/var/log/nginx/{{ flyspray_domain }} state=directory owner=root group=log mode=750
file: path=/var/log/nginx/{{ flyspray_domain }} state=directory owner=root group=root mode=0755
- name: create setup dir with write permissions
file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=755
......
......@@ -8,7 +8,7 @@
- nginx
- name: make nginx log dir
file: path=/var/log/nginx/{{ mailman_domain }} state=directory owner=root group=log mode=750
file: path=/var/log/nginx/{{ mailman_domain }} state=directory owner=root group=root mode=0755
when: archweb_site
tags:
- nginx
......
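Review bot: The `when: archweb_site` guard directly below the changed task looks like a copy-paste leftover from the archweb role: if this is the mailman role, as `mailman_domain` suggests, the log directory is never created by this role on hosts where `archweb_site` is unset, so the root:root 0755 ownership this commit relies on is not enforced there. Either drop the `when:` or replace it with the mailman role's own condition. The surrounding task list continues outside the hunk.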
......@@ -29,7 +29,7 @@
file: state=directory path=/etc/nginx/auth owner=root group=root mode=0755
- name: create default nginx log directory
file: state=directory path=/var/log/nginx/default owner=root group=log mode=0750
file: state=directory path=/var/log/nginx/default owner=root group=root mode=0755
- name: create unique DH group
command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem
......
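Review bot: Only `/var/log/nginx/default` is reset to root:root 0755 here; the parent `/var/log/nginx`, under which the per-vhost directories in the other hunks are created, has no task in this hunk, and a log directory writable by the nginx worker user is exactly the precondition CVE-2016-1247 depends on. If the parent is created by the package, or implicitly by the `file: state=directory` tasks creating missing parents, its ownership and mode are not enforced by this role; add a sibling task such as `file: state=directory path=/var/log/nginx owner=root group=root mode=0755` before this one, or confirm it is set elsewhere. The enclosing task list continues outside the hunk.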
......@@ -11,7 +11,7 @@
- reload nginx
- name: make nginx log dir
file: path=/var/log/nginx/{{ patchwork_domain }} state=directory owner=root group=log mode=750
file: path=/var/log/nginx/{{ patchwork_domain }} state=directory owner=root group=root mode=0755
- name: deploy maintenance page
template: src=503.html.j2 dest="{{ patchwork_dir }}/503.html" owner=patchwork group=patchwork mode=644
......@@ -9,7 +9,7 @@
- reload nginx
- name: make nginx log dir
file: path=/var/log/nginx/{{ planet_domain }} state=directory owner=root group=log mode=0750
file: path=/var/log/nginx/{{ planet_domain }} state=directory owner=root group=root mode=0755
- name: clone planet git repo
git: dest={{ planet_dir }} repo=https://git.archlinux.org/vhosts/planet.archlinux.org.git
......
......@@ -22,7 +22,7 @@
- generate-public_html.service
- name: make nginx log dir
file: path=/var/log/nginx/{{ public_domain }} state=directory owner=root group=log mode=750
file: path=/var/log/nginx/{{ public_domain }} state=directory owner=root group=root mode=0755
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/public_html.conf owner=root group=root mode=0644
......
......@@ -43,7 +43,7 @@
- reload nginx
- name: make nginx log dir
file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=root group=log mode=750
file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=root group=root mode=0755
- name: copy security-tracker units
copy: src="{{ item }}" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
......
......@@ -6,7 +6,7 @@
- reload nginx
- name: make nginx log dir
file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=root group=log mode=0750
file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=root group=root mode=0755
- name: make sources dir
file: path={{ sources_dir }} state=directory owner=root group=root mode=0755
......
......@@ -42,7 +42,7 @@
create: true
- name: make nginx log dir
file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=root group=log mode=750
file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=root group=root mode=0755
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/syncrepo.conf owner=root group=root mode=0644
......