roles/*: Fix nginx log dir permissions

To correctly be safe for CVE-2016-1247, we need all nginx log dirs to be owned by both user and group root. Also, since nginx childs runs as http user, the directories permissions must be 0755, so the http user can descent into it. Since the logrotate will create the log files as http:log, the nginx childs will be able to write to the logs, but will not be able to create files inside those dirs, fully preventing CVE-2016-1247.

roles/*: Fix nginx log dir permissions
ff27e416 · Giancarlo Razzolini · 2c353e4e · ff27e416 · ff27e416 · ff27e416
Verified Commit ff27e416 authored 8 years ago by Giancarlo Razzolini
--- a/roles/archweb/tasks/main.yml
+++ b/roles/archweb/tasks/main.yml
@@ -20,7 +20,7 @@
  when: archweb_site

 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=log mode=750
+  file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=root mode=0755
  when: archweb_site

 - name: make rsync iso dir

--- a/roles/flyspray/tasks/main.yml
+++ b/roles/flyspray/tasks/main.yml
@@ -16,7 +16,7 @@
    - reload nginx

 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ flyspray_domain }} state=directory owner=root group=log mode=750
+  file: path=/var/log/nginx/{{ flyspray_domain }} state=directory owner=root group=root mode=0755

 - name: create setup dir with write permissions
  file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=755

--- a/roles/mailman/tasks/main.yml
+++ b/roles/mailman/tasks/main.yml
@@ -8,7 +8,7 @@
    - nginx

 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ mailman_domain }} state=directory owner=root group=log mode=750
+  file: path=/var/log/nginx/{{ mailman_domain }} state=directory owner=root group=root mode=0755
  when: archweb_site
  tags:
    - nginx

--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -29,7 +29,7 @@
  file: state=directory path=/etc/nginx/auth owner=root group=root mode=0755

 - name: create default nginx log directory
-  file: state=directory path=/var/log/nginx/default owner=root group=log mode=0750
+  file: state=directory path=/var/log/nginx/default owner=root group=root mode=0755

 - name: create unique DH group
  command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem

--- a/roles/patchwork/tasks/main.yml
+++ b/roles/patchwork/tasks/main.yml
@@ -11,7 +11,7 @@
    - reload nginx

 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ patchwork_domain }} state=directory owner=root group=log mode=750
+  file: path=/var/log/nginx/{{ patchwork_domain }} state=directory owner=root group=root mode=0755

 - name: deploy maintenance page
  template: src=503.html.j2 dest="{{ patchwork_dir }}/503.html" owner=patchwork group=patchwork mode=644
--- a/roles/planet/tasks/main.yml
+++ b/roles/planet/tasks/main.yml
@@ -9,7 +9,7 @@
    - reload nginx

 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ planet_domain }} state=directory owner=root group=log mode=0750
+  file: path=/var/log/nginx/{{ planet_domain }} state=directory owner=root group=root mode=0755

 - name: clone planet git repo
  git: dest={{ planet_dir }} repo=https://git.archlinux.org/vhosts/planet.archlinux.org.git

--- a/roles/public_html/tasks/main.yml
+++ b/roles/public_html/tasks/main.yml
@@ -22,7 +22,7 @@
    - generate-public_html.service

 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ public_domain }} state=directory owner=root group=log mode=750
+  file: path=/var/log/nginx/{{ public_domain }} state=directory owner=root group=root mode=0755

 - name: set up nginx
  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/public_html.conf owner=root group=root mode=0644

--- a/roles/security_tracker/tasks/main.yml
+++ b/roles/security_tracker/tasks/main.yml
@@ -43,7 +43,7 @@
    - reload nginx

 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=root group=log mode=750
+  file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=root group=root mode=0755

 - name: copy security-tracker units
  copy: src="{{ item }}" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644

--- a/roles/sources/tasks/main.yml
+++ b/roles/sources/tasks/main.yml
@@ -6,7 +6,7 @@
    - reload nginx

 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=root group=log mode=0750
+  file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=root group=root mode=0755

 - name: make sources dir
  file: path={{ sources_dir }} state=directory owner=root group=root mode=0755

--- a/roles/syncrepo/tasks/main.yml
+++ b/roles/syncrepo/tasks/main.yml
@@ -42,7 +42,7 @@
    create: true

 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=root group=log mode=750
+  file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=root group=root mode=0755

 - name: set up nginx
  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/syncrepo.conf owner=root group=root mode=0644