From ff27e416e7e39a0deb78eff6596c84dd4325924e Mon Sep 17 00:00:00 2001
From: Giancarlo Razzolini <grazzolini@archlinux.org>
Date: Fri, 10 Feb 2017 09:15:42 -0200
Subject: [PATCH] roles/*: Fix nginx log dir permissions

To correctly be safe for CVE-2016-1247, we need all nginx log dirs
to be owned by both user and group root. Also, since the nginx children
run as the http user, the directory permissions must be 0755, so the
http user can descend into it. Since logrotate will create the
log files as http:log, the nginx children will be able to write to the
logs, but will not be able to create files inside those dirs, fully
preventing CVE-2016-1247.
---
 roles/archweb/tasks/main.yml          | 2 +-
 roles/flyspray/tasks/main.yml         | 2 +-
 roles/mailman/tasks/main.yml          | 2 +-
 roles/nginx/tasks/main.yml            | 2 +-
 roles/patchwork/tasks/main.yml        | 2 +-
 roles/planet/tasks/main.yml           | 2 +-
 roles/public_html/tasks/main.yml      | 2 +-
 roles/security_tracker/tasks/main.yml | 2 +-
 roles/sources/tasks/main.yml          | 2 +-
 roles/syncrepo/tasks/main.yml         | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/roles/archweb/tasks/main.yml b/roles/archweb/tasks/main.yml
index 54c68badf..c2d8d832b 100644
--- a/roles/archweb/tasks/main.yml
+++ b/roles/archweb/tasks/main.yml
@@ -20,7 +20,7 @@
   when: archweb_site
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=log mode=750
+  file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=root mode=0755
   when: archweb_site
 
 - name: make rsync iso dir
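Review bot: The new `owner=root group=root mode=0755` line encodes a security invariant (the directory is deliberately not writable by the nginx worker user, so it cannot create or replace files there) that nothing in the task records, so a later "fix" back to `group=log mode=750` would look harmless; add `# root:root 0755 (CVE-2016-1247): the nginx worker user must not be able to create files in this dir` above the task. The same applies to the identical tasks in the flyspray, mailman, patchwork, planet, public_html, security_tracker, sources and syncrepo hunks and to the `default` log directory in the nginx role hunk. As a point of style, the task still uses the `key=value` string form with the mode as a bare number; native block YAML with the mode quoted reads more clearly and keeps `0755` a string regardless of how the file is later reformatted. The rewrite below is for this task; the other nine are the same shape.
```yaml
# root:root 0755 (CVE-2016-1247): the nginx worker user must not be
# able to create files in this dir; logrotate creates the log files.
- name: make nginx log dir
  file:
    path: "/var/log/nginx/{{ archweb_domain }}"
    state: directory
    owner: root
    group: root
    mode: "0755"
  when: archweb_site
```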
diff --git a/roles/flyspray/tasks/main.yml b/roles/flyspray/tasks/main.yml
index 1f3625827..bc14a90bf 100644
--- a/roles/flyspray/tasks/main.yml
+++ b/roles/flyspray/tasks/main.yml
@@ -16,7 +16,7 @@
     - reload nginx
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ flyspray_domain }} state=directory owner=root group=log mode=750
+  file: path=/var/log/nginx/{{ flyspray_domain }} state=directory owner=root group=root mode=0755
 
 - name: create setup dir with write permissions
   file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=755
diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml
index 42bebeae5..82f202772 100644
--- a/roles/mailman/tasks/main.yml
+++ b/roles/mailman/tasks/main.yml
@@ -8,7 +8,7 @@
     - nginx
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ mailman_domain }} state=directory owner=root group=log mode=750
+  file: path=/var/log/nginx/{{ mailman_domain }} state=directory owner=root group=root mode=0755
   when: archweb_site
   tags:
     - nginx
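Review bot: The mailman log-dir task is still guarded by `when: archweb_site` (the context line right after the changed `file:` line), so the hardened `root:root 0755` directory is only applied on hosts where the archweb variable happens to be set; on a mailman host without it the directory is never managed at all. This looks like a copy-paste from the archweb role rather than an intended dependency, but I cannot see mailman's variables from this hunk. If the mailman vhost is unconditional, drop the `when:` line; otherwise gate it on a mailman-specific variable.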
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 3eba39996..57c6cb1b5 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -29,7 +29,7 @@
   file: state=directory path=/etc/nginx/auth owner=root group=root mode=0755
 
 - name: create default nginx log directory
-  file: state=directory path=/var/log/nginx/default owner=root group=log mode=0750
+  file: state=directory path=/var/log/nginx/default owner=root group=root mode=0755
 
 - name: create unique DH group
   command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem
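Review bot: The directory change only closes the issue if the log files inside `/var/log/nginx/default` are created with the ownership the commit message assumes (`http:log` via logrotate); that logrotate configuration is not part of this diff, so the mitigation rests on a file I cannot verify from here. If the logrotate drop-in is managed by this role, a comment on this task pointing at it (`# log files are created by logrotate as http:log, see the logrotate config in this role`) would tie the two halves together; if the files are first created by nginx itself before logrotate ever runs, their resulting ownership should be checked on a fresh host. The surrounding task list continues outside the hunk.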
diff --git a/roles/patchwork/tasks/main.yml b/roles/patchwork/tasks/main.yml
index df242f9f0..bd30d908c 100644
--- a/roles/patchwork/tasks/main.yml
+++ b/roles/patchwork/tasks/main.yml
@@ -11,7 +11,7 @@
     - reload nginx
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ patchwork_domain }} state=directory owner=root group=log mode=750
+  file: path=/var/log/nginx/{{ patchwork_domain }} state=directory owner=root group=root mode=0755
 
 - name: deploy maintenance page
   template: src=503.html.j2 dest="{{ patchwork_dir }}/503.html" owner=patchwork group=patchwork mode=644
diff --git a/roles/planet/tasks/main.yml b/roles/planet/tasks/main.yml
index d4501341e..645d8f838 100644
--- a/roles/planet/tasks/main.yml
+++ b/roles/planet/tasks/main.yml
@@ -9,7 +9,7 @@
     - reload nginx
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ planet_domain }} state=directory owner=root group=log mode=0750
+  file: path=/var/log/nginx/{{ planet_domain }} state=directory owner=root group=root mode=0755
 
 - name: clone planet git repo
   git: dest={{ planet_dir }} repo=https://git.archlinux.org/vhosts/planet.archlinux.org.git
diff --git a/roles/public_html/tasks/main.yml b/roles/public_html/tasks/main.yml
index 4ae4c2d2f..1fd59b034 100644
--- a/roles/public_html/tasks/main.yml
+++ b/roles/public_html/tasks/main.yml
@@ -22,7 +22,7 @@
     - generate-public_html.service
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ public_domain }} state=directory owner=root group=log mode=750
+  file: path=/var/log/nginx/{{ public_domain }} state=directory owner=root group=root mode=0755
 
 - name: set up nginx
   template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/public_html.conf owner=root group=root mode=0644
diff --git a/roles/security_tracker/tasks/main.yml b/roles/security_tracker/tasks/main.yml
index 3491dffb7..9dfa24309 100644
--- a/roles/security_tracker/tasks/main.yml
+++ b/roles/security_tracker/tasks/main.yml
@@ -43,7 +43,7 @@
     - reload nginx
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=root group=log mode=750
+  file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=root group=root mode=0755
 
 - name: copy security-tracker units
   copy: src="{{ item }}" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
diff --git a/roles/sources/tasks/main.yml b/roles/sources/tasks/main.yml
index b41436c64..5a5163067 100644
--- a/roles/sources/tasks/main.yml
+++ b/roles/sources/tasks/main.yml
@@ -6,7 +6,7 @@
     - reload nginx
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=root group=log mode=0750
+  file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=root group=root mode=0755
 
 - name: make sources dir
   file: path={{ sources_dir }} state=directory owner=root group=root mode=0755
diff --git a/roles/syncrepo/tasks/main.yml b/roles/syncrepo/tasks/main.yml
index 445c160d8..2c900ed49 100644
--- a/roles/syncrepo/tasks/main.yml
+++ b/roles/syncrepo/tasks/main.yml
@@ -42,7 +42,7 @@
     create: true
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=root group=log mode=750
+  file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=root group=root mode=0755
 
 - name: set up nginx
   template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/syncrepo.conf owner=root group=root mode=0644
-- 
GitLab