Package: nginx
Version: 1.18.0-6
Severity: minor
Tags: patch
X-Debbugs-Cc: sam...@bizien.info

Dear maintainers,

By default, log files for nginx (access.log and error.log) are owned by www-data:adm with mode 640. They should be owned by root, as nginx opens these files before dropping privileges.

I tried to confine nginx with systemd options in /etc/systemd/system/nginx.service.d/hardening.conf:

> [Service]
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID

When doing that, nginx fails to start:

> janv. 24 21:28:38 sid nginx[1157]: nginx: [alert] could not open error log
> file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
> janv. 24 21:28:38 sid nginx[1157]: 2021/01/24 21:28:38 [emerg] 1157#1157:
> open() "/var/log/nginx/access.log" failed (13: Permission denied)
> janv. 24 21:28:38 sid nginx[1157]: nginx: configuration file
> /etc/nginx/nginx.conf test failed
> janv. 24 21:28:38 sid systemd[1]: nginx.service: Control process exited,
> code=exited, status=1/FAILURE

To make it work, I have to either chown /var/log/nginx/{error,access}.log to root, or add CAP_DAC_OVERRIDE to CapabilityBoundingSet (which I'd rather avoid, that's the point of "confinement").

Root-owned nginx log files:
- work as expected (hits & errors show up)
- make your system more secure (logs are not readable by nginx workers anymore)

I tried to write a patch (attached), but it does not work as expected.

Best regards,
Samuel Bizien Filippi.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-2-amd64 (SMP w/1 CPU thread)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nginx depends on:
ii  nginx-core  1.18.0-6+b1

nginx recommends no packages.

nginx suggests no packages.

-- no debconf information

Index: nginx-1.18.0/debian/nginx-common/DEBIAN/postinst =================================================================== --- nginx-1.18.0.orig/debian/nginx-common/DEBIAN/postinst +++ nginx-1.18.0/debian/nginx-common/DEBIAN/postinst @@ -21,13 +21,13 @@ case "$1" in if [ ! -e "$access_log" ]; then touch "$access_log" chmod 640 "$access_log" - chown www-data:adm "$access_log" + chown root:adm "$access_log" fi if [ ! -e "$error_log" ]; then touch "$error_log" chmod 640 "$error_log" - chown www-data:adm "$error_log" + chown root:adm "$error_log" fi fi Index: nginx-1.18.0/debian/nginx-common/usr/share/doc/nginx-common/README.Debian =================================================================== --- nginx-1.18.0.orig/debian/nginx-common/usr/share/doc/nginx-common/README.Debian +++ nginx-1.18.0/debian/nginx-common/usr/share/doc/nginx-common/README.Debian @@ -7,7 +7,7 @@ Noteworthy Changes Wheezy => Jessie * /var/log/nginx permissions - /var/log/nginx/ is now not readable by default (www-data:adm 750), + /var/log/nginx/* is now not readable by default (root:adm 640), If you depend on that you can add a manual override with dpkg-statoverride. * New upgrade & rotate initscript commands
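
Review bot: in the postinst hunk, both new `chown root:adm` lines stay inside the `if [ ! -e "$access_log" ]` and `if [ ! -e "$error_log" ]` guards, so they only run when the log file does not exist yet. On a system that already has the logs, the files keep www-data:adm after the upgrade and the confined service would still fail to open them. Consider handling existing files as well, while skipping any path the admin has registered with dpkg-statoverride, and check that whatever recreates the logs after rotation uses the same owner, otherwise the change is undone at the next rotation.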
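
Review bot: in the README.Debian hunk, the edited line sits under the "Wheezy => Jessie" notes and replaces the statement about the directory `/var/log/nginx/` (www-data:adm 750) with one about the files `/var/log/nginx/*` (root:adm 640). That rewrites a historical entry and drops the only description of the directory's own permissions, which the postinst hunk does not touch. Keep the existing line and add a new entry for this change instead. The new line also keeps the trailing comma before "If you depend", so the sentence still reads as broken.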
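
The permission failure described in the report, as an added example that is not part of the original report or of the Debian package: a shell model of the owner/group/other check the kernel applies to a process without CAP_DAC_OVERRIDE, where uid 0 gets no special treatment. The function names are hypothetical, and the uid/gid values (www-data = 33, adm = 4) are constructed sample values matching Debian's static IDs; ACLs and directory traversal are not modelled.

```shell
#!/bin/sh
# Added example, not from the bug report or the nginx package.
# Models plain Unix DAC for a process lacking CAP_DAC_OVERRIDE: exactly one
# permission class (owner, else group, else other) is consulted.

# dac_allows WANT PROC_UID "PROC_GIDS" FILE_UID FILE_GID MODE
#   WANT is r, w or x; MODE is octal (e.g. 640). Returns 0 when access is granted.
dac_allows() {
    want=$1 puid=$2 pgids=$3 fuid=$4 fgid=$5 mode=$6
    case $want in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
    perms=$(( 0$mode ))                      # leading 0 forces octal parsing
    if [ "$puid" -eq "$fuid" ]; then
        class=$(( (perms >> 6) & 7 ))        # owner bits, even if group/other are wider
    else
        class=$(( perms & 7 ))               # default to "other"
        for g in $pgids; do
            if [ "$g" -eq "$fgid" ]; then
                class=$(( (perms >> 3) & 7 ))
                break
            fi
        done
    fi
    [ $(( class & bit )) -ne 0 ]
}

# can_open_log PATH PROC_UID "PROC_GIDS"
#   Same check against a real file (GNU/busybox `stat -c`); 2 if stat fails.
can_open_log() {
    st=$(stat -c '%u %g %a' "$1") || return 2
    set -- "$2" "$3" $st
    dac_allows w "$1" "$2" "$3" "$4" "$5"
}

# Constructed sample: master process is root (uid 0, gid 0) with no
# CAP_DAC_OVERRIDE; the log is mode 640, group adm (4), owner www-data or root.
for owner in 33 0; do
    if dac_allows w 0 "0" "$owner" 4 640; then res=ok; else res=EACCES; fi
    echo "log owner uid $owner: root opens for write -> $res"
done
# Worker side: www-data (33:33) reading a root:adm 640 log.
if dac_allows r 33 "33" 0 4 640; then res=readable; else res="not readable"; fi
echo "root:adm 640 log is $res by nginx workers"
```

To audit a live system, call `can_open_log /var/log/nginx/error.log 0 "0"` for each log path the configuration names.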