Re: Nginx does not re-open log files on SIGUSR1.

Piotr Karbowski
January 03, 2011 09:08AM
On 01/03/2011 02:16 PM, Gena Makhomed wrote:
> the master process running as root opens/writes files in /var/log/nginx
> - if the nginx user has write permissions to this directory,
> 700 nginx:nginx - such a setup is vulnerable to a symlink attack
> a better approach is to set permissions 750 root:nginx /var/log/nginx
>
> or 750 root:www-logs /var/log/nginx and add user nginx to group www-logs

Now that you mention it, if the nginx worker has read perms there (as you
suggested above), then if a user symlinks to any log, he will be able to
fetch it via nginx, which is a security hole.

> nginx workers also write to log files.

In what cases? And directly or somehow 'via master process'?

On 01/03/2011 01:54 PM, Piotr Sikora wrote:
> You need at least 711, otherwise workers won't be able to open
> files in that directory.

So nginx's workers need exec permission on the logdir? Exec on a dir will
allow only chdir there; why does a worker have to chdir there?

The only problem is that after SIGUSR1 nginx workers *need* access to
logs (they shouldn't), whereas on restart/reload nginx can handle it
without access to logs by workers, which, as I said above, is [in my
opinion] a security hole.

-- Piotr

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
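
The directory modes compared in this message (700 nginx:nginx, 750 root:nginx, 711) can be checked from the worker's point of view with a small audit helper. This is an added example, not part of the original post and not nginx code; the function names, finding labels and the uid/gid value 101 for the nginx user are assumptions, and it evaluates classic mode bits only (no ACLs, no root bypass).

```python
import os
import stat


def worker_perms(mode, owner_uid, owner_gid, worker_uid, worker_gids):
    """Return the subset of 'rwx' the worker gets on a directory.

    POSIX applies exactly one class: owner, else group, else other.
    """
    if worker_uid == owner_uid:
        shift = 6
    elif owner_gid in worker_gids:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return {c for c, b in (("r", 4), ("w", 2), ("x", 1)) if bits & b}


def audit_log_dir(mode, owner_uid, owner_gid, worker_uid, worker_gids):
    """Classify a log directory as seen by the unprivileged worker."""
    perms = worker_perms(mode, owner_uid, owner_gid, worker_uid, worker_gids)
    findings = []
    if "w" in perms:
        # Worker can create or swap entries (for example symlinks) in a
        # directory where the root-owned master later opens files.
        findings.append("symlink-risk")
    if "x" not in perms:
        # Without search permission, open() on any path inside the
        # directory fails, so workers cannot re-open logs on SIGUSR1.
        findings.append("worker-cannot-open-logs")
    if "r" in perms:
        # Worker can enumerate the file names in the directory.
        findings.append("worker-can-list")
    return findings


def audit_path(path, worker_uid, worker_gids):
    """Run the same audit against a real directory on disk."""
    st = os.stat(path)
    return audit_log_dir(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                         worker_uid, worker_gids)


NGINX = 101  # constructed uid/gid for the nginx user in this example
```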