Re: /var/log/nginx

Gena Makhomed
January 06, 2011 05:40AM
On 19.12.2010 23:02, Maxim Dounin wrote:

>>>>>>> And why paranoids set the minimum permissions a program can work
>>>>>>> with at all, on everything they can reach, is a mystery to me.
>>>>>>> Apparently because they are paranoids.

And also, what about the fact that by default nginx creates log files
that are readable by the nginx worker processes? If the server does
mass virtual hosting and users have access to their directories
over ssh, they can create a symlink to /var/log/nginx/error.log
and in that way obtain over http the contents of the system file
error.log, and in general the access.log of any of the sites hosted
on the server. Maybe it would be better to make the nginx log files
accessible to the nginx worker processes for writing only?
After all, that will not get in anyone's way or cause any inconvenience... ?

All the more so because nginx itself always opens these log files
only for append, and never opens them for reading.

Patches are attached.

P.S. "Only the Paranoid Survive", Andrew Grove

--
Best regards,
Gena
--- src/core/ngx_cycle.c.orig 2011-01-03 18:41:26.000000000 +0200
+++ src/core/ngx_cycle.c 2011-01-03 18:46:47.000000000 +0200
@@ -1201,9 +1201,9 @@
}
}

- if ((fi.st_mode & (S_IRUSR|S_IWUSR)) != (S_IRUSR|S_IWUSR)) {
+ if ((fi.st_mode & S_IRWXU) != S_IWUSR) {

- fi.st_mode |= (S_IRUSR|S_IWUSR);
+ fi.st_mode = (fi.st_mode & ~S_IRWXU) | S_IWUSR;

if (chmod((const char *) file[i].name.data, fi.st_mode) == -1) {
ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
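Review bot: At `fi.st_mode = (fi.st_mode & ~S_IRWXU) | S_IWUSR;` only the owner bits are normalised, so group and other read bits survive: a log that was 0644 ends up 0244, unreadable to its owner but still readable to everyone else. If the goal is that log contents are not exposed, either clear those bits here as well or say in a comment that group/other access is deliberately left to the administrator. The new condition `(fi.st_mode & S_IRWXU) != S_IWUSR` also fires for a file that was set to 0600 on purpose and removes owner read from it, which is a behaviour change worth a changelog entry.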
--- src/core/ngx_cycle.c.orig 2011-01-03 19:24:20.000000000 +0200
+++ src/core/ngx_cycle.c 2011-01-03 19:27:50.000000000 +0200
@@ -1187,11 +1187,13 @@
}
}

- if (fi.st_uid != user) {
- if (chown((const char *) file[i].name.data, user, -1) == -1) {
+ if ((fi.st_mode & S_IRWXU) != S_IWUSR) {
+
+ fi.st_mode = (fi.st_mode & ~S_IRWXU) | S_IWUSR;
+
+ if (chmod((const char *) file[i].name.data, fi.st_mode) == -1) {
ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
- "chown(\"%s\", %d) failed",
- file[i].name.data, user);
+ "chmod() \"%s\" failed", file[i].name.data);

if (ngx_close_file(fd) == NGX_FILE_ERROR) {
ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
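Review bot: Moving the chmod block ahead of the chown block is not explained anywhere in this hunk; please add a comment saying why the order matters (presumably so the file is never owned by `user` while the owner read bit is still set), otherwise a later cleanup can swap the blocks back. The message style also diverges: `"chmod() \"%s\" failed"` here versus the existing `"chown(\"%s\", %d) failed"`; pick one form for both.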
@@ -1201,13 +1203,11 @@
}
}

- if ((fi.st_mode & S_IRWXU) != S_IWUSR) {
-
- fi.st_mode = (fi.st_mode & ~S_IRWXU) | S_IWUSR;
-
- if (chmod((const char *) file[i].name.data, fi.st_mode) == -1) {
+ if (fi.st_uid != user) {
+ if (chown((const char *) file[i].name.data, user, -1) == -1) {
ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
- "chmod() \"%s\" failed", file[i].name.data);
+ "chown(\"%s\", %d) failed",
+ file[i].name.data, user);

if (ngx_close_file(fd) == NGX_FILE_ERROR) {
ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
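Review bot: The removed lines in this hunk (`if ((fi.st_mode & S_IRWXU) != S_IWUSR) {` and the chmod that follows) exist only after the first patch has been applied, yet both diffs carry the same `src/core/ngx_cycle.c.orig` header, so this one does not apply to a pristine tree. Send the two as a numbered series or fold them into a single patch against the original file.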
_______________________________________________
nginx-ru mailing list
nginx-ru@nginx.org
http://nginx.org/mailman/listinfo/nginx-ru
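An added example, not part of the original post or of the nginx source: it applies the same bit operation as the attached patch to a constructed temporary file standing in for error.log, and checks by mode bits whether the file's owner (standing in for the worker user) can still read it. The function names `owner_write_only`, `dac_can_read` and `demo` are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same bit operation as the attached patch: clear owner rwx, set owner
 * write, leave group/other bits untouched. */
static mode_t owner_write_only(mode_t mode)
{
    return (mode & ~S_IRWXU) | S_IWUSR;
}

/* Classic UNIX mode-bit read check for a non-root process. Exactly one class
 * applies: owner, else group, else other. Assumption: supplementary groups,
 * ACLs and root's permission override are out of scope. */
static int dac_can_read(const struct stat *st, uid_t uid, gid_t gid)
{
    if (st->st_uid == uid) return (st->st_mode & S_IRUSR) != 0;
    if (st->st_gid == gid) return (st->st_mode & S_IRGRP) != 0;
    return (st->st_mode & S_IROTH) != 0;
}

/* Constructed demo: a temp file stands in for error.log, its owner for the
 * worker user. Returns 0 if readable at 0644 and not readable afterwards. */
static int demo(void)
{
    char path[] = "/tmp/ngx-log-demo-XXXXXX";
    struct stat a, b;
    int fd = mkstemp(path), ok = -1;
    if (fd == -1) return -1;
    close(fd);
    if (chmod(path, 0644) == 0 && stat(path, &a) == 0
        && chmod(path, owner_write_only(a.st_mode & 07777)) == 0
        && stat(path, &b) == 0)
        ok = (dac_can_read(&a, a.st_uid, a.st_gid)
              && !dac_can_read(&b, b.st_uid, b.st_gid)) ? 0 : 1;
    unlink(path);
    return ok;
}

int main(void)
{
    printf("0644 -> %04o, demo: %s\n", (unsigned) owner_write_only(0644),
           demo() == 0 ? "owner read removed" : "unexpected");
    return 0;
}
```

A 0644 log becomes 0244: the owner loses read access because only the owner class is evaluated for it, while the group and other read bits stay as they were.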