Date: Friday, February 10, 2017 @ 11:49:13
  Author: anthraxx
Revision: 288542

upgpkg: nginx-mainline 1.11.9-2 (logrotate regression)

To correctly be safe for CVE-2016-1247, we need all nginx log dirs
to be owned by both user and group root. Also, since the nginx children
run as the http user, the directories' permissions must be 0755, so the
http user can descend into them. Since logrotate will create the
log files as http:log, the nginx children will be able to write to the
logs, but will not be able to create files inside those dirs, fully
preventing CVE-2016-1247.

Modified:
  nginx-mainline/trunk/PKGBUILD
  nginx-mainline/trunk/nginx.install

---------------+
 PKGBUILD      |    4 ++--
 nginx.install |    7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2017-02-10 11:39:41 UTC (rev 288541)
+++ PKGBUILD    2017-02-10 11:49:13 UTC (rev 288542)
@@ -5,7 +5,7 @@
 
 pkgname=nginx-mainline
 pkgver=1.11.9
-pkgrel=1
+pkgrel=2
 pkgdesc='Lightweight HTTP server and IMAP/POP3 proxy server, mainline release'
 arch=('i686' 'x86_64')
 url='https://nginx.org'
@@ -103,7 +103,7 @@
   install -d "$pkgdir"/var/lib/nginx
   install -dm700 "$pkgdir"/var/lib/nginx/proxy
 
-  chmod 750 "$pkgdir"/var/log/nginx
+  chmod 755 "$pkgdir"/var/log/nginx
   chown root:root "$pkgdir"/var/log/nginx
 
   install -d "$pkgdir"/usr/share/nginx
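Review bot: The new line `+  chmod 755 "$pkgdir"/var/log/nginx` widens the directory from 750 to 755 with nothing in the code saying why that is still safe; the reasoning lives only in the commit message, and the safety depends on the chown on the next line staying paired with it. A one-line comment above the two lines would keep the invariant visible to whoever next wants to tighten it back, e.g. `# root:root + 0755 together: http workers can enter the dir and write to logrotate-created files, but cannot create or replace entries in it (CVE-2016-1247)`. The enclosing function starts and ends outside the hunk.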

Modified: nginx.install
===================================================================
--- nginx.install       2017-02-10 11:39:41 UTC (rev 288541)
+++ nginx.install       2017-02-10 11:49:13 UTC (rev 288542)
@@ -2,4 +2,11 @@
   if (( $(vercmp $2 1.11.8-2) < 0)); then
     chown root:root var/log/nginx
   fi
+
+  if (( $(vercmp $2 1.11.9-2) < 0 )); then
+    chmod 755 var/log/nginx
+    echo ':: Security notice:'
+    echo '     - When additional log directories are used in /var/log/nginx 
make sure they'
+    echo '       are owned by root:root and have 755 set as permission to 
mitigate CVE-2016-1247'
+  fi
 }
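Review bot: The new block starting at `+  if (( $(vercmp $2 1.11.9-2) < 0 )); then` only fixes the top-level var/log/nginx and then prints a generic notice, while the sub-directories the notice warns about are exactly what the script could inspect on the spot: a find over existing sub-directories that are not root:root or are group/world-writable would name the offending paths instead of relying on the admin to remember the advice. `$2` is unquoted in the vercmp call, matching the existing line above it, but `"$2"` would be the safer form in both places. The echo arguments appear to be split across two physical lines (59–60 and 61–62), most likely mail wrapping; if the newline is really inside the single-quoted string the notice prints with an embedded line break, so this is worth confirming against the committed file. The function's opening line is outside the hunk.
```shell
  if (( $(vercmp "$2" 1.11.9-2) < 0 )); then
    chmod 755 var/log/nginx
    # A pre-existing sub-directory that is not root:root, or is group/world-writable,
    # still lets the http user create entries in it (CVE-2016-1247); name it explicitly.
    find var/log/nginx -mindepth 1 -type d \
      \( ! -user root -o ! -group root -o -perm /022 \) -print 2>/dev/null |
      while IFS= read -r dir; do
        echo ":: Security notice: /$dir should be owned by root:root with mode 755 to mitigate CVE-2016-1247"
      done
  fi
```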
