Package: nginx-common
Version: 1.6.2-5+deb8u1
Severity: normal

Dear Maintainer,

After using aa-logprof to generate a profile for nginx, it seems that it requests the dac_override capability because logs are located in a folder which is not accessible by root, thereby causing an access denied in the logs and preventing the server from starting.

I searched bug reports and found the security issue #701112 (CVE-2013-0337) to be what caused the problem in the first place. It seems that the bug was about the log files being "world readable"; however, now that the log folder is owned by www-data, it means that the web server process now has full control over the log folder.

I noted that message #44 says that log parsers need www-data on the log folder to work; however, the apache2 package has no issue with its folder and log files being root:adm/0750.

To fix the issue, I used chown -R root:adm /var/log/nginx and replaced www-data:adm with root:adm in logrotate.d. I can now use an AA profile without dac_override being set.

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nginx-common depends on:
ii  init-system-helpers  1.22
ii  lsb-base             4.1+Debian13+nmu1

nginx-common recommends no packages.

Versions of packages nginx-common suggests:
pn  fcgiwrap   <none>
pn  nginx-doc  <none>
pn  ssl-cert   <none>

-- Configuration Files:
/etc/logrotate.d/nginx changed [not included]

-- no debconf information
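
The permission check behind the dac_override request in the report above, as an added example that is not part of the original bug report or of the nginx package. It evaluates classic mode bits only; the function names are hypothetical, and the mode 0750 for the www-data-owned directory and the numeric ids in the comments and test (uid 33 for www-data, gid 4 for adm) are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report). Classic mode-bit DAC only:
# POSIX ACLs and supplementary groups are ignored (assumption).

# dac_class UID GID OWNER_UID OWNER_GID -> owner | group | other
# Exactly one permission class applies; the first match wins.
dac_class() {
    if [ "$1" -eq "$3" ]; then echo owner
    elif [ "$2" -eq "$4" ]; then echo group
    else echo other
    fi
}

# dac_denies_write MODE OWNER_UID OWNER_GID [UID] [GID]
# Succeeds (exit 0) when the mode bits alone refuse creating files in the
# directory (needs w+x) for UID/GID, default 0/0. For root, "refused"
# means the access only works with CAP_DAC_OVERRIDE.
dac_denies_write() {
    mode=$1; uid=${4:-0}; gid=${5:-0}
    case $(dac_class "$uid" "$gid" "$2" "$3") in
        owner) shift_by=6 ;;
        group) shift_by=3 ;;
        *)     shift_by=0 ;;
    esac
    bits=$(( (0$mode >> $shift_by) & 7 ))   # leading 0: parse MODE as octal
    [ $(( bits & 3 )) -ne 3 ]
}

# audit_dir PATH: report on a real directory (GNU stat, as on Debian).
audit_dir() {
    set -- "$1" $(stat -c '%a %u %g' "$1")
    if dac_denies_write "$2" "$3" "$4"; then
        echo "$1: uid 0 needs CAP_DAC_OVERRIDE to write here (mode $2, owner $3:$4)"
    else
        echo "$1: writable by uid 0 through plain DAC (mode $2, owner $3:$4)"
    fi
}

# Usage: sh thisfile.sh /var/log/nginx /var/log/apache2
for d in "$@"; do audit_dir "$d"; done
```

With root:adm ownership, uid 0 falls in the owner class and the AppArmor profile no longer needs dac_override, while the www-data account falls in the other class and cannot write to the directory.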