[arch-commits] Commit in nginx-mainline/trunk (PKGBUILD nginx.install)

Levente Polyak anthraxx at archlinux.org
Fri Feb 10 11:49:14 UTC 2017


    Date: Friday, February 10, 2017 @ 11:49:13
  Author: anthraxx
Revision: 288542

upgpkg: nginx-mainline 1.11.9-2 (logrotate regression)

To be correctly safe from CVE-2016-1247, we need all nginx log dirs
to be owned by both user and group root. Also, since the nginx children
run as the http user, the directory permissions must be 0755, so the
http user can descend into it. Since logrotate will create the
log files as http:log, the nginx children will be able to write to the
logs, but will not be able to create files inside those dirs, fully
preventing CVE-2016-1247.

Modified:
  nginx-mainline/trunk/PKGBUILD
  nginx-mainline/trunk/nginx.install

---------------+
 PKGBUILD      |    4 ++--
 nginx.install |    7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-02-10 11:39:41 UTC (rev 288541)
+++ PKGBUILD	2017-02-10 11:49:13 UTC (rev 288542)
@@ -5,7 +5,7 @@
 
 pkgname=nginx-mainline
 pkgver=1.11.9
-pkgrel=1
+pkgrel=2
 pkgdesc='Lightweight HTTP server and IMAP/POP3 proxy server, mainline release'
 arch=('i686' 'x86_64')
 url='https://nginx.org'
@@ -103,7 +103,7 @@
   install -d "$pkgdir"/var/lib/nginx
   install -dm700 "$pkgdir"/var/lib/nginx/proxy
 
-  chmod 750 "$pkgdir"/var/log/nginx
+  chmod 755 "$pkgdir"/var/log/nginx
   chown root:root "$pkgdir"/var/log/nginx
 
   install -d "$pkgdir"/usr/share/nginx
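Review bot: the `chmod 755 "$pkgdir"/var/log/nginx` line carries no comment explaining why the mode is 755 rather than the 750 it replaces, so the only record of the reasoning (root-owned directory the http workers must traverse, log files created by logrotate) is this commit message. A one-line comment above the chmod/chown pair, e.g. `# root:root 0755: http can traverse but not create files (CVE-2016-1247)`, would stop a later tightening back to 750 that reintroduces the logrotate regression named in the subject.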

Modified: nginx.install
===================================================================
--- nginx.install	2017-02-10 11:39:41 UTC (rev 288541)
+++ nginx.install	2017-02-10 11:49:13 UTC (rev 288542)
@@ -2,4 +2,11 @@
   if (( $(vercmp $2 1.11.8-2) < 0)); then
     chown root:root var/log/nginx
   fi
+
+  if (( $(vercmp $2 1.11.9-2) < 0 )); then
+    chmod 755 var/log/nginx
+    echo ':: Security notice:'
+    echo '     - When additional log directories are used in /var/log/nginx make sure they'
+    echo '       are owned by root:root and have 755 set as permission to mitigate CVE-2016-1247'
+  fi
 }
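Review bot: the new post_upgrade block only fixes the mode of var/log/nginx itself and then prints a generic notice asking the admin to check additional log directories; since the script is already looking at that path, it could do the check instead, e.g. `find var/log/nginx -mindepth 1 -type d ! -user root -o -perm /022` and print only the offending paths (nothing when there are none). Also, the new version test writes `< 0 ))` while the existing test two lines above writes `< 0))`; pick one spacing.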
