[Pkg-nginx-maintainers] Bug#980970: nginx: Owner for /var/log/nginx/*.log should be root and not www-data

Samuel Bizien Filippi samuel at bizien.info
Sun Jan 24 21:43:53 GMT 2021


Package: nginx
Version: 1.18.0-6
Severity: minor
Tags: patch
X-Debbugs-Cc: samuel at bizien.info

Dear maintainers,

By default, log files for nginx (access.log and error.log) are owned by www-data:adm with mode 640.

They should be owned by root, as nginx opens these files before dropping privileges. I tried to
confine nginx with systemd options in /etc/systemd/system/nginx.service.d/hardening.conf:

> [Service]
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID

When doing that, nginx fails to start:

> janv. 24 21:28:38 sid nginx[1157]: nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
> janv. 24 21:28:38 sid nginx[1157]: 2021/01/24 21:28:38 [emerg] 1157#1157: open() "/var/log/nginx/access.log" failed (13: Permission denied)
> janv. 24 21:28:38 sid nginx[1157]: nginx: configuration file /etc/nginx/nginx.conf test failed
> janv. 24 21:28:38 sid systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE

To make it work, I have to either chown /var/log/nginx/{error,access}.log to root, or add
CAP_DAC_OVERRIDE to CapabilityBoundingSet (which I'd rather avoid, that's the point of "confinement").

Root-owned nginx log files:
- work as expected (hits & errors show up)
- make your system more secure (logs are not readable by nginx workers anymore)

I tried to write a patch (attached), but it does not work as expected.

Best regards,

Samuel Bizien Filippi.


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-2-amd64 (SMP w/1 CPU thread)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nginx depends on:
ii  nginx-core  1.18.0-6+b1

nginx recommends no packages.

nginx suggests no packages.

-- no debconf information
-------------- next part --------------
Index: nginx-1.18.0/debian/nginx-common/DEBIAN/postinst
===================================================================
--- nginx-1.18.0.orig/debian/nginx-common/DEBIAN/postinst
+++ nginx-1.18.0/debian/nginx-common/DEBIAN/postinst
@@ -21,13 +21,13 @@ case "$1" in
       if [ ! -e "$access_log" ]; then
         touch "$access_log"
         chmod 640 "$access_log"
-        chown www-data:adm "$access_log"
+        chown root:adm "$access_log"
       fi
 
       if [ ! -e "$error_log" ]; then
         touch "$error_log"
         chmod 640 "$error_log"
-        chown www-data:adm "$error_log"
+        chown root:adm "$error_log"
       fi
     fi
 
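Review bot: The new `chown root:adm` lines only run inside the `[ ! -e "$access_log" ]` and `[ ! -e "$error_log" ]` guards, so they take effect only when postinst creates the files. On an upgraded system the logs already exist and keep `www-data:adm`, so the new ownership never reaches existing installations. Consider handling the upgrade path explicitly (for example, chown existing files when upgrading from an older version, while skipping files that have a dpkg-statoverride), and check whether anything outside postinst also creates these files, since the patch touches only postinst and README.Debian.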
Index: nginx-1.18.0/debian/nginx-common/usr/share/doc/nginx-common/README.Debian
===================================================================
--- nginx-1.18.0.orig/debian/nginx-common/usr/share/doc/nginx-common/README.Debian
+++ nginx-1.18.0/debian/nginx-common/usr/share/doc/nginx-common/README.Debian
@@ -7,7 +7,7 @@ Noteworthy Changes Wheezy => Jessie
 
 * /var/log/nginx permissions
 
-  /var/log/nginx/ is now not readable by default (www-data:adm 750),
+  /var/log/nginx/* is now not readable by default (root:adm 640),
   If you depend on that you can add a manual override with dpkg-statoverride.
 
 * New upgrade & rotate initscript commands
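Review bot: The replaced line belongs to the "Noteworthy Changes Wheezy => Jessie" section (see the hunk header), so editing it in place misdates the change and drops the existing statement about the `/var/log/nginx/` directory (`www-data:adm 750`). Leave that line as it was and add a separate entry under the section for the release that ships this change, stating that the log files are now `root:adm 640`. The wording "is now not readable by default" also no longer fits: the first hunk keeps `chmod 640` unchanged, so what changes is the owner, not the mode.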


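The "Permission denied" errors in the report follow from how permissions are checked once root no longer holds CAP_DAC_OVERRIDE: only the file's owner, group or other bits apply, and root is neither www-data nor necessarily in adm. The script below is an added illustration, not part of the original report or of the nginx packaging; `can_write` and `audit_log` are hypothetical helper names, and it assumes the nginx master runs as uid 0 with gid 0 and no supplementary groups, and that no POSIX ACLs are set.

```shell
#!/bin/sh
# Added example: Unix DAC write check for a process WITHOUT CAP_DAC_OVERRIDE.
# Assumptions: no POSIX ACLs; GNU stat (coreutils) is available.

# can_write PROC_UID "PROC_GIDS" FILE_UID FILE_GID MODE
#   PROC_GIDS: space-separated primary + supplementary gids of the process
#   MODE:      octal permission bits, e.g. 640
# Exactly one class applies (owner, else group, else other); returns 0 if
# that class has the write bit.
can_write() {
    p_uid=$1 p_gids=$2 f_uid=$3 f_gid=$4
    perms=$(( 0$5 & 0777 ))
    if [ "$p_uid" -eq "$f_uid" ]; then
        bits=$(( (perms >> 6) & 7 ))          # owner class
    else
        bits=$(( perms & 7 ))                 # other class, unless a gid matches
        for g in $p_gids; do
            if [ "$g" -eq "$f_gid" ]; then
                bits=$(( (perms >> 3) & 7 ))  # group class
                break
            fi
        done
    fi
    [ $(( bits & 2 )) -ne 0 ]
}

# audit_log FILE: can the nginx master (assumed uid 0, gid 0, no supplementary
# groups) open FILE for writing once CAP_DAC_OVERRIDE is gone?
audit_log() {
    meta=$(stat -c '%u %g %a %U:%G' -- "$1") || return 2
    set -- "$1" $meta
    if can_write 0 "0" "$2" "$3" "$4"; then
        echo "ok      $1 ($5, mode $4)"
    else
        echo "EACCES  $1 ($5, mode $4): chown to root or keep CAP_DAC_OVERRIDE"
        return 1
    fi
}

for f in /var/log/nginx/access.log /var/log/nginx/error.log; do
    if [ -e "$f" ]; then audit_log "$f" || :; fi
done
```

Running it before adding a restrictive CapabilityBoundingSet shows which log files would block nginx from starting.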