Your message dated Sat, 16 Jul 2016 18:47:33 -0700
with message-id <[email protected]>
and subject line 
has caused the Debian Bug report #819751,
regarding nginx-common: wrong owner for /var/log/nginx and files, causes 
dac_override in AA
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
819751: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819751
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nginx-common
Version: 1.6.2-5+deb8u1
Severity: normal

Dear Maintainer,

After using aa-logprof to generate a profile for nginx, it seems that it
requests the dac_override capability because logs are located in a
folder which is not accessible by root thereby causing an access denied
in the logs and preventing the server from starting.

I searched bug reports and found the security issue #701112
(CVE-2013-0337) to be what caused the problem in the first place. It
seems that the bug was about the log files being "world readable",
however, now that the log folder is owned by www-data, it means that the
web server process now has full control over the log folder.

I noted that message #44 says that log parsers need www-data on the log
folder to work, however, the apache2 package has no issue with its folder
and log files being root:adm/0750.

To fix the issue, I used chown -R root:adm /var/log/nginx and replaced
www-data:adm with root:adm in logrotate.d.  I can now use an AA profile
without dac_override being set.


-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nginx-common depends on:
ii  init-system-helpers  1.22
ii  lsb-base             4.1+Debian13+nmu1

nginx-common recommends no packages.

Versions of packages nginx-common suggests:
pn  fcgiwrap   <none>
pn  nginx-doc  <none>
pn  ssl-cert   <none>

-- Configuration Files:
/etc/logrotate.d/nginx changed [not included]

-- no debconf information

--- End Message ---
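
The ownership check behind the report above, as an added example that is not part of the bug report or of the Debian package: it evaluates the owner/group/other mode bits for a process and shows when root has to fall back on dac_override. The function names are hypothetical, uid 33 and gid 4 stand in for www-data and adm, and the directory mode 0750 is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report): the owner/group/other decision the
# kernel makes before it falls back on CAP_DAC_OVERRIDE. POSIX ACLs are ignored.

# dac_allows UID "GID ..." OWNER_UID OWNER_GID OCTAL_MODE WANT
# WANT is any of r, w, x. Returns 0 when the mode bits alone grant WANT,
# 1 when the process would need CAP_DAC_OVERRIDE (or be denied).
dac_allows() {
    p_uid=$1 p_gids=$2 o_uid=$3 o_gid=$4 want=$6
    bits=$(( 0$5 & 0777 ))            # leading 0 makes the shell read octal
    # Exactly one class applies: owner, else group, else other. No fall-through.
    if [ "$p_uid" -eq "$o_uid" ]; then
        shift_by=6
    else
        shift_by=0
        for g in $p_gids; do
            if [ "$g" -eq "$o_gid" ]; then shift_by=3; fi
        done
    fi
    granted=$(( (bits >> shift_by) & 7 ))
    need=0
    case $want in *r*) need=$(( need | 4 )) ;; esac
    case $want in *w*) need=$(( need | 2 )) ;; esac
    case $want in *x*) need=$(( need | 1 )) ;; esac
    [ $(( granted & need )) -eq "$need" ]
}

# audit_logdir DIR: can a root process whose only group is root create files
# in DIR (needs w+x on the directory) on mode bits alone? Uses GNU stat.
audit_logdir() {
    meta=$(stat -c '%u %g %a' "$1") || return 2
    set -- $meta
    if dac_allows 0 "0" "$1" "$2" "$3" wx; then
        echo "ok: uid=$1 gid=$2 mode=$3, no dac_override needed"
    else
        echo "dac_override needed: uid=$1 gid=$2 mode=$3"
        return 1
    fi
}

# Constructed cases: uid 33 / gid 4 stand in for www-data / adm, mode 0750 assumed.
for owner in 33 0; do
    if dac_allows 0 "0" "$owner" 4 750 wx; then verdict="mode bits suffice"
    else verdict="needs dac_override"; fi
    echo "root writing to dir owned by $owner:4 mode 0750: $verdict"
done
```

Running `audit_logdir /var/log/nginx` on a host applies the same check to the real directory.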
--- Begin Message ---
Closing for the reasons previously mentioned.

-- 
Michael Lustfield

--- End Message ---
