mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2024-06-09 23:36:21 +02:00
roles/*: Fix nginx log dir permissions
To correctly be safe for CVE-2016-1247, we need all nginx log dirs to be owned by both user and group root. Also, since nginx childs runs as http user, the directories permissions must be 0755, so the http user can descent into it. Since the logrotate will create the log files as http:log, the nginx childs will be able to write to the logs, but will not be able to create files inside those dirs, fully preventing CVE-2016-1247.
This commit is contained in:
Giancarlo Razzolini
parent
2c353e4ee7
commit
ff27e416e7
|
|
@ -20,7 +20,7 @@
|
|||
when: archweb_site
|
||||
|
||||
- name: make nginx log dir
|
||||
file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=log mode=750
|
||||
file: path=/var/log/nginx/{{ archweb_domain }} state=directory owner=root group=root mode=0755
|
||||
when: archweb_site
|
||||
|
||||
- name: make rsync iso dir
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@
|
|||
- reload nginx
|
||||
|
||||
- name: make nginx log dir
|
||||
file: path=/var/log/nginx/{{ flyspray_domain }} state=directory owner=root group=log mode=750
|
||||
file: path=/var/log/nginx/{{ flyspray_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: create setup dir with write permissions
|
||||
file: state=directory owner="{{ flyspray_user }}" group="{{ flyspray_user }}" path="{{ flyspray_dir }}/setup" mode=755
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
- nginx
|
||||
|
||||
- name: make nginx log dir
|
||||
file: path=/var/log/nginx/{{ mailman_domain }} state=directory owner=root group=log mode=750
|
||||
file: path=/var/log/nginx/{{ mailman_domain }} state=directory owner=root group=root mode=0755
|
||||
when: archweb_site
|
||||
tags:
|
||||
- nginx
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@
|
|||
file: state=directory path=/etc/nginx/auth owner=root group=root mode=0755
|
||||
|
||||
- name: create default nginx log directory
|
||||
file: state=directory path=/var/log/nginx/default owner=root group=log mode=0750
|
||||
file: state=directory path=/var/log/nginx/default owner=root group=root mode=0755
|
||||
|
||||
- name: create unique DH group
|
||||
command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@
|
|||
- reload nginx
|
||||
|
||||
- name: make nginx log dir
|
||||
file: path=/var/log/nginx/{{ patchwork_domain }} state=directory owner=root group=log mode=750
|
||||
file: path=/var/log/nginx/{{ patchwork_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: deploy maintenance page
|
||||
template: src=503.html.j2 dest="{{ patchwork_dir }}/503.html" owner=patchwork group=patchwork mode=644
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
- reload nginx
|
||||
|
||||
- name: make nginx log dir
|
||||
file: path=/var/log/nginx/{{ planet_domain }} state=directory owner=root group=log mode=0750
|
||||
file: path=/var/log/nginx/{{ planet_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: clone planet git repo
|
||||
git: dest={{ planet_dir }} repo=https://git.archlinux.org/vhosts/planet.archlinux.org.git
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@
|
|||
- generate-public_html.service
|
||||
|
||||
- name: make nginx log dir
|
||||
file: path=/var/log/nginx/{{ public_domain }} state=directory owner=root group=log mode=750
|
||||
file: path=/var/log/nginx/{{ public_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: set up nginx
|
||||
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/public_html.conf owner=root group=root mode=0644
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@
|
|||
- reload nginx
|
||||
|
||||
- name: make nginx log dir
|
||||
file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=root group=log mode=750
|
||||
file: path=/var/log/nginx/{{ security_tracker_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: copy security-tracker units
|
||||
copy: src="{{ item }}" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
- reload nginx
|
||||
|
||||
- name: make nginx log dir
|
||||
file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=root group=log mode=0750
|
||||
file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: make sources dir
|
||||
file: path={{ sources_dir }} state=directory owner=root group=root mode=0755
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@
|
|||
create: true
|
||||
|
||||
- name: make nginx log dir
|
||||
file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=root group=log mode=750
|
||||
file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: set up nginx
|
||||
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/syncrepo.conf owner=root group=root mode=0644
|
||||
|
|
|
|||
Loading…
Reference in New Issue