mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
To correctly be safe for CVE-2016-1247, we need all nginx log dirs to be owned by both user and group root. Also, since nginx children run as the http user, the directories' permissions must be 0755, so the http user can descend into them. Since logrotate will create the log files as http:log, the nginx children will be able to write to the logs, but will not be able to create files inside those dirs, fully preventing CVE-2016-1247.
16 lines
342 B
YAML
---

- name: set up nginx
  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/mailman.conf owner=root group=root mode=644
  notify:
    - reload nginx
  tags:
    - nginx

- name: make nginx log dir
  file: path=/var/log/nginx/{{ mailman_domain }} state=directory owner=root group=root mode=0755
  when: archweb_site
  tags:
    - nginx
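An added example, not part of the Arch Linux infrastructure repository: a Python audit that walks a log tree and reports every directory that deviates from the layout the commit message describes (owner and group root, mode 0755), and also flags symlinks inside the tree. The function name audit_log_dirs and its parameters are assumptions of this example; the expected owner is a parameter so the check can be exercised without root.

```python
import os
import stat
import sys


def audit_log_dirs(root, want_uid=0, want_gid=0, want_mode=0o755):
    """Return (path, problem) tuples for entries under `root` that break the
    layout from the commit message: directories owned root:root, mode 0755."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        st = os.lstat(dirpath)
        if st.st_uid != want_uid or st.st_gid != want_gid:
            findings.append((dirpath, f"owner is {st.st_uid}:{st.st_gid}"))
        mode = stat.S_IMODE(st.st_mode)
        if mode != want_mode:
            findings.append((dirpath, f"mode is {mode:04o}"))
        # With the directory writable only by root, nothing but root should
        # have created entries here, so a symlink is worth a manual look.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                findings.append((path, "symlink inside log tree"))
    return findings


if __name__ == "__main__":
    # /var/log/nginx is the parent of the directory the role creates.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/log/nginx"
    problems = audit_log_dirs(target)
    for path, problem in problems:
        print(f"{path}: {problem}")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when it finds anything, so it can run as a periodic check or a CI step against a provisioned host.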