#980970 nginx: Owner for /var/log/nginx/*.log should be root and not www-data

Package:
nginx
Source:
nginx
Description:
small, powerful, scalable web/proxy server
Submitter:
Samuel Bizien Filippi
Date:
2021-02-09 19:51:02 UTC
Severity:
minor
Tags:
#980970#5
Date:
2021-01-24 21:43:53 UTC
From:
To:
Dear maintainers,

By default, log files for nginx (access.log and error.log) are owned by www-data:adm with mode 640.

They should be owned by root, as nginx opens these files before dropping privileges. I tried to
confine nginx with systemd options in /etc/systemd/system/nginx.service.d/hardening.conf:

When doing that, nginx fails to start:
CAP_DAC_OVERRIDE to CapabilityBoundingSet (which I'd rather avoid, that's the point of "confinement")

Root-owned nginx log files:
- works as expected (hits & errors show up)
- makes your system more secure (logs are not readable by nginx workers anymore)

I tried to write a patch (attached), but it does not work as expected.

Best regards,

Samuel Bizien Filippi.

#980970#10
Date:
2021-02-09 19:43:36 UTC
From:
To:
Dear maintainers,

After some experiments and research, I found this undocumented hack
that allows socket-activating nginx:

https://freedesktop.org/wiki/Software/systemd/DaemonSocketActivation/#nginx

This makes it possible to run nginx as a standard user (www-data is a good
candidate in this case), but it breaks reloads (ExecReload) and the
pre-flight check (ExecStartPre). It can still be a good move for security
reasons: you remove all privileges from the nginx process, can drop all
capabilities and can even jail nginx with the "PrivateNetwork=true" systemd
option (no access to the network).

In this situation, it's a good thing that
/var/log/nginx/{access,error}.log are owned by www-data by default,
since you don't have to chown them before "jailing" nginx with
systemd.


Conclusion? Changing the owner to root for these log files may not be
helpful for lots of people:

- for people using the default configuration, it works anyway
- for people hardening nginx with systemd (dropping capabilities,
running as a user ...), log files owned by www-data are easier to
work with.

So maybe this bug could be closed.

Thanks a lot,

Samuel Bizien Filippi.
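The access model behind both messages, as an added example that is not part of the bug report or the Debian nginx package: a POSIX sh check of whether a given process user can open a log file for writing without CAP_DAC_OVERRIDE, from the file's owner, group and mode. The `check_log_file` wrapper assumes GNU `stat` and `id` as found on Debian; the three cases at the bottom are constructed from the report (www-data:adm 0640 defaults, root-owned logs, socket-activated nginx running as www-data).

```shell
#!/bin/sh
# Added example, not from the bug report or the Debian nginx package.
# Decides whether a process running as PROC_USER, *without* CAP_DAC_OVERRIDE,
# may open a log file for writing given the file's owner, group and octal mode.
# Group membership is passed explicitly so the logic is pure and testable.
#
# Usage: dac_write_ok <proc_user> "<proc_groups>" <owner> <group> <mode>
dac_write_ok() {
  proc_user=$1 proc_groups=$2 owner=$3 group=$4 mode=$5
  # keep only the three permission digits (drop a leading setuid/setgid/sticky digit)
  while [ "${#mode}" -gt 3 ]; do mode=${mode#?}; done
  u=${mode%??}; o=${mode#??}; g=${mode#?}; g=${g%?}
  if [ "$proc_user" = "$owner" ]; then
    bits=$u                       # owner bits apply; group/other bits are not consulted
  else
    bits=$o                       # fall back to "other" unless a group matches
    for grp in $proc_groups; do
      [ "$grp" = "$group" ] && bits=$g
    done
  fi
  [ $(( $bits & 2 )) -ne 0 ]      # is the write bit set in the selected triplet?
}

# Wrapper for a real file (assumes GNU stat and id as on Debian; not exercised by the cases below).
check_log_file() {
  file=$1 proc_user=$2
  stat_out=$(stat -c '%U %G %a' "$file") || return 2
  set -- $stat_out
  groups=$(id -Gn "$proc_user" 2>/dev/null) || groups=$proc_user
  if dac_write_ok "$proc_user" "$groups" "$1" "$2" "$3"; then
    echo "$file: $proc_user can open it without CAP_DAC_OVERRIDE ($1:$2 $3)"
  else
    echo "$file: $proc_user needs CAP_DAC_OVERRIDE ($1:$2 $3)"
    return 1
  fi
}

# Constructed cases taken from the two messages (Debian default: www-data:adm 0640).
# 1. Stock unit, root master, CAP_DAC_OVERRIDE removed from the bounding set: cannot open.
dac_write_ok root "root" www-data adm 0640 || echo "root master + www-data logs: needs CAP_DAC_OVERRIDE"
# 2. First proposal: root-owned logs, the root master opens them as owner.
dac_write_ok root "root" root adm 0640 && echo "root master + root logs: no capability needed"
# 3. Second message: socket-activated nginx as User=www-data owning its own logs.
dac_write_ok www-data "www-data" www-data adm 0640 && echo "www-data service + www-data logs: fine"
```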