Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#2600 closed change (fixed)

Normalize ownership and privileges for Nginx logs

Reported by: matze Assignee: matze
Priority: P4 Milestone:
Module: Infrastructure Keywords:
Cc: fred, fhd Blocked By:
Blocking: Platform: Unknown
Ready: yes Confidential: no
Tester: Unknown Verified working: no
Review URL(s):

https://codereview.adblockplus.org/29321355/

Description

Our current setup causes nginx(8) access logs to appear with various different file permissions and group/owner assignments:

mathias@filter20:~$ ls -la /var/log/nginx
total 13644
drwxr-xr-x  2 root  root     4096 May 27 14:52 .
drwxr-xr-x 11 root  root     4096 May 27 14:52 ..
-rw-r-----  1 nginx adm    150048 May 27 15:12 access.log
-rw-r--r--  1 root  root 10207556 May 27 15:12 access_log_easylist_downloads
-rw-r--r--  1 root  root  3570881 May 27 15:12 access_log_notification
-rw-r-----  1 nginx adm     19080 May 27 15:12 error.log

There are other combinations as well. Overall I believe found any combination possible with adm, nginx, root, www-data and various different permissions, e.g. -rw-r--r-- or -rw------.

This is obviously due to the fact that we never explicitely configured these attributes. Since logrotate(8), unless configured otherwise, keeps the current set of permissions, the differences are probably due to past attempts for bypassing some intermediate access issues.

To avoid such issues in the future (and to "clean up our closet"), we should start managing these attributes via Puppet and clean up /var/log/nginx during roll-out.

Ideally all logs would belong to user www-data (the one Nginx runs as) and group adm (which is actually meant for read-only access to `/var/log`).

Change History (6)

comment:1 Changed 5 years ago by fred

What should be the file permissions for all those log files in the directory?
0640? 0644?

Should the directory itself also belong to "www-data.adm"? Or stay at "root.root" as it is in the example?

What should be the permission of the directory itself? Stay at 0755 or also change to something more restrictive like 0750?

comment:2 Changed 5 years ago by matze

Assuming you go with www-data:adm for the file ownership (according to the ticket description), 0640 is perfectly fine.

The directory (/var/log/nginx) should remain in the distribution's default state after installing Nginx through the pacakge manager, which is root:root and 0755.

comment:3 Changed 5 years ago by fred

  • Owner set to fred
  • Tester set to Unknown

comment:4 Changed 5 years ago by fred

  • Review URL(s) modified (diff)
  • Status changed from new to reviewing

comment:5 Changed 5 years ago by fred

  • Resolution set to fixed
  • Status changed from reviewing to closed

comment:6 Changed 5 years ago by fred

  • Owner changed from fred to matze
Note: See TracTickets for help on using tickets.