Opened 7 years ago

Closed 7 years ago

#359 closed enhancement (fixed)

DENY ALL ignored when using unix sockets

Reported by: Jevgeni Kiski Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.2.x
Keywords: Cc:
uname -a: Linux server 3.8.0-19-generic #30-Ubuntu SMP Wed May 1 16:35:23 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.2.6 (Ubuntu)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/home/user/nginx-1.2.6/debian/modules/nginx-auth-pam --add-module=/home/user/nginx-1.2.6/debian/modules/nginx-echo --add-module=/home/user/nginx-1.2.6/debian/modules/nginx-upstream-fair --add-module=/home/user/nginx-1.2.6/debian/modules/nginx-dav-ext-module --add-module=/home/user/nginx-1.2.6/debian/modules/nginx-rtmp-module

Description

HowTo reproduce:

Lets create a folder in /tmp with a file
mkdir /tmp/secure
echo 'My secret' > /tmp/secure/secret.txt

Then lets create a virtual server that listens to an unix socket:

server {
        server_name _;
        listen unix:/var/run/secure.sock;
        root /tmp/secure;

        deny all;

        location / {
                index index.html;
        }
}

Note: I also added deny all inside server block

in main server configuration we add proxy_pass to our newly created "secure" virtual server

location ^~ /secure/ {
  proxy_pass http://unix:/var/run/secure.sock:/;
}

reloading configuration and trying to access http://localhost/secure/secret.txt

We got contents! How? Deny all did not work

Expected:
403 Forbidden
Received:
200 OK with contents

Testing same thing but with ports:
Replacing sockets with ports:

server {
        server_name _;
        listen 8080;
        root /tmp/secure;

        deny all;

        location / {
                index index.html;
        }
}

And main server:

location ^~ /secure/ {
  proxy_pass http://0.0.0.0:8080/;
}

Reloading configuration and trying to access http://localhost/secure/secret.txt
403 Forbidden. As expected!

Change History (5)

comment:1 by Maxim Dounin, 7 years ago

Priority: majorminor
Type: defectenhancement

Yes, the deny/allow directives are only able to work with IPv4 and IPv6 addresses. Support for unix socket clients should be added, see http://mailman.nginx.org/pipermail/nginx-devel/2013-May/003752.html.

comment:2 by Maxim Dounin, 7 years ago

Status: newaccepted

comment:3 by Jevgeni Kiski, 7 years ago

This looks like a security issue to me. It would be great to update documentation so people would know that access control is not supported for unix sockets. http://nginx.org/en/docs/http/ngx_http_access_module.html

comment:4 by Ruslan Ermilov <ru@…>, 7 years ago

In 00dbfac67e48a8fe20802287b6fca50950178b8b/nginx:

Access: support for UNIX-domain client addresses (ticket #359).

comment:5 by Ruslan Ermilov, 7 years ago

Resolution: fixed
Status: acceptedclosed
Note: See TracTickets for help on using tickets.