Changes between Version 1 and Version 2 of Ticket #376, comment 4


Timestamp: 02/07/17 15:37:23 (7 years ago)
Author: Jérôme Poulin

  • Ticket #376, comment 4

    Unmodified (v1 and v2):

    The workaround we're using is:

    Removed (v1 only):

     * Make a !AppArmor profile which removes dac_override and chown capabilities from Nginx.
     * Set up logrotate to create files as root:adm/0640.
     * Set up logrotate to issue a SIGHUP instead of SIGUSR1.
     * chown/chmod /var/log/nginx
     * Enforce profile and restart Nginx.

    Added (v2 only):

     1. Make a !AppArmor profile which removes chown capability from Nginx.
     2. chown -R root:adm /var/log/nginx
     3. chmod 0755 /var/log/nginx
     4. chmod 0640 /var/log/nginx/*
     5. Set up logrotate to create files as www-data:adm/0640.
     6. Set up logrotate post-rotate to invoke-rc.d nginx rotate, then chown root /var/log/nginx/*.log

    Removed (v1 only):

    However, this proves to be dangerous in case a configuration has been changed without a reload overnight. Other than that, the child processes can't write to any log.

    Added (v2 only):

    /etc/apparmor.d/usr.sbin.nginx
    {{{
    #include <tunables/global>

    /usr/sbin/nginx {
      #include <abstractions/base>
      #include <abstractions/nameservice>

      # Explicit deny: nginx must not be able to chown its log files (deny rules
      # take precedence over any grant in the profile).
      deny capability chown,

      capability dac_override,
      capability net_bind_service,
      capability setgid,
      capability setuid,

      /etc/nginx/** r,
      /etc/ssl/certs/** r,
      /etc/ssl/openssl.cnf r,
      /run/nginx.pid rw,
      /run/nginx.pid.oldbin rw,
      /usr/lib/nginx/modules/*.so mr,
      /usr/sbin/nginx mr,
      /usr/share/nginx/** r,
      /var/cache/nginx/ rw,
      /var/cache/nginx/** rw,
      /var/lib/nginx/ r,
      /var/lib/nginx/** rw,
      # Write-only access to the current and the just-rotated log files;
      # no create, read or link permission on anything else under /var/log/nginx.
      /var/log/nginx/*.log w,
      /var/log/nginx/*.log.1 w,
      /var/www/** r,

      #include <nginx.d>
      #include <local/usr.sbin.nginx>
    }
    }}}

    /etc/logrotate.d/nginx
    {{{
    /var/log/nginx/*.log {
    ...
        # New files are created as the worker user (nginx is denied chown by the
        # profile above) and handed back to root in postrotate.
        create 0640 www-data adm
        postrotate
            # Reopen the logs without a configuration reload (see EDIT below).
            invoke-rc.d nginx rotate >/dev/null 2>&1
            sleep 2
            chown root:adm /var/log/nginx/*.log
        endscript
    }
    }}}

    EDIT: Updated procedure to prevent having to reload nginx.
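The v2 procedure above only holds if the directory layout it sets up actually survives rotation: the directory root-owned and 0755, every *.log a regular file (not a symlink) that is 0640 and no longer owned by the worker user once the postrotate chown has run. The following is an added example, written for this page and not code from the ticket or from the commenter: a POSIX shell audit, `audit_nginx_logdir`, that checks a log directory against that layout, plus a `make_fixture` helper that builds a scratch directory so it can be exercised without root or a running nginx. Both names are mine. Ids are numeric (0 for root, the gid of adm from `getent group adm`, the uid of www-data from `id -u www-data`; 33 below is Debian's usual www-data uid and is an assumption), and the script assumes GNU coreutils `stat -c`. The fixture directory is constructed test data.

```shell
#!/bin/sh
# Added example (not from the ticket): audit an nginx log directory against the
# layout the v2 procedure converges on. Directory and expected ids are parameters
# so the check can be run against a scratch copy as an unprivileged user.
# Assumes GNU coreutils stat(1) with -c.

# audit_nginx_logdir DIR OWNER_UID GROUP_GID WORKER_UID
# Prints one FAIL line per violation; returns 0 when clean, 1 otherwise.
audit_nginx_logdir() {
    _dir=$1 _owner=$2 _group=$3 _worker=$4 _rc=0

    # A symlinked log directory would send logrotate's create/chown elsewhere.
    if [ -L "$_dir" ]; then
        echo "FAIL: $_dir is a symlink"
        return 1
    fi
    # Directory: owner, group, mode. stat prints "uid gid octal-mode".
    set -- $(stat -c '%u %g %a' "$_dir")
    if [ "$1" != "$_owner" ] || [ "$2" != "$_group" ] || [ "$3" != "755" ]; then
        echo "FAIL: $_dir is $1:$2 $3, want $_owner:$_group 755"
        _rc=1
    fi

    for _f in "$_dir"/*.log "$_dir"/*.log.1; do
        # Skip an unexpanded glob; -L catches dangling symlinks that -e misses.
        [ -e "$_f" ] || [ -L "$_f" ] || continue
        if [ -L "$_f" ]; then
            echo "FAIL: $_f is a symlink to $(readlink "$_f")"
            _rc=1
            continue
        fi
        if [ ! -f "$_f" ]; then
            echo "FAIL: $_f is not a regular file"
            _rc=1
            continue
        fi
        set -- $(stat -c '%u %g %a' "$_f")
        if [ "$1" = "$_worker" ]; then
            # Still owned by the worker: the postrotate chown has not run yet
            # (or ran before nginx reopened the file).
            echo "FAIL: $_f is still owned by worker uid $_worker"
            _rc=1
        elif [ "$1" != "$_owner" ] || [ "$2" != "$_group" ] || [ "$3" != "640" ]; then
            echo "FAIL: $_f is $1:$2 $3, want $_owner:$_group 640"
            _rc=1
        fi
    done
    return $_rc
}

# make_fixture DIR: constructed test data, a log directory owned by the invoking
# user with the modes the procedure prescribes.
make_fixture() {
    _d=$1
    rm -rf "$_d"
    mkdir -p "$_d"
    chmod 0755 "$_d"
    : > "$_d/access.log"
    : > "$_d/error.log"
    : > "$_d/access.log.1"
    chmod 0640 "$_d/access.log" "$_d/error.log" "$_d/access.log.1"
}

# Stand-alone demo: a clean fixture passes, a planted symlink fails.
# 33 is assumed to be the www-data uid (Debian default); on a real host use
# audit_nginx_logdir /var/log/nginx 0 "$(getent group adm | cut -d: -f3)" "$(id -u www-data)".
demo_dir=$(mktemp -d)
make_fixture "$demo_dir/nginx"
if audit_nginx_logdir "$demo_dir/nginx" "$(id -u)" "$(id -g)" 33; then
    echo "clean: $demo_dir/nginx"
fi
ln -s /etc/passwd "$demo_dir/nginx/planted.log"
if ! audit_nginx_logdir "$demo_dir/nginx" "$(id -u)" "$(id -g)" 33; then
    echo "violations found (expected after planting a symlink)"
fi
rm -rf "$demo_dir"
```

Run it from the logrotate postrotate script (after the chown) or from cron; a non-zero exit means the chown did not take, a file has drifted to the wrong mode, or someone has placed a symlink or non-regular file where the next rotation will act on it.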