Opened 8 years ago
Closed 8 years ago
#1096 closed defect (fixed)
dav_access user:r is not respected
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | other | Version: | 1.11.x |
| Keywords: | Cc: | bertrand@… | |
| uname -a: | Linux e3 3.18.42-longterm #1 SMP Sun Sep 25 16:38:58 CEST 2016 x86_64 Intel(R) Xeon(R) CPU 5150 @ 2.66GHz GenuineIntel GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.11.4
built with OpenSSL 1.0.2h 3 May 2016 (running with OpenSSL 1.0.2j 26 Sep 2016) TLS SNI support enabled configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --with-cc-opt=-I/usr/include --with-ld-opt=-L/usr/lib64 --http-log-path=/var/log/nginx/access_log --http-client-body-temp-path=/var/lib/nginx/tmp/client --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --with-file-aio --with-http_v2_module --with-ipv6 --with-pcre --with-pcre-jit --without-http_browser_module --without-http_empty_gif_module --without-http_geo_module --without-http_limit_req_module --without-http_limit_conn_module --without-http_memcached_module --without-http_proxy_module --without-http_referer_module --without-http_scgi_module --without-http_ssi_module --without-http_split_clients_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_keepalive_module --without-http_upstream_least_conn_module --without-http_upstream_zone_module --without-http_userid_module --without-http_uwsgi_module --with-http_dav_module --with-http_realip_module --with-http_stub_status_module --with-http_realip_module --add-module=external_module/ngx-fancyindex-0.4.1 --add-module=external_module/ngx_http_auth_pam_module-1.5.1 --add-module=external_module/nginx-rtmp-module-1.1.9 --add-module=external_module/nginx-dav-ext-module-0.0.3 --with-http_ssl_module --without-stream_access_module --without-stream_geo_module --without-stream_limit_conn_module --without-stream_map_module --without-stream_return_module --without-stream_split_clients_module --without-stream_upstream_hash_module --without-stream_upstream_least_conn_module --without-stream_upstream_zone_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --user=nginx --group=nginx |
||
Description
Hi,
Configuration including 'dav_access user:r' is not respected, files are created with permission '-rw-------', instead of '-r--------'.
My purpose here is to make sure a file will never be overwritten.
$ cat /etc/nginx/nginx.conf
user nginx nginx;
worker_processes 1;
error_log syslog:server=unix:/dev/log,facility=local7,severity=error info;
pcre_jit on;
events {
worker_connections 1024;
use epoll;
}
http {
disable_symlinks if_not_owner;
etag off;
if_modified_since exact;
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$gzip_ratio"';
client_body_temp_path /var/nginx/tmp;
index index.html;
server {
listen 127.0.0.1:80;
server_name localhost;
access_log syslog:server=unix:/dev/log,facility=local7,severity=info combined;
error_log syslog:server=unix:/dev/log,facility=local7,severity=error info;
root /var/nginx/www-root;
dav_methods PUT;
dav_access user:r;
create_full_put_path on;
autoindex on;
}
}
$ curl -T /etc/fstab -D - http://127.0.0.1 HTTP/1.1 100 Continue HTTP/1.1 204 No Content Server: nginx Date: Thu, 06 Oct 2016 00:12:15 GMT Connection: keep-alive
$ stat /var/nginx/www-root/fstab File: '/var/nginx/www-root/fstab' Size: 950 Blocks: 8 IO Block: 4096 regular file Device: 6811h/26641d Inode: 3281364 Links: 1 Access: (0600/-rw-------) Uid: ( 1042/nginx) Gid: ( 1042/ nginx) Access: 2016-10-06 02:12:15.867658907 +0200 Modify: 2016-10-06 02:12:15.867658907 +0200 Change: 2016-10-06 02:12:15.867658907 +0200 Birth: -
Note:
See TracTickets
for help on using tickets.
Confirmed,
ngx_conf_set_access_slot()unconditionally set access mask to0600and only extends it then. Try the following patch:# HG changeset patch # User Maxim Dounin <mdounin@mdounin.ru> # Date 1475770303 -10800 # Thu Oct 06 19:11:43 2016 +0300 # Node ID 4bf4b60684f4e4b02a342b8fb354375e482d7362 # Parent 6980c52f986bc28e4a0e712e1b0fb796c09cf003 Core: ngx_conf_set_access_slot() user access. Previously, user access bits were always set to "rw" unconditionally, even with "user:r" explicitly specified. With this change we only add default user access bits (0600) if they weren't set explicitly. diff --git a/src/core/ngx_file.c b/src/core/ngx_file.c --- a/src/core/ngx_file.c +++ b/src/core/ngx_file.c @@ -441,7 +441,7 @@ ngx_conf_set_access_slot(ngx_conf_t *cf, u_char *p; ngx_str_t *value; - ngx_uint_t i, right, shift, *access; + ngx_uint_t i, right, shift, *access, user; access = (ngx_uint_t *) (confp + cmd->offset); @@ -451,7 +451,8 @@ ngx_conf_set_access_slot(ngx_conf_t *cf, value = cf->args->elts; - *access = 0600; + *access = 0; + user = 0600; for (i = 1; i < cf->args->nelts; i++) { @@ -460,6 +461,7 @@ ngx_conf_set_access_slot(ngx_conf_t *cf, if (ngx_strncmp(p, "user:", sizeof("user:") - 1) == 0) { shift = 6; p += sizeof("user:") - 1; + user = 0; } else if (ngx_strncmp(p, "group:", sizeof("group:") - 1) == 0) { shift = 3; @@ -486,6 +488,8 @@ ngx_conf_set_access_slot(ngx_conf_t *cf, *access |= right << shift; } + *access |= user; + return NGX_CONF_OK; invalid: