Opened 8 years ago
Closed 8 years ago
#1096 closed defect (fixed)
dav_access user:r is not respected
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | other | Version: | 1.11.x |
Keywords: | Cc: | bertrand@… | |
uname -a: | Linux e3 3.18.42-longterm #1 SMP Sun Sep 25 16:38:58 CEST 2016 x86_64 Intel(R) Xeon(R) CPU 5150 @ 2.66GHz GenuineIntel GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.11.4
built with OpenSSL 1.0.2h 3 May 2016 (running with OpenSSL 1.0.2j 26 Sep 2016)
TLS SNI support enabled
configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --with-cc-opt=-I/usr/include --with-ld-opt=-L/usr/lib64 --http-log-path=/var/log/nginx/access_log --http-client-body-temp-path=/var/lib/nginx/tmp/client --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --with-file-aio --with-http_v2_module --with-ipv6 --with-pcre --with-pcre-jit --without-http_browser_module --without-http_empty_gif_module --without-http_geo_module --without-http_limit_req_module --without-http_limit_conn_module --without-http_memcached_module --without-http_proxy_module --without-http_referer_module --without-http_scgi_module --without-http_ssi_module --without-http_split_clients_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_keepalive_module --without-http_upstream_least_conn_module --without-http_upstream_zone_module --without-http_userid_module --without-http_uwsgi_module --with-http_dav_module --with-http_realip_module --with-http_stub_status_module --with-http_realip_module --add-module=external_module/ngx-fancyindex-0.4.1 --add-module=external_module/ngx_http_auth_pam_module-1.5.1 --add-module=external_module/nginx-rtmp-module-1.1.9 --add-module=external_module/nginx-dav-ext-module-0.0.3 --with-http_ssl_module --without-stream_access_module --without-stream_geo_module --without-stream_limit_conn_module --without-stream_map_module --without-stream_return_module --without-stream_split_clients_module --without-stream_upstream_hash_module --without-stream_upstream_least_conn_module --without-stream_upstream_zone_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --user=nginx --group=nginx |
Description
Hi,
Configuration including 'dav_access user:r' is not respected, files are created with permission '-rw-------', instead of '-r--------'.
My purpose here is to make sure a file will never be overwritten.
```
$ cat /etc/nginx/nginx.conf
user nginx nginx;
worker_processes 1;
error_log syslog:server=unix:/dev/log,facility=local7,severity=error info;
pcre_jit on;

events {
    worker_connections 1024;
    use epoll;
}

http {
    disable_symlinks if_not_owner;
    etag off;
    if_modified_since exact;
    server_tokens off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main
        '$remote_addr - $remote_user [$time_local] '
        '"$request" $status $bytes_sent '
        '"$http_referer" "$http_user_agent" '
        '"$gzip_ratio"';

    client_body_temp_path /var/nginx/tmp;
    index index.html;

    server {
        listen 127.0.0.1:80;
        server_name localhost;
        access_log syslog:server=unix:/dev/log,facility=local7,severity=info combined;
        error_log syslog:server=unix:/dev/log,facility=local7,severity=error info;
        root /var/nginx/www-root;
        dav_methods PUT;
        dav_access user:r;
        create_full_put_path on;
        autoindex on;
    }
}
```

```
$ curl -T /etc/fstab -D - http://127.0.0.1
HTTP/1.1 100 Continue

HTTP/1.1 204 No Content
Server: nginx
Date: Thu, 06 Oct 2016 00:12:15 GMT
Connection: keep-alive
```

```
$ stat /var/nginx/www-root/fstab
  File: '/var/nginx/www-root/fstab'
  Size: 950        Blocks: 8        IO Block: 4096   regular file
Device: 6811h/26641d   Inode: 3281364   Links: 1
Access: (0600/-rw-------)  Uid: ( 1042/nginx)   Gid: ( 1042/ nginx)
Access: 2016-10-06 02:12:15.867658907 +0200
Modify: 2016-10-06 02:12:15.867658907 +0200
Change: 2016-10-06 02:12:15.867658907 +0200
 Birth: -
```
Confirmed, ngx_conf_set_access_slot() unconditionally sets the access mask to 0600 and only extends it then. Try the following patch:
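The behaviour described in the comment above, modelled as an added example: this is neither the patch that comment refers to nor nginx source code. The function names are hypothetical, the `user`/`group`/`all` and `r`/`rw` tokens follow the documented `dav_access` syntax, and `access_explicit_user` is one possible corrected form, in which 0600 is only a default for the owner bits.

```c
#include <stdio.h>
#include <string.h>

/* Parse one "who:rights" token (who = user|group|all, rights = r|rw).
 * In this model "all" maps to the "other" permission bits. */
static int parse_spec(const char *spec, unsigned *shift, unsigned *right)
{
    const char *p;
    if (strncmp(spec, "user:", 5) == 0)       { *shift = 6; p = spec + 5; }
    else if (strncmp(spec, "group:", 6) == 0) { *shift = 3; p = spec + 6; }
    else if (strncmp(spec, "all:", 4) == 0)   { *shift = 0; p = spec + 4; }
    else return -1;
    if (strcmp(p, "rw") == 0)     *right = 6;
    else if (strcmp(p, "r") == 0) *right = 4;
    else return -1;
    return 0;
}

/* Behaviour reported in the ticket: start from 0600, only OR bits in. */
unsigned access_extend_only(const char **specs, int n)
{
    unsigned access = 0600, shift, right;
    for (int i = 0; i < n; i++) {
        if (parse_spec(specs[i], &shift, &right) != 0) return (unsigned) -1;
        access |= right << shift;   /* user:r can never clear the w bit */
    }
    return access;
}

/* Corrected model: 0600 is only the default for the owner bits and is
 * dropped as soon as an explicit user: spec appears. */
unsigned access_explicit_user(const char **specs, int n)
{
    unsigned access = 0, user = 0600, shift, right;
    for (int i = 0; i < n; i++) {
        if (parse_spec(specs[i], &shift, &right) != 0) return (unsigned) -1;
        if (shift == 6) user = 0;   /* explicit owner rights replace default */
        access |= right << shift;
    }
    return access | user;
}

int main(void)
{
    const char *ro[] = { "user:r" };   /* the directive from the ticket */
    printf("extend-only:   %04o\n", access_extend_only(ro, 1));
    printf("explicit user: %04o\n", access_explicit_user(ro, 1));
    return 0;
}
```

With `user:r` the first function yields 0600, matching the `stat` output in the report, and the second yields 0400; both agree when no `user:` spec is given.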