4 | | * Make a !AppArmor profile which removes dac_override and chown capabilities from Nginx. |
5 | | * Set-up logrotate to create files as root:adm/0640. |
6 | | * Set-up logrotate to issue a SIGHUP instead of SIGUSR1. |
7 | | * chown/chmod /var/log/nginx |
8 | | * Enforce profile and restart Nginx. |
| 4 | 1. Make a !AppArmor profile which removes chown capability from Nginx. |
| 5 | 1. chown -R root:adm /var/log/nginx |
| 6 | 1. chmod 0755 /var/log/nginx |
| 7 | 1. chmod 0640 /var/log/nginx/* |
| 8 | 1. Setup logrotate to create files as www-data:adm/0640. |
| 9 | 1. Setup logrotate post-rotate to invoke-rc.d nginx rotate, then, chown root /var/log/nginx/*.log |
10 | | However, this proves to be dangerous in case a configuration has been changed without a reload overnight. Other than that, the child processes can't write to any log. |
| 11 | |
| 12 | /etc/apparmor.d/usr.sbin.nginx |
| 13 | {{{ |
| 14 | #include <tunables/global> |
| 15 | |
| 16 | /usr/sbin/nginx { |
| 17 | #include <abstractions/base> |
| 18 | #include <abstractions/nameservice> |
| 19 | |
| 20 | deny capability chown, |
| 21 | |
| 22 | capability dac_override, |
| 23 | capability net_bind_service, |
| 24 | capability setgid, |
| 25 | capability setuid, |
| 26 | |
| 27 | |
| 28 | /etc/nginx/** r, |
| 29 | /etc/ssl/certs/** r, |
| 30 | /etc/ssl/openssl.cnf r, |
| 31 | /run/nginx.pid rw, |
| 32 | /run/nginx.pid.oldbin rw, |
| 33 | /usr/lib/nginx/modules/*.so mr, |
| 34 | /usr/sbin/nginx mr, |
| 35 | /usr/share/nginx/** r, |
| 36 | /var/cache/nginx/ rw, |
| 37 | /var/cache/nginx/** rw, |
| 38 | /var/lib/nginx/ r, |
| 39 | /var/lib/nginx/** rw, |
| 40 | /var/log/nginx/*.log w, |
| 41 | /var/log/nginx/*.log.1 w, |
| 42 | /var/www/** r, |
| 43 | |
| 44 | #include <nginx.d> |
| 45 | #include <local/usr.sbin.nginx> |
| 46 | } |
| 47 | }}} |
| 48 | |
| 49 | /etc/logrotate.d/nginx |
| 50 | {{{ |
| 51 | /var/log/nginx/*.log { |
| 52 | ... |
| 53 | create 0640 www-data adm |
| 54 | postrotate |
| 55 | invoke-rc.d nginx rotate >/dev/null 2>&1 |
| 56 | sleep 2 |
| 57 | chown root:adm /var/log/nginx/*.log |
| 58 | endscript |
| 59 | } |
| 60 | }}} |
| 61 | |
| 62 | EDIT: Updated procedure to prevent having to reload nginx. |