Opened 10 years ago
#704 new defect
Nginx configure script can't detect groups reliably
| Reported by: | Gavin Chappell | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | 1.0.x |
| Keywords: | Cc: | ||
| uname -a: | Linux microserver 3.16.0-29-generic #39-Ubuntu SMP Mon Dec 15 22:27:29 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.6.2 (Ubuntu)
TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module |
||
Description
As part of auto/unix, the configure scripts attempt to detect a "nobody" group by doing "grep nobody /etc/group"
However, if you have a nobody user in a different group, but no nobody group present on your box, then this test will pass incorrectly. For example, consider the following:
/etc/passwd: nobody:x:65534:65534:Nobody:/dev/null:/sbin/nologin /etc/group: users:x:1000:nobody
In this situation, the configure script will try and test for a group called "nobody", but because the grep isn't anchored to the start of the line and doesn't have any context (i.e. the trailing colon) then the "users..." line matches the grep and nginx will compile with "nobody" as its default group.
If this binary is then run without a "user" directive in its config file, nginx will fail to start because it can't drop privileges to the "nobody" group since it doesn't exist.
