Opened 10 years ago

#704 new defect

Nginx configure script can't detect groups reliably

Reported by: Gavin Chappell
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.0.x
Keywords:
Cc:
uname -a: Linux microserver 3.16.0-29-generic #39-Ubuntu SMP Mon Dec 15 22:27:29 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.6.2 (Ubuntu)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module

Description

As part of auto/unix, the configure scripts attempt to detect a "nobody" group by doing "grep nobody /etc/group".

However, if you have a nobody user in a different group, but no nobody group present on your box, then this test will pass incorrectly. For example, consider the following:

/etc/passwd:
nobody:x:65534:65534:Nobody:/dev/null:/sbin/nologin

/etc/group:
users:x:1000:nobody

In this situation, the configure script will try and test for a group called "nobody", but because the grep isn't anchored to the start of the line and doesn't have any context (i.e. the trailing colon) then the "users..." line matches the grep and nginx will compile with "nobody" as its default group.

If this binary is then run without a "user" directive in its config file, nginx will fail to start because it can't drop privileges to the "nobody" group since it doesn't exist.
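
The false positive described in this ticket, reproduced as an added example (not code from nginx or from the reporter). The function names and the sample group file are constructed for illustration; the unanchored check mirrors the `grep nobody /etc/group` quoted above, and the first-field comparison is one possible stricter test.

```shell
#!/bin/sh
# Constructed sample reproducing the ticket: a "nobody" user that is a
# member of "users", with no group named "nobody" in the file.
make_sample_group() {
    f=$(mktemp) || return 1
    printf '%s\n' 'root:x:0:' 'users:x:1000:nobody' > "$f"
    printf '%s\n' "$f"
}

# Check as described in the ticket: unanchored substring match, so any
# line that mentions the name anywhere (e.g. in the member list) passes.
group_found_unanchored() {   # $1 = group name, $2 = group file
    grep "$1" "$2" >/dev/null 2>&1
}

# Stricter check (hypothetical helper): compare only the first
# colon-separated field, as a literal string rather than a regex.
group_found_anchored() {     # $1 = group name, $2 = group file
    awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }' "$2"
}

demo() {
    sample=$(make_sample_group) || return 1
    for check in group_found_unanchored group_found_anchored; do
        if "$check" nobody "$sample"; then r="found"; else r="not found"; fi
        echo "$check: checking for nobody group ... $r"
    done
    rm -f "$sample"
}

demo
```

Both helpers read only a flat group file; on hosts where groups come from other NSS sources, `getent group nobody` queries those as well.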
