Bad permissions in /var/log/nginx after logs are rotated

Hello,

I’m using daemontools to run nginx [1] and I’m experiencing the
following problem when I send the USR1 signal to rotate the logs with
another script [2]:

The problem is that after sending the USR1 signal to nginx, the logs
owner becomes ‘nginx’ instead of ‘root’, which is a potential security
breach.

~ # ls -la /var/log/nginx
total 627
drwxr-xr-x 2 root root 1088 Feb 23 04:29 .
drwxr-xr-x 15 root root 1088 Feb 22 01:27 …
-rw-r–r-- 1 root root 0 Feb 23 04:25 access_log
-rw-r–r-- 1 root root 0 Feb 23 04:25 error_log
-rw-r–r-- 1 root root 19164 Feb 23 04:29 site1.com-access_log
-rw-r–r-- 1 root root 0 Feb 23 04:25 site1.com-error_log
-rw-r–r-- 1 root root 0 Feb 23 04:25 site1.com-ssl_access_log
-rw-r–r-- 1 root root 0 Feb 23 04:25 site1.com-ssl_error_log

~ # nginx-rotate.sh [2]

~ # ls -la /var/log/nginx
total 11
drwxr-xr-x 3 root root 1112 Feb 23 04:29 .
drwxr-xr-x 15 root root 1088 Feb 22 01:27 …
drwxr-xr-x 2 root root 1088 Feb 23 04:29 old
-rw-r–r-- 1 nginx root 0 Feb 23 04:29 access_log
-rw-r–r-- 1 nginx root 0 Feb 23 04:29 error_log
-rw-r–r-- 1 nginx root 123 Feb 23 04:29 site1.com-access_log
-rw-r–r-- 1 nginx root 0 Feb 23 04:29 site1.com-error_log
-rw-r–r-- 1 nginx root 0 Feb 23 04:29 site1.com-ssl_access_log
-rw-r–r-- 1 nginx root 0 Feb 23 04:29 site1.com-ssl_error_log

If instead of this if I restart [3] the nginx process or send the HUP
signal [4] then the log files permissions remains correct (owned by
root).

I’m not sure if this is a bug or a known issue but I appreciate any
clarifications.

Thanks.

[1] nginx daemontools startup script:
#! /bin/sh -

exec 2>&1
exec /srv/sbin/nginx -c /srv/etc/nginx/nginx.conf

[2] nginx log rotation script
#! /bin/sh -

cd /var/log/nginx
mkdir -p old
mv *_log old

kill -USR1 cat /var/run/nginx.pid

sudo -u user /home/user/awstats.sh
rm /var/log/nginx/old/*access_log

[3]

Send TERM signal

svc -t /service/nginx

OR stop and start

svc -d /service/nginx

… rotate logs

svc -u /service/nginx

[4]
svc -h /service/nginx

On Tue, Feb 23, 2010 at 07:13:16AM -0300, Juan Fco. Giordana wrote:

~ # ls -la /var/log/nginx
~ # nginx-rotate.sh [2]
-rw-r–r-- 1 nginx root 0 Feb 23 04:29 site1.com-ssl_access_log
-rw-r–r-- 1 nginx root 0 Feb 23 04:29 site1.com-ssl_error_log

If instead of this if I restart [3] the nginx process or send the HUP
signal [4] then the log files permissions remains correct (owned by root).

I’m not sure if this is a bug or a known issue but I appreciate any
clarifications.

This is by design: workers are not restarted on USR1 signal, therefore
master sets file onwer so workers are able to open the new logs files.
I do not consdier this as a potential security breach, since workers
anyway write to these files.


Igor S.
http://sysoev.ru/en/

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs