From 12b3f0567ca23ca1743abc807160e44f9d4726e2 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Mon, 1 Oct 2018 00:05:06 +0200
Subject: [PATCH] Fix logging setup on Debian

This mitigates DSA-3701 / CVE-2016-1247 and matches the default setup on Debian.

https://www.debian.org/security/2016/dsa-3701
https://security-tracker.debian.org/tracker/CVE-2016-1247
---
 manifests/config.pp | 3 ++-
 manifests/init.pp | 7 ++++---
 manifests/params.pp | 22 +++++++++++++++-------
 spec/classes/nginx_spec.rb | 4 ++--
 4 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/manifests/config.pp b/manifests/config.pp
index 1ede16a78..36dda251e 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -29,6 +29,7 @@
  $global_group = $nginx::global_group
  $global_mode = $nginx::global_mode
  $log_dir = $nginx::log_dir
+ $log_user = $nginx::log_user
  $log_group = $nginx::log_group
  $log_mode = $nginx::log_mode
  $http_access_log = $nginx::http_access_log
@@ -178,7 +179,7 @@
  file { $log_dir:
  ensure => directory,
  mode => $log_mode,
- owner => $daemon_user,
+ owner => $log_user,
  group => $log_group,
  }
diff --git a/manifests/init.pp b/manifests/init.pp
index c9de9a4c8..27d91be90 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -37,9 +37,10 @@
  $global_owner = $nginx::params::global_owner,
  $global_group = $nginx::params::global_group,
  $global_mode = $nginx::params::global_mode,
- $log_dir = $nginx::params::log_dir,
- $log_group = $nginx::params::log_group,
- $log_mode = '0750',
+ Stdlib::Absolutepath $log_dir = $nginx::params::log_dir,
+ String $log_user = $nginx::params::log_user,
+ String $log_group = $nginx::params::log_group,
+ Stdlib::Filemode $log_mode = $nginx::params::log_mode,
  Variant[String, Array[String]] $http_access_log = "${log_dir}/${nginx::params::http_access_log_file}",
  $http_format_log = undef,
  Variant[String, Array[String]] $nginx_error_log = "${log_dir}/${nginx::params::nginx_error_log_file}",
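Review bot: The `owner => $log_user` line in the `file { $log_dir: ... }` resource only changes ownership where a platform override sets `log_user` to `root`; the module default added in params.pp (`'log_user' => 'nginx'`, the same value as `daemon_user`) still hands the log directory to the daemon user everywhere else, which, judging by what this commit changes to mitigate DSA-3701, is the very ownership pattern that advisory concerns. If leaving the worker as owner on non-Debian platforms is intentional (for example because those packages create the log files that way), the resource deserves a comment saying so, e.g. `# Owner is decoupled from $daemon_user on purpose: a worker-owned log dir is what DSA-3701 / CVE-2016-1247 relied on.`; otherwise consider `'log_user' => 'root'` in `$_module_defaults` as well so the root-owned directory is the default rather than the exception. The context above `file { $log_dir:` (line 178) and whatever follows the closing brace are outside the hunk.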
diff --git a/manifests/params.pp b/manifests/params.pp
index d69b36b9a..cf6f3d403 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -7,13 +7,15 @@
  ### Operating System Configuration
  ## This is my hacky... no hiera system. Oh well. :)
  $_module_defaults = {
- 'conf_dir' => '/etc/nginx',
- 'daemon_user' => 'nginx',
- 'pid' => '/var/run/nginx.pid',
- 'root_group' => 'root',
- 'log_dir' => '/var/log/nginx',
- 'log_group' => 'root',
- 'run_dir' => '/var/nginx',
+ 'conf_dir' => '/etc/nginx',
+ 'daemon_user' => 'nginx',
+ 'pid' => '/var/run/nginx.pid',
+ 'root_group' => 'root',
+ 'log_dir' => '/var/log/nginx',
+ 'log_user' => 'nginx',
+ 'log_group' => 'root',
+ 'log_mode' => '0755',
+ 'run_dir' => '/var/nginx',
  'package_name' => 'nginx',
  'manage_repo' => false,
  'mime_types' => {
@@ -109,12 +111,16 @@
  $_module_os_overrides = {
  'manage_repo' => true,
  'daemon_user' => 'www-data',
+ 'log_user' => 'root',
  'log_group' => 'adm',
+ 'log_mode' => '0755',
  }
  } else {
  $_module_os_overrides = {
  'daemon_user' => 'www-data',
+ 'log_user' => 'root',
  'log_group' => 'adm',
+ 'log_mode' => '0755',
  }
  }
  }
@@ -178,7 +184,9 @@
  ### Referenced Variables
  $conf_dir = $_module_parameters['conf_dir']
  $log_dir = $_module_parameters['log_dir']
+ $log_user = $_module_parameters['log_user']
  $log_group = $_module_parameters['log_group']
+ $log_mode = $_module_parameters['log_mode']
  $run_dir = $_module_parameters['run_dir']
  $temp_dir = '/tmp'
  $pid = $_module_parameters['pid']
diff --git a/spec/classes/nginx_spec.rb b/spec/classes/nginx_spec.rb
index 24e0e3838..930867236 100644
--- a/spec/classes/nginx_spec.rb
+++ b/spec/classes/nginx_spec.rb
@@ -360,9 +360,9 @@
  it do
  is_expected.to contain_file('/var/log/nginx').with(
  ensure: 'directory',
- owner: 'www-data',
+ owner: 'root',
  group: 'adm',
- mode: '0750'
+ mode: '0755'
  )
  end
  end
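Review bot: `'log_mode' => '0755'` in `$_module_defaults` widens the log directory mode on every platform, not just Debian: init.pp previously hard-coded `$log_mode = '0750'` and now takes its default from here. The commit message justifies the change as matching Debian's default, yet the non-Debian default moves from group-only to world-listable at the same time without any explanation. If that is intended, say so next to the value, e.g. `# 0755 matches the distribution packages; set log_mode to tighten the directory`; otherwise keep `'0750'` here and place `'0755'` only in the Debian override block below. Directory mode alone does not expose log contents (that depends on the modes of the files nginx and logrotate create, which this diff does not touch), but making the directory world-listable on all platforms should be a deliberate choice, not a side effect.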
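Review bot: Both branches of the if/else add the same two overrides, `'log_user' => 'root'` and `'log_mode' => '0755'`, so the two hash literals now differ only in `'manage_repo' => true`. The condition sits above the hunk and is not visible, so I cannot tell what it distinguishes, but hoisting the shared keys into one hash and merging the branch-specific part (Puppet's `+` on hashes) would keep the DSA-3701 ownership mitigation in a single place, where it cannot silently be dropped from one branch in a later edit.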
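Review bot: The updated example asserts only the Debian outcome (`owner: 'root'`, `mode: '0755'`); nothing in the diff covers the non-Debian defaults the params.pp hunks introduce (`log_user => 'nginx'`, `log_mode => '0755'`), so a regression flipping either default would pass the suite. The facts this example runs under are set outside the hunk; assuming it is the Debian-family context (the `group: 'adm'` expectation suggests so), a parallel example under a RedHat-family fact set asserting `owner: 'nginx'`, `group: 'root'`, `mode: '0755'` would pin both branches. A short description on the `it do` block, e.g. `it 'keeps the log dir out of the daemon user\'s hands (DSA-3701)' do`, would also record why `root` rather than `www-data` is the expected owner.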