OFFLIST Re: Call for testing: nginx 1.20.0 with permission changes on logs

Hi,

OFFLIST as it's not directly pertinent to your specific distro pkgs.

but, since you're packaging, fwiw, I take a very different approach than distro-pkgd atm,

  https://download.copr.fedorainfracloud.org/results/pgfed/nginx-mainline/fedora-33-x86_64/02142389-nginx/nginx.spec

that puts runtime service files under /run/nginx and logs under /var/log/nginx, both chown'd as wwwrun:www.

personally, I find it a lot cleaner, easier to manage.  my $0.02, anyway.

that said, I'm very clear 'my' pkg'ing is not even close to release canonical ... i.e., just fyi.




On 4/21/21 1:25 PM, Felix Kaechele via devel wrote:
Dear Fedorans,

Nginx 1.20.0 stable was just released and I took the opportunity to squash some long-standing open bugs while updating the package.

The new release is on its way to updates-testing right now.

I would like to encourage some extra testing for this release as there is one behaviour change, specific to Fedora/EPEL, that may affect some use cases:
The ownership and mode of the log directory have changed to root:root and 700 respectively. Logrotate (if in use) no longer creates the logfiles when rotating and leaves this to nginx which will create them as root:root-owned.
This matches the behaviour of httpd in Fedora.
You may see the effects of this if you are using external tools to process these logs that do not run as root, but as the nginx user instead.

The bugs relating to this are:
- BZ#1390183 CVE-2016-1247 nginx: Local privilege escalation via log files [fedora-all]

- BZ#1683388 Log file ownership created by logrotate inconsistent with the one created by systemd

In my local testing I have not seen any changes to behaviour but I would like to make extra sure everything continues to work as expected for users as this version of the package will make its way to EPEL 7 as well to replace the EOL version of nginx that is currently packaged there.

Quite a number of other bugs that I deem to have no effect on simple upgrades have made their way into this release of the package as well. Specifically:
- BZ#1565377 Service reload should check configuration file
- BZ#1708799 Drop nginx requirement on nginx-all-modules
- BZ#1834452 Enable --with-compat configure option
- BZ#1869026 nginx.service fails to parse /run/nginx.pid
- BZ#1943779 nginx.service wants wrong network target - causes race condition on boot

Here are the links to Bodhi for this update. Please test these releases and provide feedback/karma.

Fedora 34: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3aa9ac7fd1
Fedora 33: https://bodhi.fedoraproject.org/updates/FEDORA-2021-10c1cd4cba
Fedora 32: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1556d440ba

Thanks a ton!

Regards,
Felix
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
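
Added example, not part of either message or of the Fedora package: a shell function that audits a log directory against the ownership and mode stated in the announcement (root:root, 700) and reports entries that would differ after the upgrade. The function name check_log_dir and its output format are assumptions made for this example, and it relies on GNU stat from coreutils.

```shell
#!/bin/sh
# Added example: audit a log directory against an expected owner and mode.
# Defaults follow the announcement above: root:root and 700.
# Usage: check_log_dir /var/log/nginx            (defaults)
#        check_log_dir /var/log/nginx wwwrun:www 750   (custom policy)
# Returns 0 if clean, 1 if there are findings, 2 if DIR is not a directory.
check_log_dir() {
    dir=$1
    want_owner=${2:-root:root}
    want_mode=${3:-700}
    findings=0

    # Refuse to follow a symlinked log directory.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a real directory"
        return 2
    fi

    owner=$(stat -c '%U:%G' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$owner" != "$want_owner" ]; then
        echo "FINDING: $dir owner $owner, expected $want_owner"
        findings=$((findings + 1))
    fi
    if [ "$mode" != "$want_mode" ]; then
        echo "FINDING: $dir mode $mode, expected $want_mode"
        findings=$((findings + 1))
    fi

    # Check each entry: nginx is expected to create plain files with the
    # same owner as the directory; anything else deserves a look.
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # empty or unreadable dir
        if [ -L "$f" ]; then
            echo "FINDING: $f is a symlink"
            findings=$((findings + 1))
            continue
        fi
        fowner=$(stat -c '%U:%G' "$f")
        if [ "$fowner" != "$want_owner" ]; then
            echo "FINDING: $f owner $fowner, expected $want_owner"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

Run it as root, since a directory with mode 700 cannot be listed by other users.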