sous-chefs / nginx

Development repository for the nginx cookbook
https://supermarket.chef.io/cookbooks/nginx
Apache License 2.0

Insecure default owner/group for files and folders created by nginx_config & nginx_site on Debian based platforms #591

Closed hrak closed 3 years ago

hrak commented 3 years ago

:ghost: Brief Description

The nginx_config and nginx_site resources use an insecure default owner/group for files and folders created by the nginx_config & nginx_site resources.

The resources use owner nginx_user and group nginx_group by default. These default to www-data on Debian-based distros, allowing any webserver process (e.g. php-fpm) to alter config files or vhost definitions, and to create or delete files.

This was already discussed in #572 but the defaults are still insecure.

:pancakes: Cookbook version

12.0.5

:woman_cook: Chef-Infra Version

17.3.48

:tophat: Platform details

Ubuntu 20.04

Steps To Reproduce

Steps to reproduce the behavior:

  1. converge cookbook on Ubuntu 20.04
  2. observe all vhost config files in /etc/nginx/conf.http.d owned by www-data, several folders owned by www-data, nginx.conf owned by www-data

:police_car: Expected behavior

A secure config by default.
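The following is an added example, not code from the nginx cookbook or from the issue author. It audits an nginx configuration tree for the condition the issue describes: paths that the web-server user could modify, because the web-server user owns them, the web-server group has write access, or they are world-writable. The `Entry` struct, the `audit` functions and the sample tree are all constructed here; the sample assumes www-data is uid/gid 33, as it is on Debian-based systems. To check a real host, call `audit_tree('/etc/nginx')` as root.

```ruby
# Added example, not code from the nginx cookbook or from the issue author.
# Audits an nginx config tree for paths that the web-server user (www-data on
# Debian/Ubuntu) could modify, which is the condition the issue describes.
require 'etc'
require 'find'

# The ownership facts we need for each path, as File::Stat reports them.
Entry = Struct.new(:path, :uid, :gid, :mode)

# True if a process running as web_uid/web_gid could alter this path: it owns
# the path (the owner can always chmod it writable), or the path is writable by
# the web group, or it is world-writable.
def web_user_can_modify?(entry, web_uid, web_gid)
  perm = entry.mode & 0o777
  return true if entry.uid == web_uid
  return true if entry.gid == web_gid && (perm & 0o020) != 0
  (perm & 0o002) != 0
end

# Returns [[path, reason], ...] for every entry the web user could modify.
def audit(entries, web_uid:, web_gid:)
  entries.each_with_object([]) do |e, findings|
    next unless web_user_can_modify?(e, web_uid, web_gid)
    reason = if e.uid == web_uid
               'owned by web-server user'
             elsif e.gid == web_gid
               'writable by web-server group'
             else
               'world-writable'
             end
    findings << [e.path, reason]
  end
end

# Audit a real directory on a host (e.g. audit_tree('/etc/nginx')); resolves the
# web user through the password database so uid/gid are not hard-coded.
def audit_tree(root, web_user: 'www-data')
  pw = Etc.getpwnam(web_user)
  entries = []
  Find.find(root) do |path|
    st = File.lstat(path)
    entries << Entry.new(path, st.uid, st.gid, st.mode)
  end
  audit(entries, web_uid: pw.uid, web_gid: pw.gid)
end

# Constructed sample of what the issue reports after converging on Ubuntu 20.04
# (nginx.conf, the conf.http.d folder and the vhost files owned by www-data).
# www-data is uid/gid 33 on Debian-based systems (assumption for the sample).
WWW_DATA = 33
SAMPLE_TREE = [
  Entry.new('/etc/nginx',                          0,        0,        0o040755),
  Entry.new('/etc/nginx/nginx.conf',               WWW_DATA, WWW_DATA, 0o100644),
  Entry.new('/etc/nginx/mime.types',               0,        0,        0o100644),
  Entry.new('/etc/nginx/conf.http.d',              WWW_DATA, WWW_DATA, 0o040755),
  Entry.new('/etc/nginx/conf.http.d/default.conf', WWW_DATA, WWW_DATA, 0o100644),
  Entry.new('/etc/nginx/conf.http.d/shared.conf',  0,        WWW_DATA, 0o100664),
  Entry.new('/etc/nginx/conf.http.d/ok.conf',      0,        0,        0o100644),
]

# Findings for the constructed sample: four paths a php-fpm worker running as
# www-data could rewrite, while root-owned 0644 files are not reported.
def sample_findings
  audit(SAMPLE_TREE, web_uid: WWW_DATA, web_gid: WWW_DATA)
end

if __FILE__ == $PROGRAM_NAME
  sample_findings.each { |path, reason| puts "#{path}: #{reason}" }
end
```

A clean result is root-owned files with mode 0644 and root-owned directories with mode 0755; nginx only needs to read its configuration, and the worker processes that drop to www-data never need write access to it.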