sous-chefs / nginx

Development repository for the nginx cookbook
https://supermarket.chef.io/cookbooks/nginx
Apache License 2.0

The changes in #593 make nginx run as root by default without privilege separation on platform family debian #604

Closed hrak closed 2 years ago

hrak commented 2 years ago

:ghost: Brief Description

#593 was supposed to address the issues I reported in #591 but only made things worse. Nginx is now running as root by default on platform_family?('debian') without privilege separation (not dropping privileges after binding port). This is a serious security issue.

:pancakes: Cookbook version

12.0.6 and up

:woman_cook: Chef-Infra Version

17.10.3

:tophat: Platform details

Ubuntu 20.04

Steps To Reproduce

Steps to reproduce the behavior:

  1. converge cookbook 12.0.6 or newer
  2. observe all processes running as root
root        2918  0.0  0.1  56256  5608 ?        Ss   Jun15   0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
root     2612257  0.0  0.1  56956  5524 ?        S    10:43   0:00 nginx: worker process
root     2612258  0.0  0.1  56956  5520 ?        S    10:43   0:00 nginx: worker process

:police_car: Expected behavior

expected situation:

I expect the process user to be www-data on platform family debian

root         642  0.0  0.0  56020   276 ?        Ss   May19   0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data     644  0.0  0.0  56812  3720 ?        S    May19   6:21 nginx: worker process
www-data     645  0.0  0.0  56680  3008 ?        S    May19   0:00 nginx: worker process

:heavy_plus_sign: Additional context

My initial security issue report: #591

The change that was applied: #593

Even though #593 fixed the initial issue of the webserver being able to alter/remove configuration files, it only did it for platform family Debian (apart from creating a large security issue). On all platforms other than Debian the webserver will run as user:group nginx:nginx while all configuration objects are owned by nginx:nginx mode 640. So the main issue at hand here is that the configuration files should have a different owner than the process user.

So I propose:

debian family:

All config files owned by root:root mode 640 with process user www-data:www-data

the others:

All config files owned by root:root mode 640 with process user nginx:nginx
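
An added example, not part of the issue or the cookbook's own code: a Ruby check that runs over the two `ps` listings quoted above and over config ownership as described in the report. The method names, the `CONF_*` entries and the `/etc/nginx/nginx.conf` path are assumptions made for illustration.

```ruby
# Added example (not cookbook code); method and constant names are hypothetical.

# The two `ps` listings quoted in the issue: observed (12.0.6+) and expected.
PS_OBSERVED = <<~PS
  root        2918  0.0  0.1  56256  5608 ?        Ss   Jun15   0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
  root     2612257  0.0  0.1  56956  5524 ?        S    10:43   0:00 nginx: worker process
  root     2612258  0.0  0.1  56956  5520 ?        S    10:43   0:00 nginx: worker process
PS
PS_EXPECTED = <<~PS
  root         642  0.0  0.0  56020   276 ?        Ss   May19   0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
  www-data     644  0.0  0.0  56812  3720 ?        S    May19   6:21 nginx: worker process
  www-data     645  0.0  0.0  56680  3008 ?        S    May19   0:00 nginx: worker process
PS

# Constructed file metadata: the non-Debian state the issue describes, and the proposal.
CONF_CURRENT  = [{ path: '/etc/nginx/nginx.conf', owner: 'nginx', group: 'nginx', mode: 0o640 }].freeze
CONF_PROPOSED = [{ path: '/etc/nginx/nginx.conf', owner: 'root', group: 'root', mode: 0o640 }].freeze

# Parse `ps aux`-style text into nginx master/worker records.
def nginx_procs(ps_text)
  ps_text.each_line.filter_map do |line|
    fields = line.split(' ', 11) # COMMAND is the 11th column and may contain spaces
    next unless fields.size == 11

    role = fields[10][/\Anginx: (master|worker) process/, 1]
    { user: fields[0], pid: fields[1].to_i, role: role } if role
  end
end

# Workers that kept root. A root master is normal (it binds the port); root workers are not.
def root_workers(ps_text)
  nginx_procs(ps_text).select { |p| p[:role] == 'worker' && p[:user] == 'root' }
end

# Config entries the worker account could alter: owned by the worker user (the owner
# can always chmod), group-writable for the worker group, or world-writable.
def writable_by_worker(entries, user, group)
  entries.select do |e|
    e[:owner] == user ||
      (e[:group] == group && (e[:mode] & 0o020).positive?) ||
      (e[:mode] & 0o002).positive?
  end
end

puts "root workers: #{root_workers(PS_OBSERVED).map { |p| p[:pid] }.inspect}"
puts "worker-writable config: #{writable_by_worker(CONF_CURRENT, 'nginx', 'nginx').map { |e| e[:path] }.inspect}"
```

On a live host the same methods can take the output of `ps aux` and entries built from `File.stat`; removing a file also depends on write permission on its parent directory, which this check does not cover.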