The changes in #593 make nginx run as root by default without privilege separation on platform family debian
hrak opened this issue · 0 comments
Brief Description
#593 was supposed to address the issues I reported in #591 but only made things worse. Nginx is now running as root by default on platform_family?('debian') without privilege separation (not dropping privileges after binding port). This is a serious security issue.
Cookbook version
12.0.6 and up
Chef-Infra Version
17.10.3
Platform details
Ubuntu 20.04
Steps To Reproduce
Steps to reproduce the behavior:
- converge cookbook 12.0.6 or newer
- observe all processes running as root
root 2918 0.0 0.1 56256 5608 ? Ss Jun15 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
root 2612257 0.0 0.1 56956 5524 ? S 10:43 0:00 nginx: worker process
root 2612258 0.0 0.1 56956 5520 ? S 10:43 0:00 nginx: worker process
Expected behavior
expected situation:
I expect the process user to be www-data on platform family debian
root 642 0.0 0.0 56020 276 ? Ss May19 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 644 0.0 0.0 56812 3720 ? S May19 6:21 nginx: worker process
www-data 645 0.0 0.0 56680 3008 ? S May19 0:00 nginx: worker process
Additional context
My initial security issue report: #591
The change that was applied #593
Even though #593 fixed the initial issue of the webserver being able to alter/remove configuration files, it only did it for platform family Debian (apart from creating a large security issue). On all platforms other than Debian the webserver will run as user:group nginx:nginx while all configuration objects are owned by nginx:nginx mode 640. So the main issue at hand here is that the configuration files should have a different owner than the process user.
So I propose:
- debian family: all config files owned by root:root mode 640 with process user www-data:www-data
- the others: all config files owned by root:root mode 640 with process user nginx:nginx
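
An added example, not part of the issue or the cookbook: a small Ruby audit for the two conditions reported above, nginx workers still running as root and configuration files owned by the worker user. The `ps` lines, the `/etc/nginx/nginx.conf` entries and all function names are constructed for illustration.

```ruby
# Added example, not cookbook code. All sample data below is constructed.
NginxProc = Struct.new(:user, :pid, :role)

# Parse `ps aux`-style lines, keeping only nginx master/worker processes.
def parse_nginx_procs(ps_output)
  ps_output.each_line.filter_map do |line|
    m = line.match(/\A(\S+)\s+(\d+)\s.*\bnginx: (master|worker) process/)
    NginxProc.new(m[1], m[2].to_i, m[3].to_sym) if m
  end
end

# The master stays root to bind ports; workers must have dropped privileges.
def root_workers(procs)
  procs.select { |p| p.role == :worker && p.user == 'root' }.map(&:pid)
end

# Flag config files a non-root worker could modify: owned by the worker user,
# group-writable by its group (assumed to share the user's name), or world-writable.
def writable_by_workers(files, procs)
  users = procs.select { |p| p.role == :worker }.map(&:user).uniq - ['root']
  files.select do |f|
    users.include?(f[:owner]) ||
      (users.include?(f[:group]) && (f[:mode] & 0o020) != 0) ||
      (f[:mode] & 0o002) != 0
  end.map { |f| f[:path] }
end

# Constructed samples: Debian after #593, and another platform family.
DEBIAN_PS = <<~PS
  root 2918 0.0 0.1 56256 5608 ? Ss Jun15 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
  root 2612257 0.0 0.1 56956 5524 ? S 10:43 0:00 nginx: worker process
  root 2612258 0.0 0.1 56956 5520 ? S 10:43 0:00 nginx: worker process
PS
OTHER_PS = <<~PS
  root 700 0.0 0.0 56020 276 ? Ss May19 0:00 nginx: master process /usr/sbin/nginx
  nginx 701 0.0 0.0 56812 3720 ? S May19 0:00 nginx: worker process
PS
CURRENT_FILES  = [{ path: '/etc/nginx/nginx.conf', owner: 'nginx', group: 'nginx', mode: 0o640 }]
PROPOSED_FILES = [{ path: '/etc/nginx/nginx.conf', owner: 'root', group: 'root', mode: 0o640 }]

if __FILE__ == $PROGRAM_NAME
  puts "root workers: #{root_workers(parse_nginx_procs(DEBIAN_PS)).inspect}"
  puts "worker-writable config: #{writable_by_workers(CURRENT_FILES, parse_nginx_procs(OTHER_PS)).inspect}"
end
```

On a real host the same functions can be fed the output of `ps aux` and entries built from `File.stat` on each managed configuration file.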