[nginx] [Security] privilege escalation (CVE-2016-1247)
Summary
=======
The package nginx is vulnerable to privilege escalation via CVE-2016-1247.
Guidance
========
The current permission setup on /var/log/nginx/ allows the privilege escalation to happen. We should adapt it (like nearly all distros).
> ls -ld /var/log/nginx
drwxr-x--- 2 http log 4096 Jan 8 00:00 /var/log/nginx
To mitigate this issue, this should be:
> ls -ld /var/log/nginx
drwxr-xr-x 2 root root 20480 Jan 14 06:25 /var/log/nginx/
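
A check for the two states shown above, as an added example that is not part of the original report. The helper names `classify_logdir` and `audit_logdir` are hypothetical, the rule (owner must be root, no write access for a non-root group or for others) is a generalization of the target state given here, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the report): audit a log directory against the
# target state "root:root, mode 755" that the report asks for.

# classify_logdir OCTAL_MODE OWNER GROUP
# Prints "ok" and returns 0, or prints "risky: <reason>" and returns 1.
# Works on plain values, so it can be checked without touching the filesystem.
classify_logdir() {
    mode=$1 owner=$2 group=$3
    # Read the mode as an octal number (leading 0 forces octal in sh arithmetic).
    bits=$(( 0$mode ))
    if [ "$owner" != "root" ]; then
        echo "risky: owned by $owner instead of root"
        return 1
    fi
    # 020 is the group write bit; only a concern for a non-root group.
    if [ $(( bits & 020 )) -ne 0 ] && [ "$group" != "root" ]; then
        echo "risky: writable by group $group"
        return 1
    fi
    # 002 is the write bit for everyone else.
    if [ $(( bits & 002 )) -ne 0 ]; then
        echo "risky: world-writable"
        return 1
    fi
    echo "ok"
}

# audit_logdir DIR
# Reads mode, owner and group of DIR with GNU stat and classifies them.
audit_logdir() {
    dir=$1
    [ -d "$dir" ] || { echo "skip: $dir is not a directory"; return 2; }
    # Word splitting is intended: stat prints "mode owner group".
    set -- $(stat -c '%a %U %G' "$dir")
    printf '%s: ' "$dir"
    classify_logdir "$1" "$2" "$3"
}

# Run only when a directory is given, e.g.: sh audit.sh /var/log/nginx
if [ $# -gt 0 ]; then
    audit_logdir "$1"
fi
```
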
References
==========
https://security.archlinux.org/AVG-138
https://security.archlinux.org/CVE-2016-1247
https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html