From 8257b9e9049a2592c9858941775a11b5a98ec1f7 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Sun, 13 Mar 2022 12:50:33 -0400
Subject: [PATCH] 18700: Fix nginx temp dir permissions.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 lib/boot/nginx.go | 23 ++++++-----------------
 lib/boot/supervisor.go | 4 ++--
 lib/install/deps.go | 2 +-
 sdk/python/tests/nginx.conf | 11 +++++------
 sdk/python/tests/run_test_server.py | 5 ++---
 5 files changed, 16 insertions(+), 29 deletions(-)
diff --git a/lib/boot/nginx.go b/lib/boot/nginx.go
index f212254d23..e67bc1d900 100644
--- a/lib/boot/nginx.go
+++ b/lib/boot/nginx.go
@@ -12,7 +12,6 @@ import (
 "net/url"
 "os"
 "os/exec"
- "os/user"
 "path/filepath"
 "regexp"
@@ -117,28 +116,18 @@ func (runNginx) Run(ctx context.Context, fail func(error), super *Supervisor) er
 }
 }
- args := []string{
- "-g", "error_log stderr info;",
- "-g", "pid " + filepath.Join(super.wwwtempdir, "nginx.pid") + ";",
- "-c", conffile,
- }
- // Nginx ignores "user www-data;" when running as a non-root
- // user... except that it causes it to ignore our other -g
- // options. So we still have to decide for ourselves whether
- // it's needed.
- if u, err := user.Current(); err != nil {
- return fmt.Errorf("user.Current(): %w", err)
- } else if u.Uid == "0" {
- args = append([]string{"-g", "user www-data;"}, args...)
- }
+ configs := "error_log stderr info; "
+ configs += "pid " + filepath.Join(super.wwwtempdir, "nginx.pid") + "; "
+ configs += "user www-data; "
 super.waitShutdown.Add(1)
 go func() {
 defer super.waitShutdown.Done()
- fail(super.RunProgram(ctx, ".", runOptions{}, nginx, args...))
+ fail(super.RunProgram(ctx, ".", runOptions{}, nginx, "-g", configs, "-c", conffile))
 }()
 // Choose one of the ports where Nginx should listen, and wait
- // here until we can connect. If ExternalURL is https://foo (with no port) then we connect to "foo:https"
+ // here until we can connect. If ExternalURL is https://foo
+ // (with no port) then we connect to "foo:https"
 testurl := url.URL(super.cluster.Services.Controller.ExternalURL)
 if testurl.Port() == "" {
 testurl.Host = net.JoinHostPort(testurl.Host, testurl.Scheme)
diff --git a/lib/boot/supervisor.go b/lib/boot/supervisor.go
index 00e981afc5..323f672348 100644
--- a/lib/boot/supervisor.go
+++ b/lib/boot/supervisor.go
@@ -60,8 +60,8 @@ type Supervisor struct {
 waitShutdown sync.WaitGroup
 bindir string
- tempdir string
- wwwtempdir string
+ tempdir string // in production mode, this is accessible only to root
+ wwwtempdir string // in production mode, this is accessible only to www-data
 configfile string
 environ []string // for child processes
 }
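Review bot: The reason the three directives are now folded into a single `-g` argument is no longer stated anywhere, yet the added `configs` lines depend on it; the removed comment hinted that a separate `user www-data;` `-g` made nginx drop the other `-g` options, so a maintainer who later splits them back into separate flags would silently lose `error_log`/`pid` again. A one-line comment above `configs := ...` would pin this down, e.g. `// All global directives go in one -g string: nginx appears to honor only the last -g value.` Separately, `super.wwwtempdir` is interpolated into the `pid` directive unquoted, so a temp dir path containing whitespace or `;` would break the directive; writing `configs += "pid \"" + filepath.Join(super.wwwtempdir, "nginx.pid") + "\"; "` is cheap insurance. Note also that `user www-data;` is now passed unconditionally, which in non-root (dev) runs nginx presumably reports as an ignored directive at every start — harmless, but worth a word in the same comment if that log noise matters. Run's body starts before the hunk.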
diff --git a/lib/install/deps.go b/lib/install/deps.go
index 414bb48204..6090a51a7f 100644
--- a/lib/install/deps.go
+++ b/lib/install/deps.go
@@ -220,7 +220,6 @@ func (inst *installCommand) RunCommand(prog string, args []string, stdin io.Read
 os.Mkdir("/var/lib/arvados", 0755)
 os.Mkdir("/var/lib/arvados/tmp", 0700)
 if prod || pkg {
- os.Mkdir("/var/lib/arvados/wwwtmp", 0700)
 u, er := user.Lookup("www-data")
 if er != nil {
 err = fmt.Errorf("user.Lookup(%q): %w", "www-data", er)
@@ -228,6 +227,7 @@ func (inst *installCommand) RunCommand(prog string, args []string, stdin io.Read
 }
 uid, _ := strconv.Atoi(u.Uid)
 gid, _ := strconv.Atoi(u.Gid)
+ os.Mkdir("/var/lib/arvados/wwwtmp", 0700)
 err = os.Chown("/var/lib/arvados/wwwtmp", uid, gid)
 if err != nil {
 return 1
diff --git a/sdk/python/tests/nginx.conf b/sdk/python/tests/nginx.conf
index bfb1226f7f..25a6f2096d 100644
--- a/sdk/python/tests/nginx.conf
+++ b/sdk/python/tests/nginx.conf
@@ -3,7 +3,6 @@
 # SPDX-License-Identifier: Apache-2.0
 daemon off;
-error_log "{{ERRORLOG}}" info; # Yes, must be specified here _and_ cmdline
 events {
 }
 http {
@@ -11,11 +10,11 @@ http {
 '[$time_local] "$http_x_request_id" $server_name $status $body_bytes_sent $request_time $request_method "$scheme://$http_host$request_uri" $remote_addr:$remote_port '
 '"$http_referer" "$http_user_agent"';
 access_log "{{ACCESSLOG}}" customlog;
- client_body_temp_path "{{TMPDIR}}/nginx";
- proxy_temp_path "{{TMPDIR}}/nginx";
- fastcgi_temp_path "{{TMPDIR}}/nginx";
- uwsgi_temp_path "{{TMPDIR}}/nginx";
- scgi_temp_path "{{TMPDIR}}/nginx";
+ client_body_temp_path "{{TMPDIR}}";
+ proxy_temp_path "{{TMPDIR}}";
+ fastcgi_temp_path "{{TMPDIR}}";
+ uwsgi_temp_path "{{TMPDIR}}";
+ scgi_temp_path "{{TMPDIR}}";
 upstream controller {
 server {{LISTENHOST}}:{{CONTROLLERPORT}};
 }
diff --git a/sdk/python/tests/run_test_server.py b/sdk/python/tests/run_test_server.py
index 9f27510f48..6514c2af45 100644
--- a/sdk/python/tests/run_test_server.py
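Review bot: The relocated `os.Mkdir("/var/lib/arvados/wwwtmp", 0700)` in the second deps.go hunk still discards its error, so on a host upgraded from an earlier install where `wwwtmp` already exists with a wider mode, Mkdir fails silently, the mode is never tightened, and only the following `os.Chown` takes effect — which undercuts the commit's stated purpose of fixing the temp dir permissions. Treating any Mkdir error other than `os.IsExist` as fatal and then calling `os.Chmod(..., 0700)` before the Chown gives the same end state whether or not the directory pre-existed. The `tmp` directory created in the context lines of the first hunk has the same discarded-error pattern, but that is outside this change. RunCommand starts and ends outside the hunk; I am assuming the `return 1` path reports `err` somewhere in the part not shown, as the existing Chown handling implies.
```go
	uid, _ := strconv.Atoi(u.Uid)
	gid, _ := strconv.Atoi(u.Gid)
	const wwwtmp = "/var/lib/arvados/wwwtmp"
	if err = os.Mkdir(wwwtmp, 0700); err != nil && !os.IsExist(err) {
		return 1
	}
	// Enforce the mode even when the directory already existed with a wider one.
	if err = os.Chmod(wwwtmp, 0700); err != nil {
		return 1
	}
	err = os.Chown(wwwtmp, uid, gid)
	// … unchanged: Chown error handling …
```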
+++ b/sdk/python/tests/run_test_server.py
@@ -641,7 +641,7 @@ def run_nginx():
 nginxconf['SSLKEY'] = os.path.join(SERVICES_SRC_DIR, 'api', 'tmp', 'self-signed.key')
 nginxconf['ACCESSLOG'] = _logfilename('nginx_access')
 nginxconf['ERRORLOG'] = _logfilename('nginx_error')
- nginxconf['TMPDIR'] = TEST_TMPDIR
+ nginxconf['TMPDIR'] = TEST_TMPDIR + '/nginx'
 conftemplatefile = os.path.join(MY_DIRNAME, 'nginx.conf')
 conffile = os.path.join(TEST_TMPDIR, 'nginx.conf')
@@ -656,8 +656,7 @@ def run_nginx():
 nginx = subprocess.Popen(
 ['nginx',
- '-g', 'error_log stderr info;',
- '-g', 'pid '+_pidfile('nginx')+';',
+ '-g', 'error_log stderr info; pid '+_pidfile('nginx')+';',
 '-c', conffile],
 env=env, stdin=open('/dev/null'), stdout=sys.stderr)
 _wait_until_port_listens(nginxconf['CONTROLLERSSLPORT'])
-- 
2.30.2
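Review bot: The changed line builds the path with `TEST_TMPDIR + '/nginx'` while the two lines right below it use `os.path.join`; `nginxconf['TMPDIR'] = os.path.join(TEST_TMPDIR, 'nginx')` keeps run_nginx consistent and avoids a doubled separator if TEST_TMPDIR ever carries a trailing slash. Relatedly, the `nginxconf['ERRORLOG']` context line still populates a template variable that this same patch appears to stop referencing in nginx.conf, so the entry and the `_logfilename('nginx_error')` path it names look dead now; either drop it or leave a short comment saying why it stays. run_nginx starts before the hunk.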