author | Thomas Deutschmann <whissi@gentoo.org> | 2017-01-08 00:29:14 +0100 |
---|---|---|
committer | Thomas Deutschmann <whissi@gentoo.org> | 2017-01-08 00:30:45 +0100 |
commit | 7e9a4ebc9ca7bb35814cacf85c9a28cdab6fdf9f (patch) | |
tree | 687b76b9adf13c4cba39b8adf899249a68ec1e67 /www-servers/nginx/files/nginx.initd-r4 | |
parent | virtual/perl-IO-Socket-IP: Spread missing keywords from dev-lang/perl (diff) | |
www-servers/nginx: rev bump to fix CVE-2016-1247 (bug #605008)
Ebuild changes:
===============
- Rewritten pkg_postinst for a better user experience
- Package tries to show warnings/notices only when really needed
- Permission checks should now be more reliable, i.e. working when
switching between stable (:0) and mainline (:mainline) slot.
- An additional sanity check will make sure that at least permissions on
"/var/log/nginx" will prevent a known root privilege escalation
- Permissions on "/var/log/nginx" changed to 0710 and owner changed to
0:nginx to fix CVE-2016-1247 (bug #tba)
- Runscript: Bashisms removed
- User is now able to control most runscript options like used nginx'
config file, pidfile, user/group, start-stop-daemon arguments ... through
"/etc/conf.d/nginx"
Package-Manager: Portage-2.3.3, Repoman-2.3.1
Diffstat (limited to 'www-servers/nginx/files/nginx.initd-r4')
-rw-r--r-- | www-servers/nginx/files/nginx.initd-r4 | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/www-servers/nginx/files/nginx.initd-r4 b/www-servers/nginx/files/nginx.initd-r4
new file mode 100644
index 000000000000..1b7385f80c3f
--- /dev/null
+++ b/www-servers/nginx/files/nginx.initd-r4
@@ -0,0 +1,93 @@
+#!/sbin/openrc-run
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="configtest"
+extra_started_commands="upgrade reload"
+
+description="Robust, small and high performance http and reverse proxy server"
+description_configtest="Run nginx' internal config check."
+description_upgrade="Upgrade the nginx binary without losing connections."
+description_reload="Reload the nginx configuration without losing connections."
+
+NGINX_CONFIGFILE=${NGINX_CONFIGFILE:-/etc/nginx/nginx.conf}
+
+command="/usr/sbin/nginx"
+command_args="-c \"${NGINX_CONFIGFILE}\""
+start_stop_daemon_args=${NGINX_SSDARGS:-"--wait 1000"}
+pidfile=${NGINX_PIDFILE:-/run/nginx.pid}
+user=${NGINX_USER:-nginx}
+group=${NGINX_GROUP:-nginx}
+retry=${NGINX_TERMTIMEOUT:-"TERM/60/KILL/5"}
+
+depend() {
+ need net
+ use dns logger netmount
+}
+
+start_pre() {
+ if [ "${RC_CMD}" != "restart" ]; then
+ configtest || return 1
+ fi
+}
+
+stop_pre() {
+ if [ "${RC_CMD}" = "restart" ]; then
+ configtest || return 1
+ fi
+}
+
+stop_post() {
+ rm -f ${pidfile}
+}
+
+reload() {
+ configtest || return 1
+ ebegin "Refreshing nginx' configuration"
+ start-stop-daemon --signal SIGHUP --pidfile "${pidfile}"
+ eend $? "Failed to reload nginx"
+}
+
+upgrade() {
+ configtest || return 1
+ ebegin "Upgrading nginx"
+
+ einfo "Sending USR2 to old binary"
+ start-stop-daemon --signal SIGUSR2 --pidfile "${pidfile}"
+
+ einfo "Sleeping 3 seconds before pid-files checking"
+ sleep 3
+
+ if [ ! -f "${pidfile}.oldbin" ]; then
+ eerror "File with old pid not found"
+ return 1
+ fi
+
+ if [ ! -f "${pidfile}" ]; then
+ eerror "New binary failed to start"
+ return 1
+ fi
+
+ einfo "Sleeping 3 seconds before WINCH"
+ sleep 3
+ # Cannot send "WINCH" using start-stop-daemon yet, https://bugs.gentoo.org/604986
+ kill -WINCH $(cat "${pidfile}.oldbin")
+
+ einfo "Sending QUIT to old binary"
+ start-stop-daemon --signal SIGQUIT --pidfile "${pidfile}.oldbin"
+
+ einfo "Upgrade completed"
+ eend $? "Upgrade failed"
+}
+
+configtest() {
+ ebegin "Checking nginx' configuration"
+ ${command} -c "${NGINX_CONFIGFILE}" -t -q
+
+ if [ $? -ne 0 ]; then
+ ${command} -c "${NGINX_CONFIGFILE}" -t
+ fi
+
+ eend $? "failed, please correct errors above"
+} |
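Review bot: In `upgrade()`, the closing `eend $? "Upgrade failed"` comes right after `einfo "Upgrade completed"`, so `$?` is einfo's status and a failed `kill -WINCH` or a failed SIGQUIT to the old master is still reported as a successful upgrade. Check the signalling commands directly, for example `kill -WINCH "$(cat "${pidfile}.oldbin")" || { eend 1 "Upgrade failed"; return 1; }`, and put `eend $? "Upgrade failed"` immediately after the `start-stop-daemon --signal SIGQUIT` line. Separately, `stop_post()` runs `rm -f ${pidfile}` unquoted although the path can now be set through `NGINX_PIDFILE`; `rm -f "${pidfile}"` avoids word splitting and globbing and matches the quoting used in the rest of the script.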