From 0b5a896201729695a64278faabd3f9ea823fd1b6 Mon Sep 17 00:00:00 2001
From: Jamie Nguyen
Date: Fri, 22 Feb 2013 06:39:33 +0000
Subject: [PATCH] Make sure nginx directories are not world readable (#913724, #913735)
---
 nginx.spec | 22 ++++++++++++++++------
 sources | 1 -
 2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/nginx.spec b/nginx.spec
index e866eeb..afb0e52 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -11,7 +11,7 @@
 Name: nginx
 Epoch: 1
 Version: 1.2.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: A high performance web server and reverse proxy server
 Group: System Environment/Daemons
@@ -129,8 +129,9 @@ install -p -D -m 0644 %{SOURCE11} \
 %{buildroot}%{_sysconfdir}/logrotate.d/nginx
 install -p -d -m 0755 %{buildroot}%{nginx_confdir}/conf.d
-install -p -d -m 0755 %{buildroot}%{nginx_home_tmp}
-install -p -d -m 0755 %{buildroot}%{nginx_logdir}
+install -p -d -m 0700 %{buildroot}%{nginx_home}
+install -p -d -m 0700 %{buildroot}%{nginx_home_tmp}
+install -p -d -m 0700 %{buildroot}%{nginx_logdir}
 install -p -d -m 0755 %{buildroot}%{nginx_webroot}
 install -p -m 0644 %{SOURCE12} \
@@ -160,6 +161,12 @@ fi
 %post
 %systemd_post nginx.service
+if [ $1 -eq 2 ]; then
+ # Make sure these directories are not world readable.
+ chmod 700 %{nginx_home}
+ chmod 700 %{nginx_home_tmp}
+ chmod 700 %{nginx_logdir}
+fi
 %preun
 %systemd_preun nginx.service
@@ -178,7 +185,6 @@ fi
 %{_unitdir}/nginx.service
 %dir %{nginx_confdir}
 %dir %{nginx_confdir}/conf.d
-%dir %{nginx_logdir}
 %config(noreplace) %{nginx_confdir}/fastcgi.conf
 %config(noreplace) %{nginx_confdir}/fastcgi.conf.default
 %config(noreplace) %{nginx_confdir}/fastcgi_params
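Review bot: The 0700 mode for nginx_home, nginx_home_tmp and nginx_logdir is now written in three separate places: the `install -p -d -m 0700` lines of the %install hunk (@@ -129,8 +129,9 @@), the `chmod 700` calls added to %post, and the `%attr(700,...)` entries added to %files. The %attr entries determine the mode recorded in the package, so the install modes can drift from them without anything failing. A comment above the three install lines, `# mode is enforced by the %%attr(700,...) entries under %%files; keep in sync`, would make the relationship explicit.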
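Review bot: The `chmod 700` block in %post (@@ -160,6 +161,12 @@) runs on every later upgrade, not only the one that moves off the world-readable release, so a mode an administrator sets on purpose (for instance group access to the log directory for a log-forwarding agent) is reset each time; the comment should say that, e.g. `# Reapplied on each upgrade: local changes to these modes do not persist.` The guard `[ $1 -eq 2 ]` also leaves `$1` unquoted and matches only the value 2; `if [ "$1" -ge 2 ]; then` is the more defensive form of the upgrade test. The same directories get `%attr(700,...)` under %files, which presumably already applies the mode when the package is upgraded, so it is worth confirming the scriptlet is still needed.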
@@ -198,11 +204,15 @@ fi
 %dir %{perl_vendorarch}/auto/nginx
 %{perl_vendorarch}/nginx.pm
 %{perl_vendorarch}/auto/nginx/nginx.so
-%attr(-,%{nginx_user},%{nginx_group}) %dir %{nginx_home}
-%attr(-,%{nginx_user},%{nginx_group}) %dir %{nginx_home_tmp}
+%attr(700,%{nginx_user},%{nginx_group}) %dir %{nginx_home}
+%attr(700,%{nginx_user},%{nginx_group}) %dir %{nginx_home_tmp}
+%attr(700,%{nginx_user},%{nginx_group}) %dir %{nginx_logdir}
 %changelog
+* Fri Feb 22 2013 Jamie Nguyen - 1:1.2.7-2
+- make sure nginx directories are not world readable (#913724, #913735)
 * Sat Feb 16 2013 Jamie Nguyen - 1:1.2.7-1
 - update to upstream release 1.2.7
 - add .asc file
diff --git a/sources b/sources
index ed0f63e..8f2f540 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
 d252f5c689a14a668e241c744ccf5f06 nginx-1.2.7.tar.gz
-ad82b6bc2d437995b9cc474d97441c9d nginx-1.2.7.tar.gz.asc
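Review bot: The added `%attr(700,%{nginx_user},%{nginx_group}) %dir %{nginx_logdir}` line in %files (@@ -198,11 +204,15 @@) changes who owns the log directory, not only its mode: the entry dropped from the earlier %files hunk was a bare `%dir %{nginx_logdir}`, so the directory presumably had the section's default owner before (the %defattr line is outside the visible hunks). Handing the directory to the service account means that account can create and rename entries in a location the packaged logrotate job also works in, which is a wider grant than "not world readable" requires. If nothing running as nginx_user has to create files there, `%attr(700,root,root) %dir %{nginx_logdir}` closes the directory to other users without the ownership change; that depends on how the log files themselves are opened and rotated, which the patch does not show.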