[CentOS] Permissions on nginx logs

Tue May 7 00:57:07 UTC 2019
Warren Young <warren at etr-usa.com>

On May 6, 2019, at 10:14 AM, Bee.Lists <bee.lists at gmail.com> wrote:
> I will give 770 a try.

Try 750 first.  You don’t need write access to do what you’re asking.

Also, the group membership change won’t take effect until you log out and back in.

>  Nobody going to flip now that a single “7” has been posted?

There is a clear analogue to herd immunity here:


When sysadmins of Internet-attached hosts do things to make those hosts less secure, that makes them easier to take over, which means the botnets and stolen databases get bigger, which puts the rest of us on the Internet at greater risk.

So yeah, I think the rest of us do have some say in how you manage your systems’ security.  Not total, of course, but you should not dismiss good advice as “flipping.”

In this particular case, the risk is that there is some credential or other sensitive info logged by nginx which is now easier for an attacker to get at.  Those logs are hidden away for that reason and more.

How big that risk is only you can say at this point.  If you’ve got a purely static web site, for instance, there’s probably nothing important in that log, but if it’s acting as a reverse proxy for a back-end service, nginx might be logging passwords and such.