RHEL-113229: "nginx -t" tries to bind to the listening port, which may not always work and does not look correct to me anyway


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • Affects Version/s: rhel-8.10, rhel-9.6, rhel-10.0
    • Component/s: nginx
    • Severity: Low
    • Team: rhel-stacks-web-servers

      What were you trying to do that didn't work?

      As per nginx(8) manpage, the -t option is supposed to check the configuration but not run the service:

           -t             Do not run, just test the configuration file.  nginx checks the configuration file syntax and
                          then tries to open files referenced in the configuration file.
      

      It appears that this is not true: a bind() on port 80 (default configuration for nginx) is always performed, which looks like nonsense to me, as seen in the strace below:

      # strace -fttTvyy -s 128 -e bind -- nginx -t
      nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
      12:47:39.041307 bind(6<TCP:[32488]>, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 <0.000081>
      12:47:39.042162 bind(7<TCPv6:[32489]>, {sa_family=AF_INET6, sin6_port=htons(80), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::", &sin6_addr), sin6_scope_id=0}, 28) = 0 <0.000010>
      nginx: configuration file /etc/nginx/nginx.conf test is successful
      12:47:39.042902 +++ exited with 0 +++
      

      Last but not least, failing to bind leads to getting an error. Failing to bind will occur if the user executing the command is confined, even if he is root, e.g.:

      [sysadm@vm-rhel9 ~]$ id -Z
      sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
      
      [sysadm@vm-rhel9 ~]$ sudo -i
      [root@vm-rhel9 ~]# id -Z
      sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
      
      [root@vm-rhel9 ~]# nginx -t
      nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
      nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
      nginx: configuration file /etc/nginx/nginx.conf test failed
      [root@vm-rhel9 ~]# echo $?
      1
      

      Note that the "Permission denied" above is expected because the sysadm_t type is not designed to listen on ports.

      What is the impact of this issue to you?

      False-positive when testing the configuration

      Please provide the package NVR for which the bug is seen:

      All nginx releases

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Create a user mapped to sysadm_u
        # useradd -Z sysadm_u -G wheel sysadm
        # echo "redhat" | passwd --stdin sysadm
        # semanage boolean -m ssh_sysadm_login --on
        
      2. Login as the user and gain root
        # ssh sysadm@localhost
        $ sudo -i
        # id -Z
        sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
        
      3. Execute nginx -t command

      Expected results

      Configuration OK and retcode 0

      Actual results

      nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
      nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
      nginx: configuration file /etc/nginx/nginx.conf test failed
      
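The following shell script is an added example; it is not part of this bug report and not code from the nginx package. It shows the check a practitioner can wrap around "nginx -t" on an affected system: tell the bind() failure described here apart from a genuine configuration error (both exit 1, so the exit code alone cannot distinguish them), count the bind() calls in an strace capture like the one above, and read the SELinux type from "id -Z" so the check can warn before it is run as sysadm_t. The SAMPLE_OK, SAMPLE_DENIED and SAMPLE_STRACE strings are copied from the output shown on this page; SAMPLE_BAD is a constructed stand-in for a real configuration error; all function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report or the nginx project.
# Tells a bind() failure under "nginx -t" apart from a real config error,
# counts bind() calls in an strace capture, and reports the SELinux type.

# "nginx -t" output captured in the bug report: a successful run, and the
# run under the confined sysadm_t user that fails at bind().
SAMPLE_OK='nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful'

SAMPLE_DENIED='nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed'

# Constructed sample of a genuine configuration error (not from the page).
SAMPLE_BAD='nginx: [emerg] unknown directive "lisen" in /etc/nginx/nginx.conf:38
nginx: configuration file /etc/nginx/nginx.conf test failed'

# strace lines copied from the bug report: two bind() calls during "nginx -t".
SAMPLE_STRACE='12:47:39.041307 bind(6<TCP:[32488]>, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 <0.000081>
12:47:39.042162 bind(7<TCPv6:[32489]>, {sa_family=AF_INET6, sin6_port=htons(80), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::", &sin6_addr), sin6_scope_id=0}, 28) = 0 <0.000010>'

# classify_nginx_test OUTPUT -> ok | bind-denied | config-error
# "nginx -t" exits 1 in both failure cases; only the messages differ.
classify_nginx_test() {
    case $1 in
        *"syntax is ok"*"test is successful"*) echo ok ;;
        *"syntax is ok"*"bind() to "*" failed ("*) echo bind-denied ;;
        *) echo config-error ;;
    esac
}

# count_bind_calls STRACE_OUTPUT -> number of bind() syscalls seen
count_bind_calls() {
    printf '%s\n' "$1" | grep -c ' bind(' || true
}

# context_type "user:role:type:range" -> the SELinux type (third field)
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# run_nginx_test: run the real check when nginx is installed, otherwise
# fall back to the captured output so the script runs anywhere.
run_nginx_test() {
    if command -v nginx >/dev/null 2>&1; then
        out=$(nginx -t 2>&1 || true)
    else
        out=$SAMPLE_DENIED
    fi
    classify_nginx_test "$out"
}

# Warn up front when running in the confined sysadm_t domain, where the
# bind() performed by "nginx -t" is denied even for root.
if ctx=$(id -Z 2>/dev/null); then
    if [ "$(context_type "$ctx")" = sysadm_t ]; then
        echo "warning: running as sysadm_t; nginx -t will fail at bind()" >&2
    fi
fi
echo "nginx -t result: $(run_nginx_test)"
echo "bind() calls in sample strace: $(count_bind_calls "$SAMPLE_STRACE")"
```

Run it as the confined user from the reproduction steps: the warning is printed before "nginx -t" is invoked, and the captured output is reported as bind-denied rather than as a configuration error. Counting bind() calls under strace, as done above in the report, remains the direct way to confirm that "nginx -t" opens the listen sockets.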

              luhliari@redhat.com Lubos Uhliarik
              rhn-support-rmetrich Renaud Métrich
              Iveta Kyralova