[nginx] filedescriptor leak with audit_log rotation #838

Closed
prune998 opened this issue Feb 13, 2015 · 2 comments
@prune998

Nginx supports log-file rotation using the USR1 signal (kill -USR1 ).

First bug:
This is not honored by mod_security and its audit log.

Using the HUP signal seems to partially work.

Second bug:
After rotating (mv audit.log audit.log.old) the audit log file and doing a HUP kill on the process, I still see open files for the old files:

lsof -p 694241 | grep audit| grep itcro
nginx   694241 root    7w   REG              252,0   128158   395227 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.1
nginx   694241 root    8w   REG              252,0   128158   395227 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.1
nginx   694241 root   11w   REG              252,0        0   408570 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.3
nginx   694241 root   12w   REG              252,0        0   408570 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.3
nginx   694241 root   32w   REG              252,0   128158   395227 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.1
nginx   694241 root   33w   REG              252,0   128158   395227 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.1
nginx   694241 root   36w   REG              252,0        0   408571 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.4
nginx   694241 root   38w   REG              252,0        0   408571 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.4
nginx   694241 root   41w   REG              252,0   128158   395227 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.1
nginx   694241 root   42w   REG              252,0   128158   395227 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.1
nginx   694241 root   47w   REG              252,0        0   408576 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.6
nginx   694241 root   48w   REG              252,0        0   408576 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.6
nginx   694241 root   51w   REG              252,0    10095   408297 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.test
nginx   694241 root   52w   REG              252,0    10095   408297 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.test
nginx   694241 root   56w   REG              252,0        0   408567 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.2
nginx   694241 root   57w   REG              252,0        0   408567 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.2
nginx   694241 root   61w   REG              252,0        0   408574 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.5
nginx   694241 root   62w   REG              252,0        0   408574 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.5
nginx   694241 root   66w   REG              252,0        0   408578 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.7
nginx   694241 root   67w   REG              252,0        0   408578 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.7
nginx   694241 root   71w   REG              252,0        0   408581 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.8
nginx   694241 root   72w   REG              252,0        0   408581 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log.8
nginx   694241 root   76w   REG              252,0        0   408583 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log
nginx   694241 root   77w   REG              252,0        0   408583 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log
nginx   694241 root   81w   REG              252,0        0   408583 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log
nginx   694241 root   82w   REG              252,0        0   408583 /opt/data/nginx/logs/front.itcrowd.uat.xx.yy.audit.log

This will lead to file descriptor resource exhaustion...
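
A check for the symptom in the lsof listing above, as an added example that is not part of the original issue or of ModSecurity: it groups a process's audit-log descriptors by inode and flags those still pinned to rotated names, so a monitor can alert before descriptors run out or audit events keep landing in the old file. The function names and the sample paths and numbers are constructed; it assumes standard `lsof -p <pid>` columns and log paths without spaces.

```shell
#!/bin/sh
# Added example: summarize audit-log descriptors from `lsof -p <pid>` output.
# Assumed columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

# audit_fd_summary ACTIVE_PATH   (lsof output on stdin)
# Prints one line per open log file: "<state> <fd-count> <inode> <path>".
# state is ACTIVE for the configured log path, STALE for rotated or deleted files.
audit_fd_summary() {
    awk -v active="$1" '
        # regular files opened for writing whose name starts with the log path
        $5 == "REG" && $4 ~ /^[0-9]+[wu]/ && index($9, active) == 1 {
            key = $8 " " $9
            count[key]++
            state[key] = ($9 == active && $10 != "(deleted)") ? "ACTIVE" : "STALE"
        }
        END {
            for (k in count) print state[k], count[k], k
        }' | sort
}

# stale_fd_total ACTIVE_PATH: descriptors still held on rotated files.
stale_fd_total() {
    audit_fd_summary "$1" | awk '$1 == "STALE" { n += $2 } END { print n + 0 }'
}

# Constructed sample in lsof format (paths and numbers are made up).
sample_lsof() {
    cat <<'EOF'
nginx 4242 root  7w REG 252,0 128158 1001 /var/log/nginx/site.audit.log.1
nginx 4242 root  8w REG 252,0 128158 1001 /var/log/nginx/site.audit.log.1
nginx 4242 root 11w REG 252,0      0 1002 /var/log/nginx/site.audit.log.2
nginx 4242 root 12w REG 252,0      0 1002 /var/log/nginx/site.audit.log.2
nginx 4242 root 20w REG 252,0      0 1003 /var/log/nginx/site.audit.log
nginx 4242 root 21w REG 252,0      0 1003 /var/log/nginx/site.audit.log
nginx 4242 root  5w REG 252,0    512 1004 /var/log/nginx/error.log
EOF
}

sample_lsof | audit_fd_summary /var/log/nginx/site.audit.log
echo "stale descriptors: $(sample_lsof | stale_fd_total /var/log/nginx/site.audit.log)"
```

Against a live process, pipe `lsof -p <pid>` into `stale_fd_total` after each rotation; any value above 0 means the old file is still open, and an ACTIVE count that grows across rotations means the log is being reopened without closing the previous descriptor.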

@ikrauchanka

@zimmerle
Contributor

zimmerle commented May 6, 2017

Won't fix in 2.x and fixed in libmodsecurity

Further information available here - https://github.com/SpiderLabs/ModSecurity-nginx

@zimmerle zimmerle closed this as completed May 6, 2017
@zimmerle zimmerle self-assigned this May 6, 2017