PoC Exploit for Nginx packaging on Debian-based distros [video] (legalhackers.com)
11 points by dawid_golunski on Nov 16, 2016 | 8 comments


This was fixed in Ubuntu in October: https://www.ubuntu.com/usn/usn-3114-1/


Well, I guess for a webserver gaining any privileges is already bad. Of course privilege escalation is bad, especially on client machines, but on servers? Well, if you are an attacker from the outside and already have a shell, your security is done anyway.

Of course, as said, that won't apply to shared hosting (with shell) and client machines.


I just looked at my current Debian Jessie system and it is not as described. That is, /var/log/nginx is not owned by www-data; it is owned by root. It was freshly installed not too long ago and was only configured with my Ansible setup. So I'm pretty sure that was the default.


I think I know why... it was fixed a few weeks ago.

https://www.debian.org/security/2016/dsa-3701


An LSM such as SELinux, Tomoyo or AppArmor could mitigate this.


I was just researching these a little while ago and hadn't heard of Tomoyo. Turns out it is included in the mainline kernel and is pretty simple to use.

http://tomoyo.osdn.jp/

On Debian you just need to enable it via a kernel param and install tomoyo-tools to get going.


I like Tomoyo better than any of the others. I find it the easiest to configure and reason about.


Well um, this is disturbing. Fun times!



