nginx log uid/gid

Lubos Uhliarik luhliari at redhat.com
Wed May 9 15:00:54 UTC 2018


Hello nginx devel list,

I'm experiencing the following situation. When nginx is started, it creates logs in its log directory with the following permissions:

# ls -la /var/log/nginx
total 12
drwxrwx---. 2 nginx root 4096 May  9 09:59 .
drwxr-xr-x. 9 root  root 4096 May  9 07:01 ..
-rw-r--r--. 1 root  root    0 May  9 09:59 access.log
-rw-r--r--. 1 root  root  374 May  9 09:59 error.log

But when I send the USR1 signal to the nginx master process (for log rotation), it creates files with a different owner (the user specified
in the nginx configuration, in this case the "nginx" user).

# rm /var/log/nginx/*.log
# systemctl kill --signal=USR1 nginx
# ls -la /var/log/nginx
total 8
drwxrwx---. 2 nginx root 4096 May  9 10:02 .
drwxr-xr-x. 9 root  root 4096 May  9 07:01 ..
-rw-r--r--. 1 nginx root    0 May  9 10:02 access.log
-rw-r--r--. 1 nginx root    0 May  9 10:02 error.log

Is this behavior desired? I guess so, since in /src/os/unix/ngx_process_cycle.c there is:

if (ngx_reopen) {
    ngx_reopen = 0;
    ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reopening logs");
    ngx_reopen_files(cycle, ccf->user);
    ngx_signal_worker_processes(cycle,
                                ngx_signal_value(NGX_REOPEN_SIGNAL));
}

The ngx_reopen_files function call has its second parameter set (ccf->user), which in all other
cases is -1. Why do you change the owner only after processing the USR1 signal? This causes a problem
when nginx is restarted:

# systemctl restart nginx
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.

# systemctl status nginx.service
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2018-05-09 10:12:21 EDT; 5s ago
  Process: 1805 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 1817 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
  Process: 1816 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 1806 (code=exited, status=0/SUCCESS)

May 09 10:12:21 host-172-16-36-25 systemd[1]: Starting The nginx HTTP and reverse proxy server...
May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
May 09 10:12:21 host-172-16-36-25 nginx[1817]: 2018/05/09 10:12:21 [warn] 1817#0: could not build optimal types_hash, you should increase either types_hash_max_size: 2048 o>
May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
May 09 10:12:21 host-172-16-36-25 nginx[1817]: 2018/05/09 10:12:21 [emerg] 1817#0: open() "/var/log/nginx/error.log" failed (13: Permission denied)
May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: configuration file /etc/nginx/nginx.conf test failed
May 09 10:12:21 host-172-16-36-25 systemd[1]: nginx.service: Control process exited, code=exited status=1
May 09 10:12:21 host-172-16-36-25 systemd[1]: nginx.service: Failed with result 'exit-code'.
May 09 10:12:21 host-172-16-36-25 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.

This is a problem with SELinux (dac_override). Since the master process runs as root, /var/log/nginx has ownership nginx:root,
permissions 770, and NGX_FILE_DEFAULT_ACCESS is 644 for newly created logs.

One possible solution is to set a different permission mode for newly created logs (664 with nginx:root ownership), or not to set the
owner of the log files to the nginx user (which probably had some reason in the past, given the extra parameter in ngx_reopen_files).

Thank you for your help or advice!

Best,

--
Lubos Uhliarik
Software Engineer - EMEA ENG Developer Experience
RH - Brno - TPB-C - 1D221
IRC: zero_byte at irc.freenode.net

RED HAT | TRIED. TESTED. TRUSTED.
Every airline in the Fortune 500 relies on Red Hat.
Find out why at http://www.redhat.com/en/about/trusted

Red Hat Inc. http://cz.redhat.com


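The failure described in the message above is a plain DAC question: after the USR1 reopen, the log files are nginx:root 0644, so root (matching only the group bits) has no write permission and would need CAP_DAC_OVERRIDE, which the SELinux policy denies. The following script is an added example, not code from the post or from nginx; it evaluates the classic owner/group/other permission check without any capability override and reports which log files a given account could not open for append. The uid/gid values and the three directory snapshots (fresh start, after USR1, and the 664 mode proposed in the message) are constructed to mirror the listings in the post, and audit_live() is an assumed helper for running the same check against a real directory.

```python
import os
import stat
from dataclasses import dataclass

# Constructed ids for the example; real systems assign the nginx uid/gid at install time.
ROOT_UID, ROOT_GID = 0, 0
NGINX_UID, NGINX_GID = 992, 990

# Permission requests expressed as the 3-bit rwx mask used in each mode triplet.
READ, WRITE, SEARCH = 4, 2, 1


@dataclass(frozen=True)
class FileMeta:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only (no file-type bits)


def dac_allows(meta, uid, gids, want):
    """Plain discretionary access check: owner bits if uid matches, otherwise
    group bits if the file's group is among the caller's groups, else 'other'.
    CAP_DAC_OVERRIDE is deliberately NOT modelled, which is exactly the situation
    when an SELinux policy denies dac_override to a root process."""
    if uid == meta.uid:
        bits = (meta.mode >> 6) & 7
    elif meta.gid in gids:
        bits = (meta.mode >> 3) & 7
    else:
        bits = meta.mode & 7
    return bits & want == want


def audit_log_dir(dir_meta, file_metas, uid, gids):
    """Return (path, reason) pairs for everything the account (uid, gids) could not
    use without a capability override: the directory needs search permission,
    each log file needs write permission for open(O_APPEND)."""
    problems = []
    if not dac_allows(dir_meta, uid, gids, SEARCH):
        problems.append((dir_meta.path, "no search (x) permission on directory"))
    for m in file_metas:
        if not dac_allows(m, uid, gids, WRITE):
            problems.append((m.path, "no write permission; would require CAP_DAC_OVERRIDE"))
    return problems


def audit_live(directory, uid, gids):
    """Assumed helper: run the same check on a real directory via os.stat()."""
    def meta(p):
        st = os.stat(p)
        return FileMeta(p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    files = [meta(os.path.join(directory, n)) for n in os.listdir(directory)
             if n.endswith(".log")]
    return audit_log_dir(meta(directory), files, uid, gids)


# Constructed snapshots mirroring the ls -la output quoted in the message.
DIR_META = FileMeta("/var/log/nginx", NGINX_UID, ROOT_GID, 0o770)
FRESH_START = [
    FileMeta("/var/log/nginx/access.log", ROOT_UID, ROOT_GID, 0o644),
    FileMeta("/var/log/nginx/error.log", ROOT_UID, ROOT_GID, 0o644),
]
AFTER_USR1 = [
    FileMeta("/var/log/nginx/access.log", NGINX_UID, ROOT_GID, 0o644),
    FileMeta("/var/log/nginx/error.log", NGINX_UID, ROOT_GID, 0o644),
]
PROPOSED_664 = [
    FileMeta("/var/log/nginx/access.log", NGINX_UID, ROOT_GID, 0o664),
    FileMeta("/var/log/nginx/error.log", NGINX_UID, ROOT_GID, 0o664),
]

if __name__ == "__main__":
    for label, files in (("fresh start", FRESH_START),
                         ("after USR1", AFTER_USR1),
                         ("proposed 664", PROPOSED_664)):
        issues = audit_log_dir(DIR_META, files, ROOT_UID, {ROOT_GID})
        print(f"{label:13s} root master process: {issues or 'OK'}")
```

Running it shows the root master process is fine on a fresh start and with the proposed 664 mode, but after the USR1 reopen both 644 nginx-owned files are flagged, matching the "Permission denied" in the journal; the nginx user itself is unaffected because it owns the files. The same function works as a pre-restart check in a deployment pipeline: run it as the account that will open the logs and fail early instead of at ExecStartPre.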