nginx log uid/gid

Maxim Dounin mdounin at mdounin.ru
Thu May 10 12:19:12 UTC 2018 

Hello!

On Wed, May 09, 2018 at 11:00:54AM -0400, Lubos Uhliarik wrote:

> Hello nginx devel list,
> 
> I'm experiencing following situation. When nginx is started, it creates logs in its log directory with following permissions:
> 
> # ls -la /var/log/nginx
> total 12
> drwxrwx---. 2 nginx root 4096 May  9 09:59 .
> drwxr-xr-x. 9 root  root 4096 May  9 07:01 ..
> -rw-r--r--. 1 root  root    0 May  9 09:59 access.log
> -rw-r--r--. 1 root  root  374 May  9 09:59 error.log
> 
> But when I send USR1 signal to nginx master process (for log rotation), it creates files with different owner (user specified
> in nginx configuration - in this case "nginx" user).
> 
> # rm /var/log/nginx/*.log
> # systemctl kill --signal=USR1 nginx
> # ls -la /var/log/nginx
> total 8
> drwxrwx---. 2 nginx root 4096 May  9 10:02 .
> drwxr-xr-x. 9 root  root 4096 May  9 07:01 ..
> -rw-r--r--. 1 nginx root    0 May  9 10:02 access.log
> -rw-r--r--. 1 nginx root    0 May  9 10:02 error.log
> 
> Is this behavior desired? I guess so, since in /src/os/unix/ngx_process_cycle.c is:
> 
> if (ngx_reopen) {
>     ngx_reopen = 0;
>     ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reopening logs");
>     ngx_reopen_files(cycle, ccf->user);
>     ngx_signal_worker_processes(cycle,
>                                 ngx_signal_value(NGX_REOPEN_SIGNAL));
> }
> 
> ngx_reopen_files function call has second param set (ccf->user), which is in all other
> cases -1. Why do you change owner only after processing USR1 signal? This causes problem,
> when nginx is restarted:

After the USR1 signal nginx have to ensure that already running 
worker processess will be able to open new log files for writing.  
To do so, it ensures that files are owned by the nginx user, and 
have at least 0600 access mode.

(Note well that by using nginx:root on /var/log/nginx you are 
allowing privilage escalation similar to one previously seen in 
Debian packages, see CVE-2016-1247.)

> # systemctl restart nginx
> Job for nginx.service failed because the control process exited with error code.
> See "systemctl status nginx.service" and "journalctl -xe" for details.
> 
> # systemctl status nginx.service
> ● nginx.service - The nginx HTTP and reverse proxy server
>    Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Wed 2018-05-09 10:12:21 EDT; 5s ago
>   Process: 1805 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
>   Process: 1817 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
>   Process: 1816 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
>  Main PID: 1806 (code=exited, status=0/SUCCESS)
> 
> May 09 10:12:21 host-172-16-36-25 systemd[1]: Starting The nginx HTTP and reverse proxy server...
> May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
> May 09 10:12:21 host-172-16-36-25 nginx[1817]: 2018/05/09 10:12:21 [warn] 1817#0: could not build optimal types_hash, you should increase either types_hash_max_size: 2048 o>
> May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
> May 09 10:12:21 host-172-16-36-25 nginx[1817]: 2018/05/09 10:12:21 [emerg] 1817#0: open() "/var/log/nginx/error.log" failed (13: Permission denied)
> May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: configuration file /etc/nginx/nginx.conf test failed
> May 09 10:12:21 host-172-16-36-25 systemd[1]: nginx.service: Control process exited, code=exited status=1
> May 09 10:12:21 host-172-16-36-25 systemd[1]: nginx.service: Failed with result 'exit-code'.
> May 09 10:12:21 host-172-16-36-25 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
> 
> This is a problem with SELinux (dac_override). Since master process runs as root, /var/log/nginx has ownership nginx:root,
> permissions 770 and NGX_FILE_DEFAULT_ACCESS is 644 for newly created logs.
> 
> One possible solution is to set different permission mode for newly created logs (664 with nginx:root ownership) or do not set
> owner of log files to nginx user (which had probably some reason in past because of extra param in ngx_reopen_files).

If needed in a particular setup, log files can be pre-created with 
desired permissions before instructing nginx to reopen them via 
USR1.

-- 
Maxim Dounin
http://mdounin.ru/

More information about the nginx-devel mailing list