File Upload Permissions Issues

VP Lists lists at viaduct-productions.com
Wed Jun 27 04:56:09 UTC 2018 

> On Jun 26, 2018, at 10:51 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> Hello!

Hello there.  Thanks for the reply.  

> On Tue, Jun 26, 2018 at 04:56:55PM -0400, VP Lists wrote:
> 
>> I’m having a problem uploading any files of any significant size to a test site on my workstation.
>> 
>> 2018/06/26 16:50:20 [crit] 36196#0: *1099 open() "/usr/local/var/run/nginx/client_body_temp/0000000018" failed (13: Permission denied), client: 127.0.0.1, server: pass1.local, request: "POST /upload HTTP/1.1", host: "pass1.local:8080", referrer: "http://pass1.local:8080/upload"
> 
> The error message speaks for itself: nginx has no permissions to 
> write temporary files to the directory it was configured to write 
> temporary files to.  You have to fix this.
> 
> [...]
> 
>> My nginx.conf has no set ‘user’
> 
> This means that nginx will use the default user for worker 
> processes as long as it is started as root.  Usually this is 
> nobody:nogroup, or whatever is set via configure arguments (see 
> "nginx -V”).

That command didn’t lend itself to anything.  No user mentioned anywhere in that result.  It’s running as root, with the workers being run as nobody.  

>> and here are the permissions set on the temp file upload folder for nginx:
>> 
>> $ ll /usr/local/var/run/nginx/
>> drwxr-xr-x  7 rich    admin   238B Dec  8  2016 .
>> drwxr-xr-x  4 rich    admin   136B Jun 19 15:19 ..
>> drwx------  2 nobody  admin    68B Dec  8  2016 client_body_temp
> 
> You have to check all path compontents.  That is, check that nginx 
> has at least "x" on "/", "/usr", "/usr/local", "/usr/local/var", 
> "/usr/local/var/run”.

OK, here’s where things get interesting:

On MacOS El Capitan:  --http-client-body-temp-path=/usr/local/var/run/nginx/client_body_temp
/usr						drwxr-xr-x@   13 root  wheel   442B May 26  2017 usr	
/usr/local					drwxr-xr-x    28 rich  admin   952B Mar 30 16:12 local
/usr/local/var					drwx------    36 rich  admin   1.2K May  7 21:01 var
/usr/local/var/run				drwxr-xr-x     4 rich  admin   136B Jun 19 15:19 run
/usr/local/var/run/nginx			drwxr-xr-x     7 rich  admin   238B Dec  8  2016 nginx
/usr/local/var/run/nginx/client_body_temp	drwx------     2 nobody  admin  68B Dec  8  2016 client_body_temp


On FreeBSD 11.1-RELEASE:  --http-client-body-temp-path=/var/tmp/nginx/client_body_temp
/var					drwxr-xr-x  25 root  wheel    25 May  7  08:48 var
/var/tmp				drwxrwxrwt   4 root  wheel     4 Jul  7  2017 tmp
/var/tmp/nginx				drwxr-xr-x   7 root  wheel     7 Jul 13  2017 nginx
/var/tmp/nginx/client_body_temp		drwx------   2 www   wheel     2 Jul  7  2017 client_body_temp

On two different boxes, two different OSes, showing variable eXecution permissions within the path.  Not only that, but in both instances, the client_body_temp permissions show “drwx- - - - - -“, and for two different owner:group combinations.  

Why would nginx allow this to happen?  Is it not thinkable that either nginx would state that a clear path to the directory responsible for receiving file uploads be permitted?  Or maybe the maintainers receiving this as a criteria for installation?  I find this quite odd.  

Running around patching up path permissions to installed directories, specific to nginx, is truly strange.  

> Additionally, if you have SELinux or equivalent enabled, you 
> should check it as well.
> 
>> I have 4 workers owned by nobody:admin, and nginx is run as 
>> default, as root:admin.
>> 
>> Now this topic of permissions and “what user should run nginx” 
>> has come up before.  Some say run as root, others say not.  It’s 
>> my workstation, so it doesn’t really matter.  It’s my dev box.  
>> The issue comes down to production.  
>> 
>> Is there one way all of this should be run without the worried 
>> security devs out there from losing it?  Since I’m here at 
>> another security issue with who runs what, maybe it’s a good 
>> time to get a consensus on how all this should be set up.  
> 
> You should never run nginx worker processes as root unless you 
> understand what you are doing and possible consequences.

I don’t.  I don’t even set nginx master to run as root, but it does.  nginx.conf:

# user 		root admin;			# commented out

> On the other hand, nginx master process can't do many required 
> things - like binding to port 80 - without being root.  As such, 
> you have to run nginx itself (that is, nginx master process) as 
> root.

This last paragraph has people doing backflips to interject.  OSX has chosen to run as root, and I’m running vhosts on port 80.  FreeBSD also has master user commented out as ‘root’, but working on port 8080.  I doubt I asked it to work on port 80 so far, given the setup I have.  

In any case, I fixed it.  /usr/local/var was a bit closed up.  Not friendly.

Cheers


_____________
Rich in Toronto @ VP

More information about the nginx mailing list