Weird privilege errors on Ubuntu 20.04

hgv nginx-forum at forum.nginx.org
Wed Jun 9 15:46:32 UTC 2021


/etc/systemd/system/nginx.service.d/override.conf and
/usr/lib/systemd/system/nginx.service don't exist

/etc/nginx/nginx.conf below

user www-data;
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 16384;
events {
        worker_connections 1024;
        use epoll;
        multi_accept on;
}
http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        server_tokens off;
        types_hash_max_size 2048;
        fastcgi_read_timeout 1800;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        server_names_hash_bucket_size 128;
        index index.php index.html index.htm;
        log_format  main_ext
                '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for" '
                '"$host" sn="$server_name" '
                'rt=$request_time '
                'ua="$upstream_addr" us="$upstream_status" '
                'ut="$upstream_response_time" ul="$upstream_response_length" '
                'cs=$upstream_cache_status' ;
        access_log /var/log/nginx/access.log main_ext;
        error_log /var/log/nginx/error.log warn;
        gzip on;
        gzip_disable "MSIE [1-6]\.";
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 200;
        gzip_buffers 16 8k;
        gzip_http_version 1.0;
        gzip_proxied expired no-cache no-store private auth;
        gzip_types
                text/css
                text/plain
                text/javascript
                application/javascript
                application/x-javascript
                application/json
                application/xml
                application/xml+rss
                application/xhtml+xml
                application/x-font-ttf
                application/x-font-opentype
                application/vnd.ms-fontobject
                image/svg+xml
                image/x-icon
                application/rss+xml
                application/atom_xml;
        open_file_cache max=1000 inactive=20s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 2;
        open_file_cache_errors on;
        fastcgi_cache_path /var/lib/nginx/fastcgi/keventajat-fi levels=1:2 keys_zone=keventajat-fi:10m inactive=24h max_size=372m use_temp_path=off;
        fastcgi_cache_key "$scheme$request_method$host$request_uri";
        fastcgi_cache_use_stale error timeout invalid_header http_500;
        fastcgi_cache_valid 200 301 302 24h;
        fastcgi_cache_valid 404 1m;
        fastcgi_ignore_headers Cache-Control Expires Set-Cookie Vary;
        fastcgi_cache_background_update on;
        fastcgi_cache_revalidate on;
        limit_req_zone $binary_remote_addr zone=wplogin:5m rate=1r/s;
        limit_req_zone $binary_remote_addr zone=magsearch:5m rate=15r/m;
        send_timeout 60s;
        client_max_body_size 64m;
        client_body_timeout 60s;
        client_body_buffer_size 128K;
        client_header_timeout 30s;
        client_header_buffer_size 1k;
        keepalive_timeout 15s;
        keepalive_requests 100000;
        proxy_connect_timeout 30;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        resolver 127.0.0.53 valid=30s;
        resolver_timeout 10s;
        upstream php56 {
                server unix:/run/php/php5.6-fpm.sock max_fails=20 fail_timeout=60;
        }
        upstream php74 {
                server unix:/run/php/php7.4-fpm.sock max_fails=20 fail_timeout=60;
        }
        upstream graphql {
                server 127.0.0.1:3000;
        }
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 120m;
        ssl_session_tickets on;
        ssl_dhparam /etc/nginx/dhparam.pem;
        ssl_ciphers !aNULL:!eNULL:FIPS@STRENGTH;
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*.conf;
        map $uri $no_slash_uri {
                ~^/(?<no_slash>.*)$ $no_slash;
        }
}



Sergey A. Osokin Wrote:
-------------------------------------------------------
> Looks good to me.
> 
> I'd like to request more files: 
> - /etc/systemd/system/nginx.service.d/override.conf
> - /usr/lib/systemd/system/nginx.service
> - /etc/nginx/nginx.conf
> 
> Thanks.
> 
> On Tue, Jun 08, 2021 at 06:02:29PM -0400, hgv wrote:
> > Yes, certainly.
> > 
> > drwxr-xr-x root root /etc
> > drwxr-xr-x root root /etc/ssl
> > drwxr-x--- root ssl-cert /etc/ssl/private
> > 
> > 
> > Sergey A. Osokin Wrote:
> > -------------------------------------------------------
> > > Hi,
> > > 
> > > Could you check and show permissions on /etc/ssl/private, /etc/ssl,
> > > and /etc directories.
> > > 
> > > Thanks.
> > > 
> > > -- 
> > > Sergey
> > > 
> > > On Tue, Jun 08, 2021 at 03:57:59PM -0400, hgv wrote:
> > > > Hi Sergey,
> > > > 
> > > > Adding www-data user to ssl-cert group doesn't help.
> > > > 
> > > > root@k2# usermod -a -G ssl-cert www-data
> > > > 
> > > > root@k2# getent group ssl-cert
> > > > ssl-cert:x:112:postgres,www-data
> > > > 
> > > > 
> > > > Sergey A. Osokin Wrote:
> > > > -------------------------------------------------------
> > > > > Hi there,
> > > > > 
> > > > > hope you're doing well.
> > > > > 
> > > > > On Tue, Jun 08, 2021 at 11:46:32AM -0700, Palvelin Postmaster wrote:
> > > > > > I wonder what can cause these weird error log entries? The log
> > > > > > entries indicate a PID which doesn't exist. Does nginx launch some
> > > > > > temporary process when it starts?
> > > > > > 
> > > > > > Nginx 1.21.0 on Ubuntu 20.04.
> > > > > > 
> > > > > > root@k2:~# systemctl restart nginx
> > > > > > 
> > > > > > root@k2:~# tail /var/log/nginx/error.log
> > > > > > 2021/06/08 21:25:32 [warn] 1287733#1287733: the "user" directive
> > > > > > makes sense only if the master process runs with super-user
> > > > > > privileges, ignored in /etc/nginx/nginx.conf:21
> > > > > > 2021/06/08 21:25:32 [emerg] 1287733#1287733: cannot load certificate
> > > > > > key "/etc/ssl/private/nginx-selfsigned.key": BIO_new_file() failed
> > > > > > (SSL: error:0200100D:system library:fopen:Permission
> > > > > > denied:fopen('/etc/ssl/private/nginx-selfsigned.key','r')
> > > > > > error:2006D002:BIO routines:BIO_new_file:system lib)
> > > > > 
> > > > > Seems like an attempt to start nginx without root privileges.
> > > > > 
> > > > > > root@k2:~# ls -lh /etc/ssl/private/ |grep selfsigned
> > > > > > -rw-r----- 1 root ssl-cert 1.7K Jul  8 17:12 nginx-selfsigned.key
> > > > > > 
> > > > > > root@k2:~# cat /etc/nginx/nginx.conf |grep ^user
> > > > > > user www-data;
> > > > > > 
> > > > > > root@k2:~# ps -auxw |grep nginx
> > > > > > root     1287600  0.0  0.0  56148  6504 ?        Ss   21:25   0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
> > > > > > www-data 1287601  0.7  0.1  58544 15652 ?        S    21:25   0:05 nginx: worker process
> > > > > > www-data 1287602  0.0  0.1  57556 13696 ?        S    21:25   0:00 nginx: worker process
> > > > > > www-data 1287603  0.0  0.1  56392  9184 ?        S    21:25   0:00 nginx: cache manager process
> > > > > 
> > > > > Could you check `www-data' user permission, and add, if necessary, to
> > > > > the `ssl-cert' group.
> > > > > 
> > > > > -- 
> > > > > Sergey Osokin
> > > > > _______________________________________________
> > > > > nginx mailing list
> > > > > nginx at nginx.org
> > > > > http://mailman.nginx.org/mailman/listinfo/nginx
> > > > 
> > > > Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291801#msg-291801
> > > > 
> > 
> > Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291803#msg-291803
> > 

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291812#msg-291812
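Added example, not code posted by anyone in the thread: a small Python script that does the two checks this thread actually turns on. It parses the `PID#TID` field of each error-log entry and looks that PID up in the process table, and it walks the directory chain to the key applying the ordinary Unix mode-bit rules for a few candidate identities. The two log lines, the `ps` rows and the directory modes are copied from the posts above as constructed sample input; the function names, the plain mode-bit model (root bypasses, no ACLs, no chroot) and the `www-data+ssl-cert` candidate are this example's own assumptions.

```python
"""Added example for the thread above (not code posted in it): correlate nginx
error-log entries with the process table, and check who could open the key.
The log lines, `ps` rows and mode bits are copied from the thread; the function
names and the plain mode-bit model (root bypasses, no ACLs) are assumptions."""
import re
from typing import NamedTuple, Optional

# nginx error log line: "YYYY/MM/DD HH:MM:SS [level] PID#TID: message"
LOG_RE = re.compile(r'^(\S+ \S+) \[(\w+)\] (\d+)#(\d+): (.*)$')
# OpenSSL's BIO_new_file() failure embeds the path it could not open
FOPEN_RE = re.compile(r"fopen\('([^']+)','r'\)")

# Sample input, constructed from the error.log excerpt quoted in the thread.
ERROR_LOG = """\
2021/06/08 21:25:32 [warn] 1287733#1287733: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:21
2021/06/08 21:25:32 [emerg] 1287733#1287733: cannot load certificate key "/etc/ssl/private/nginx-selfsigned.key": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/ssl/private/nginx-selfsigned.key','r') error:2006D002:BIO routines:BIO_new_file:system lib)
"""

# Sample process table from the `ps -auxw | grep nginx` output in the thread.
PROCESSES = [
    ("root", 1287600, "nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf"),
    ("www-data", 1287601, "nginx: worker process"),
    ("www-data", 1287602, "nginx: worker process"),
    ("www-data", 1287603, "nginx: cache manager process"),
]

# Directory and file permissions as listed in the thread: (mode, owner, group).
TREE = {
    "/etc": (0o755, "root", "root"),
    "/etc/ssl": (0o755, "root", "root"),
    "/etc/ssl/private": (0o750, "root", "ssl-cert"),
    "/etc/ssl/private/nginx-selfsigned.key": (0o640, "root", "ssl-cert"),
}


class LogEntry(NamedTuple):
    time: str
    level: str
    pid: int
    message: str
    denied_path: Optional[str]  # path from a "Permission denied" fopen(), if any


def parse_error_log(text: str) -> list:
    """Keep the lines that carry a PID#TID prefix; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        time, level, pid, _tid, msg = m.groups()
        denied = FOPEN_RE.search(msg)
        entries.append(LogEntry(time, level, int(pid), msg,
                                denied.group(1) if denied else None))
    return entries


def classify_pid(pid: int, processes) -> str:
    """Tie a logged PID back to a live nginx process, if there is one."""
    for user, live_pid, cmd in processes:
        if live_pid == pid:
            role = "master" if "master process" in cmd else "worker/helper"
            return f"live nginx {role} running as {user}"
    return ("no live nginx process has this PID: the entry came from a separate "
            "nginx invocation (e.g. nginx -t or a start attempt)")


def _class_bits(mode: int, owner: str, group: str, user: str, groups: set) -> int:
    # Select the owner, group or other permission triplet for this identity.
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:
        return (mode >> 3) & 7
    return mode & 7


def can_read(path: str, user: str, groups: set, tree: dict) -> bool:
    """Mode-bit check: search (x) on every directory, read (r) on the file.
    Assumption: root has CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH and always passes."""
    if user == "root":
        return True
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        directory = "/" + "/".join(parts[:i])
        if not _class_bits(*tree[directory], user, groups) & 1:
            return False  # cannot traverse this directory
    return bool(_class_bits(*tree[path], user, groups) & 4)


def diagnose(log_text=ERROR_LOG, processes=PROCESSES, tree=TREE) -> list:
    """One report line per log entry: who logged it, who could open the path."""
    candidates = [("root", "root", set()), ("www-data", "www-data", {"www-data"}),
                  ("www-data+ssl-cert", "www-data", {"www-data", "ssl-cert"})]
    report = []
    for e in parse_error_log(log_text):
        line = f"[{e.level}] pid={e.pid}: {classify_pid(e.pid, processes)}"
        if e.denied_path:
            checks = ", ".join(f"{label}={can_read(e.denied_path, u, g, tree)}"
                               for label, u, g in candidates)
            line += f"; {e.denied_path} readable by: {checks}"
        report.append(line)
    return report


if __name__ == "__main__":
    print("\n".join(diagnose()))
```

Run on the data from the thread it reports that 1287733 is none of the live nginx processes, and that the key is openable by root and by www-data once it is in ssl-cert, but not by www-data alone. Both point the same way as Sergey's reading: the entry was written by a separate nginx invocation that was not running as root (the [warn] about the "user" directive is nginx's own signal for that, since it is emitted only when the process is not root), not by the service's master. The caveat for the proposed fix: the master, running as root, reads certificate keys while loading the configuration, so the www-data workers never open them; putting www-data into ssl-cert does not address the error and gives the worker user read access to every key under /etc/ssl/private.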


