Nginx does not re-open log files on SIGUSR1.

Gena Makhomed gmm at csdoc.com
Mon Jan 3 16:16:00 MSK 2011


On 03.01.2011 14:49, Piotr Karbowski wrote:

> I was able to 'fix' it, which is more like a workaround than a real fix,
> by adding permissions for nginx user to /var/log/nginx.
>
> Before I had 700 root:root on /var/log/nginx because I am a little
> paranoid and I saw no real reason to add workers there since master
> process, running as root, is writing there.
>
> After changing owner to nginx, nginx is able to re-open logs after SIGUSR1.

master process running as root opens/writes files in /var/log/nginx
- if the nginx user has write permissions to this directory,
700 nginx:nginx - such a setup is vulnerable to a symlink attack

a better approach is to set permissions 750 root:nginx on /var/log/nginx

or 750 root:www-logs on /var/log/nginx and add user nginx to group www-logs

> Looks like rotated empty logs have root:root 600 perms, maybe it is the
> problem?

show your logrotate config for nginx log files.

> But again, I think master write there, not workers.

nginx workers also write to log files.

-- 
Best regards,
  Gena
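
The three directory layouts discussed in this thread (700 root:root, 700 nginx:nginx, 750 root:nginx), checked from the worker's point of view. This is an added example, not part of the original message or of nginx; the function names and result labels are hypothetical, and `audit_logdir` assumes GNU `stat`.

```sh
#!/bin/sh
# Added example (not from the thread). Classifies a log directory for a
# daemon with a root master and unprivileged workers.

# classify_logdir MODE OWNER GROUP WORKER_USER "WORKER_GROUPS"
# MODE is octal as printed by stat (e.g. 750); WORKER_GROUPS is space-separated.
classify_logdir() {
    mode=000$1 owner=$2 group=$3 wuser=$4 wgroups=$5

    # Keep only the last three octal digits (drops setuid/setgid/sticky).
    perms=${mode#"${mode%???}"}
    u=${perms%??}
    g=${perms#?}; g=${g%?}
    o=${perms#??}

    # POSIX picks exactly one permission class: owner, else group, else other.
    if [ "$wuser" = "$owner" ]; then
        bits=$u
    else
        bits=$o
        for wg in $wgroups; do
            if [ "$wg" = "$group" ]; then bits=$g; fi
        done
    fi

    if [ $((bits & 3)) -eq 3 ]; then
        # write + search: the worker can create or replace directory entries,
        # including a symlink at a path the root master will later open.
        echo "symlink-risk"
    elif [ $((bits & 1)) -eq 0 ]; then
        # no search bit: the worker cannot open files inside by path.
        echo "no-access"
    else
        echo "ok"
    fi
}

# audit_logdir DIR WORKER_USER: same check against a real directory.
# Assumes GNU stat (-c) and that WORKER_USER exists on the system.
audit_logdir() {
    dir=$1 worker=$2
    st=$(stat -c '%a %U %G' "$dir") || return 2
    grps=$(id -Gn "$worker") || return 2
    set -- $st
    classify_logdir "$1" "$2" "$3" "$worker" "$grps"
}
```

On a live host the call would be `audit_logdir /var/log/nginx nginx`; it covers the directory only, not the modes of the individual log files that logrotate creates.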


