Bug? Chown of all default *_temp_path directories at startup?

Daniel Aubry obri at chaostreff.ch
Tue Oct 25 14:45:34 UTC 2016 

Hi all

I'm using nginx-full 1.10.2-1~dotdeb+8.1 from dotdeb.org on Debian.

nginx -V
nginx version: nginx/1.10.2
built with OpenSSL 1.0.1t  3 May 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong
-Wformat -Werror=format-security -D_FORTIFY_SOURCE=2'
--with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx
--conf-path=/etc/nginx/nginx.conf
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log
--lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid
--modules-path=/usr/lib/nginx/modules
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug
--with-pcre-jit --with-ipv6 --with-http_ssl_module
--with-http_stub_status_module --with-http_realip_module
--with-http_auth_request_module --with-http_v2_module
--with-http_dav_module --with-file-aio --with-threads
--with-http_addition_module --with-http_geoip_module=dynamic
--with-http_gunzip_module --with-http_gzip_static_module
--with-http_image_filter_module=dynamic --with-http_secure_link_module
--with-http_sub_module --with-http_xslt_module=dynamic
--with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic
--with-mail_ssl_module
--add-dynamic-module=/usr/src/builddir/debian/modules/nginx-auth-pam
--add-module=/usr/src/builddir/debian/modules/nginx-dav-ext-module
--add-module=/usr/src/builddir/debian/modules/nginx-echo
--add-module=/usr/src/builddir/debian/modules/nginx-upstream-fair
--add-module=/usr/src/builddir/debian/modules/ngx_http_substitutions_filter_module
--add-module=/usr/src/builddir/debian/modules/nginx-cache-purge
--add-module=/usr/src/builddir/debian/modules/ngx_http_pinba_module
--add-module=/usr/src/builddir/debian/modules/nginx-x-rid-header
--with-ld-opt=-lossp-uuid

I do have several nginx inscances on one Server, they all run as a 
different users. 

There is one main nginx instance which runs as the user www-data.

*_temp_path is set to a different location for all nginx instances
excluding the main instance. The main www-data instance is still
using /var/lib/nginx.

Configuration example for custom temp dirs:
================================================================
fastcgi_temp_path /var/www/vhosts/XYZ/tmp/nginx/fcgi;
scgi_temp_path  /var/www/vhosts/XYZ/tmp/nginx/scgi;
uwsgi_temp_path /var/www/vhosts/XYZ/tmp/nginx/wsgi;
client_body_temp_path /var/www/vhosts/XYZ/tmp/nginx/body;
proxy_temp_path /var/www/vhosts/XYZ/tmp/nginx/proxy;
================================================================

Now, let's restart the main nginx. You can see that all 
files/directories in /var/lib/nginx are owned by www-data:www-data:
================================================================
root at xxxx-web-03:/var/log/nginx# systemctl restart nginx.service
root at xxxx-web-03:/var/log/nginx# ls -la /var/lib/nginx
total 28
drwxr-xr-x  7 www-data www-data 4096 Oct 25 15:45 .
drwxr-xr-x 43 root     root     4096 Oct  6 15:15 ..
drwx------  2 www-data www-data 4096 Oct 25 15:03 body
drwx------  2 www-data www-data 4096 Oct  6 14:43 fastcgi
drwx------  9 www-data www-data 4096 Oct 25 10:18 proxy
drwx------  2 www-data www-data 4096 Oct  6 14:43 scgi
drwx------  2 www-data www-data 4096 Oct  6 14:43 uwsgi
================================================================

After restarting nginx-XYZ.service, all files/directories are owned by XYZ:
================================================================
root at xxxx-web-03:/var/log/nginx# systemctl restart nginx-XYZ.service
root at xxxx-web-03:/var/log/nginx# ls -la /var/lib/nginx
total 28
drwxr-xr-x  7 www-data     www-data 4096 Oct 25 15:45 .
drwxr-xr-x 43 root         root     4096 Oct  6 15:15 ..
drwx------  2 XYZ www-data 4096 Oct 25 15:03 body
drwx------  2 XYZ www-data 4096 Oct  6 14:43 fastcgi
drwx------  9 XYZ www-data 4096 Oct 25 10:18 proxy
drwx------  2 XYZ www-data 4096 Oct  6 14:43 scgi
drwx------  2 XYZ www-data 4096 Oct  6 14:43 uwsgi
root at xxxx-web-03:/var/log/nginx#
================================================================

I can't find the string /var/lib/nginx in any nginx Configuration file on the system:
================================================================
root at xxxx-web-03:/var/log/nginx# grep -r "/var/lib/nginx" /etc/nginx-XYZ/
root at xxxx-web-03:/var/log/nginx# grep -r "/var/lib/nginx" /etc/nginx/
root at xxxx-web-03:/var/log/nginx# 
================================================================

I can set all *_temp_path directories of the www-data nginx to an other direcory,
this is my current workaround for this issue. But i believe that the nginx shouldn't
touch /var/lib/ngin/* if this directory isn't in the configuration file.

Any idea? Should i open a bug?

Best Regards
Daniel

More information about the nginx mailing list