Changing ownership of proxy_temp and other temp directories
Shreenidhi Shedi
sshedi at vmware.com
Fri Mar 17 04:42:53 UTC 2023
Hi,
Here you go.
root at ph3dev:~ # nginx -V
nginx version: nginx/1.22.0
built by gcc 7.3.0 (GCC)
built with OpenSSL 1.0.2zg-fips 7 Feb 2023 (running with OpenSSL 1.0.2zg 7 Feb 2023)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --add-module=njs-0.7.5/nginx --with-http_ssl_module --with-pcre --with-ipv6 --with-stream --with-http_auth_request_module --with-http_sub_module --with-http_stub_status_module --with-http_v2_module --user=nginx --group=nginx
root at ph3dev:~ # nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
--
Shedi
________________________________
From: Sergey A. Osokin <osa at freebsd.org.ru>
Sent: 17 March 2023 02:46
To: nginx at nginx.org <nginx at nginx.org>
Cc: Shreenidhi Shedi <sshedi at vmware.com>
Subject: Re: Changing ownership of proxy_temp and other temp directories
!! External Email
Hi,
On Thu, Mar 16, 2023 at 06:19:42PM +0000, Shreenidhi Shedi via nginx wrote:
>
> I have hosted a nginx server instance and the temp directories are created under /etc/nginx/
>
> $ ls -ld /etc/nginx/*_temp
> drwx------ 2 nobody root 4096 Mar 16 15:21 /etc/nginx/client_body_temp
[...]
>
> And I updated to a newer version of nginx which runs in "nginx" user
> context and after that these directory ownership is getting changed
> to nginx:root but the issue is, it happens only on these top
> directories and not directories within these temp directories.
>
> I did strace on the same to confirm my theory.
[strace is skipped]
It seems like previously nginx' worker process was running under
`nobody' user, so the directory structure has appropriate
permissions. The configuration setting was changed to `nginx'
user then, and when nginx main process started, it checked and
updated directories permissions according to the new settings.
> Now the issue is, why chown happens only on top directory and
> not recursively on all files and directories inside them?
Please take a look in the source code,
https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhg.nginx.org%2Fnginx%2Ffile%2Ftip%2Fsrc%2Fcore%2Fngx_file.c%23l598&data=05%7C01%7Csshedi%40vmware.com%7Ccc1606f4494b48ed496308db2663c194%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C638145982140985501%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2BnlexAGf4iaOhxIl0GnCZOGUfufWlJyuefJOFP%2Bvb6I%3D&reserved=0
> Is this a bug or is it fixed in latest version of nginx?
I don't think there's a bug in that part of the code.
As a workaround for the transition content to a new user, it's
easy to run an one line script to update permissions of those
directories.
> I'm currently using nginx-1.22.0. Any help would be appreciated.
I'd recommend to upgrade to the recent version in stable
branch, 1.22.1.
Thank you.
--
Sergey A. Osokin
!! External Email: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20230317/8c3943a4/attachment-0001.htm>
More information about the nginx
mailing list