Re: File Upload Permissions Issues

Maxim Dounin
June 26, 2018 10:54PM
Hello!

On Tue, Jun 26, 2018 at 04:56:55PM -0400, VP Lists wrote:

> I’m having a problem uploading any files of any significant size to a test site on my workstation.
>
> 2018/06/26 16:50:20 [crit] 36196#0: *1099 open() "/usr/local/var/run/nginx/client_body_temp/0000000018" failed (13: Permission denied), client: 127.0.0.1, server: pass1.local, request: "POST /upload HTTP/1.1", host: "pass1.local:8080", referrer: "http://pass1.local:8080/upload"

The error message speaks for itself: nginx has no permissions to
write temporary files to the directory it was configured to write
temporary files to. You have to fix this.

[...]

> My nginx.conf has no set ‘user’

This means that nginx will use the default user for worker
processes as long as it is started as root. Usually this is
nobody:nogroup, or whatever is set via configure arguments (see
"nginx -V").

> and here are the permissions set on the temp file upload folder for nginx:
>
> $ ll /usr/local/var/run/nginx/
> drwxr-xr-x 7 rich admin 238B Dec 8 2016 .
> drwxr-xr-x 4 rich admin 136B Jun 19 15:19 ..
> drwx------ 2 nobody admin 68B Dec 8 2016 client_body_temp

You have to check all path components. That is, check that nginx
has at least "x" on "/", "/usr", "/usr/local", "/usr/local/var",
"/usr/local/var/run".

Additionally, if you have SELinux or equivalent enabled, you
should check it as well.

> I have 4 workers owned by nobody:admin, and nginx is run as
> default, as root:admin.
>
> Now this topic of permissions and “what user should run nginx”
> has come up before. Some say run as root, others say not. It’s
> my workstation, so it doesn’t really matter. It’s my dev box.
> The issue comes down to production.
>
> Is there one way all of this should be run without the worried
> security devs out there from losing it? Since I’m here at
> another security issue with who runs what, maybe it’s a good
> time to get a consensus on how all this should be set up.

You should never run nginx worker processes as root unless you
understand what you are doing and possible consequences.

On the other hand, nginx master process can't do many required
things - like binding to port 80 - without being root. As such,
you have to run nginx itself (that is, nginx master process) as
root.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
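
The path-component check described in the reply above, as an added example that is not part of the original post: it walks from the temp directory up to "/" and reports which components deny search ("x") permission to a given user. The function names `can_search` and `check_path` are hypothetical, and only classic mode bits are evaluated.

```sh
#!/bin/sh
# Added example. Evaluates classic mode bits only: ACLs and SELinux are not
# consulted, and symlinks are not resolved.

# can_search UID "GID ..." DIR: exit 0 if the mode bits give UID "x" on DIR.
can_search() {
    uid=$1 gids=$2 dir=$3
    if [ "$uid" -eq 0 ]; then return 0; fi      # root bypasses mode bits
    line=$(ls -ldn "$dir" 2>/dev/null) || return 2
    set -- $line                                 # mode links uid gid ...
    mode=$1 owner=$3 group=$4
    if [ "$uid" -eq "$owner" ]; then
        col=4                                    # owner triplet applies
    else
        col=10                                   # default: "other" triplet
        for g in $gids; do
            if [ "$g" -eq "$group" ]; then col=7; fi   # group triplet
        done
    fi
    case $(printf '%s' "$mode" | cut -c"$col") in
        x|s|t) return 0 ;;                       # s/t imply x is also set
        *)     return 1 ;;
    esac
}

# check_path USER /ABS/PATH: report every component, exit 1 if any blocks USER.
check_path() {
    case $2 in /*) ;; *) echo "absolute path required" >&2; return 2 ;; esac
    cp_uid=$(id -u "$1") || return 2
    cp_gids=$(id -G "$1") || return 2
    cp_path=$2 cp_rc=0
    while :; do
        if can_search "$cp_uid" "$cp_gids" "$cp_path"; then
            echo "ok      $cp_path"
        else
            echo "BLOCKED $cp_path"; cp_rc=1
        fi
        if [ "$cp_path" = / ]; then break; fi
        cp_path=$(dirname "$cp_path")
    done
    return "$cp_rc"
}

# Usage with the user and path from the thread:
#   check_path nobody /usr/local/var/run/nginx/client_body_temp
```

A component reported as BLOCKED is one where the worker user falls into a permission triplet without "x"; a clean report still leaves SELinux or ACL denials to be checked separately.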