nginx log uid/gid

Lubos Uhliarik
May 09, 2018 11:02AM
Hello nginx devel list,

I'm experiencing the following situation. When nginx is started, it creates logs in its log directory with the following permissions:

# ls -la /var/log/nginx
total 12
drwxrwx---. 2 nginx root 4096 May 9 09:59 .
drwxr-xr-x. 9 root root 4096 May 9 07:01 ..
-rw-r--r--. 1 root root 0 May 9 09:59 access.log
-rw-r--r--. 1 root root 374 May 9 09:59 error.log

But when I send the USR1 signal to the nginx master process (for log rotation), it creates files with a different owner (the user specified in the nginx configuration - in this case the "nginx" user).

# rm /var/log/nginx/*.log
# systemctl kill --signal=USR1 nginx
# ls -la /var/log/nginx
total 8
drwxrwx---. 2 nginx root 4096 May 9 10:02 .
drwxr-xr-x. 9 root root 4096 May 9 07:01 ..
-rw-r--r--. 1 nginx root 0 May 9 10:02 access.log
-rw-r--r--. 1 nginx root 0 May 9 10:02 error.log

Is this behavior desired? I guess so, since /src/os/unix/ngx_process_cycle.c has:

    if (ngx_reopen) {
        ngx_reopen = 0;
        ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reopening logs");
        ngx_reopen_files(cycle, ccf->user);
        ngx_signal_worker_processes(cycle,
                                    ngx_signal_value(NGX_REOPEN_SIGNAL));
    }

The ngx_reopen_files function call has its second param set (ccf->user), which is -1 in all other
cases. Why do you change the owner only after processing the USR1 signal? This causes a problem
when nginx is restarted:

# systemctl restart nginx
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.

# systemctl status nginx.service
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2018-05-09 10:12:21 EDT; 5s ago
Process: 1805 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 1817 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
Process: 1816 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
Main PID: 1806 (code=exited, status=0/SUCCESS)

May 09 10:12:21 host-172-16-36-25 systemd[1]: Starting The nginx HTTP and reverse proxy server...
May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
May 09 10:12:21 host-172-16-36-25 nginx[1817]: 2018/05/09 10:12:21 [warn] 1817#0: could not build optimal types_hash, you should increase either types_hash_max_size: 2048 o>
May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
May 09 10:12:21 host-172-16-36-25 nginx[1817]: 2018/05/09 10:12:21 [emerg] 1817#0: open() "/var/log/nginx/error.log" failed (13: Permission denied)
May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: configuration file /etc/nginx/nginx.conf test failed
May 09 10:12:21 host-172-16-36-25 systemd[1]: nginx.service: Control process exited, code=exited status=1
May 09 10:12:21 host-172-16-36-25 systemd[1]: nginx.service: Failed with result 'exit-code'.
May 09 10:12:21 host-172-16-36-25 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.

This is a problem with SELinux (dac_override). Since the master process runs as root, /var/log/nginx has ownership nginx:root,
permissions 770, and NGX_FILE_DEFAULT_ACCESS is 644 for newly created logs.

One possible solution is to set a different permission mode for newly created logs (664 with nginx:root ownership) or not to set the
owner of log files to the nginx user (which probably had some reason in the past, because of the extra param in ngx_reopen_files).

Thank you for your help or advice!

Best,

--
Lubos Uhliarik
Software Engineer - EMEA ENG Developer Experience
RH - Brno - TPB-C - 1D221
IRC: zero_byte at irc.freenode.net

RED HAT | TRIED. TESTED. TRUSTED.
Every airline in the Fortune 500 relies on Red Hat.
Find out why at http://www.redhat.com/en/about/trusted

Red Hat Inc. http://cz.redhat.com
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
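
The permission arithmetic behind the report above, as an added example that is not part of the original post and is not nginx code. It models the classic Unix owner/group/other check with no ACLs or supplementary groups and shows which of the listed files root can write using mode bits alone, that is, without the dac_override capability that SELinux denies here. The numeric uid 994 for the "nginx" user and all names in the block are constructed for illustration.

```c
#include <stdio.h>
#include <sys/types.h>

/* Requested access, as in access(2): 4 = read, 2 = write, 1 = execute/search. */
enum { WANT_R = 4, WANT_W = 2, WANT_X = 1 };

struct subject { uid_t uid; gid_t gid; };               /* process credentials */
struct object  { uid_t uid; gid_t gid; mode_t mode; };  /* file owner and mode */

/*
 * Simplified DAC check: exactly one permission class applies
 * (owner, else group, else other). Returns 1 if the mode bits grant
 * `want`, 0 if the access could only succeed via CAP_DAC_OVERRIDE.
 */
int dac_grants(struct subject s, struct object o, int want)
{
    int bits;

    if (s.uid == o.uid)
        bits = (o.mode >> 6) & 7;   /* owner class */
    else if (s.gid == o.gid)
        bits = (o.mode >> 3) & 7;   /* group class */
    else
        bits = o.mode & 7;          /* other class */

    return (bits & want) == want;
}

/* Constructed sample values: root is 0:0, uid 994 stands in for "nginx". */
static const struct subject MASTER     = { 0, 0 };          /* master runs as root   */
static const struct object  AT_START   = { 0, 0, 0644 };    /* root:root 644 logs    */
static const struct object  AFTER_USR1 = { 994, 0, 0644 };  /* nginx:root 644 logs   */
static const struct object  PROPOSED   = { 994, 0, 0664 };  /* nginx:root 664 logs   */
static const struct object  LOGDIR     = { 994, 0, 0770 };  /* /var/log/nginx itself */

int main(void)
{
    printf("log dir, create files:    %d\n", dac_grants(MASTER, LOGDIR, WANT_W | WANT_X));
    printf("root:root 644, write:     %d\n", dac_grants(MASTER, AT_START, WANT_W));
    printf("nginx:root 644, write:    %d\n", dac_grants(MASTER, AFTER_USR1, WANT_W));
    printf("nginx:root 664, write:    %d\n", dac_grants(MASTER, PROPOSED, WANT_W));
    return 0;
}
```

A result of 0 marks the case where an unconfined root would still succeed through CAP_DAC_OVERRIDE, which is the access that fails with "Permission denied" in the journal output above.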