nginx Permissions Clarification

daBee · Apr 30, 2018

Hi folks.

My workstation is a Mac (El Capitan), and I have a FreeBSD box on version 11.1 Release, running nginx on both. Both have the user commented out, yet I continue to get errors on the following commands on the FreeBSD box:

Code:

$ nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
$ nginx -s reload
nginx: [alert] kill(639, 1) failed (1: Operation not permitted)

nginx.pid is owned by root/wheel.

So I'm confused again, as I have been in the past. The maintainer for nginx did not reply to me on this. I submitted it personally, never got an answer. I think this is important as it's a root / user permissions issue on a major app. I'm thinking I'm missing something, and it's just me. But I'm still confused. I have no errors on my Mac workstation.

Can someone please shed some light on where I'm going wrong? Any insight appreciated.

Cheers

SirDice · Apr 30, 2018

Remove the PID file and remove the pid = line from nginx.conf.

daBee · Apr 30, 2018

pid file already commented out. Removing it did nothing. Then I tried the following:

Code:

[Mon Apr 30 11:53:29 adminuser@serverbox /var/run] nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
[Mon Apr 30 11:53:41 adminuser@serverbox /var/run] sudo nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

SirDice · Apr 30, 2018

Use service nginx start to start it. Note that the rc(8) script checks the config before starting the server. If you just want to check the config, use service nginx configtest

daBee · Apr 30, 2018

Oh it's running. It's always been running. That's not the issue. These errors are the issue. It's serving fine. /var/run/nginx.pid has been recreated, and serving fine. The admin commands provided, just keep giving me errors and I want to finally get a green light before moving on.

Sorry...furthermore...

Code:

[Mon Apr 30 12:01:07 adminuser@serverbox /var/run] service nginx configtest
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

edit, FYI, while the service is indeed running:

Code:

[Mon Apr 30 12:06:59 adminuser@serverbox /var/run] service nginx reload
nginx not running? (check /var/run/nginx.pid).

SirDice · Apr 30, 2018

The reason it's giving you errors is because you're running the tests as a regular user. The pid is root owned and I suspect part of the test is to see if the pid file is writable (which only root is allowed to do).

Just use this:

Code:

root@armitage:~ # service nginx configtest
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

daBee · Apr 30, 2018

OK, this sounds good. I thought because it's running as non-root, that it would not barf at me trying to do those tests. I would have thought that the maintainer (or the nginx people) would think that the "run as root" vs "pid view needs root" and figured that out.

I've updated my last post, as the test you give, works for me on my Mac box. FreeBSD gives me permissions errors as this user (admin) can't force the test to run as root without sudo. Hence confusing. Two different models.

daBee · Apr 30, 2018

Even more confusing:

Code:

[Mon Apr 30 12:13:40 adminuser@serverbox /var/run] service nginx status
nginx is not running.

drhowarddrfine · May 1, 2018

To be clear, nginx must run as root. Are you doing that? I'm confused by your posts.

SirDice · May 1, 2018

Yes, it's good to stress this. All services are started as root but a lot of services will lower their privileges once started. A good example is this case, nginx is started as root but as soon as the ports have been opened, pidfile written, log files opened etc, will drop its privileges to the www user. Webservers typically must be started as root because only root can open (network) ports below 1024.

daBee · May 1, 2018

drhowarddrfine said:
To be clear, nginx must run as root. Are you doing that? I'm confused by your posts.

I have been told numerous times that I should never run nginx as root. I personally don't mind running it as root or not. I just want some clarity.

daBee · May 1, 2018

SirDice said:
Yes, it's good to stress this. All services are started as root but a lot of services will lower their privileges once started. A good example is this case, nginx is started as root but as soon as the ports have been opened, pidfile written, log files opened etc, will drop its privileges to the www user. Webservers typically must be started as root because only root can open (network) ports below 1024.

Ah that makes sense. I'll give it a whirl today with root in the conf.

joneum@ · May 1, 2018

daBee said:
Hi folks.

[..]

So I'm confused again, as I have been in the past. The maintainer for nginx did not reply to me on this. I submitted it personally, never got an answer. [..]

When did you send me an email? It is always better to ask here in the forum. Or to open a PR

daBee · May 1, 2018

Months ago. I was told they would get back to me. I replied a couple of weeks later, with no reply.

SirDice · May 1, 2018

daBee said:
I'll give it a whirl today with root in the conf.

No, that would be a bad idea as this will make it run as root for everything and this is considered a huge security risk. You start the thing as root but it actually runs on the www account. So don't make those changes, leave this as-is (it does the right thing by default).

daBee · May 1, 2018

So I'm right back at the very beginning. So what do I do? I keep getting conflicting information. Second, if it's in the proper configuration, why would nginx -t fail without using sudo?

SirDice · May 1, 2018

You start the service as root: service nginx start. But once it's started privileges will be dropped to www. Setting the user inside nginx.conf isn't needed, that option is given as a parameter by the rc(8) script that starts the service. Privileges are dropped after nginx has opened the pidfile, logfiles and ports.

daBee said:
Second, if it's in the proper configuration, why would nginx -t fail without using sudo?

Because the test tries to open the pidfile for writing and only root is allowed to do that.

daBee · May 1, 2018

Yes, understood. That is a continuity issue with how it's supposed to work as non-root. Just saying, it only adds to the confusion. "Don't run as root. When tested as non-root, permissions error."

JRWoodward MSW · Feb 9, 2019

I had a similar error message. My nginx.conf was creating the nginx.pid file in "logs". It needs to be in /var/run for service nginx start/stop to run. I commented out the line near the top that assigned nginx.pid to "logs" and it was created where it was supposed to be.

nginx Permissions Clarification

daBee

SirDice

Administrator

daBee

SirDice

Administrator

daBee

SirDice

Administrator

daBee

daBee

drhowarddrfine

SirDice

Administrator

daBee

daBee

joneum@

daBee

SirDice

Administrator

daBee

SirDice

Administrator

daBee

JRWoodward MSW