Hello nginx devel list,

I'm experiencing the following situation. When nginx is started, it creates logs in its log directory with the following permissions:

    # ls -la /var/log/nginx
    total 12
    drwxrwx---. 2 nginx root 4096 May 9 09:59 .
    drwxr-xr-x. 9 root root 4096 May 9 07:01 ..
    -rw-r--r--. 1 root root 0 May 9 09:59 access.log
    -rw-r--r--. 1 root root 374 May 9 09:59 error.log

But when I send the USR1 signal to the nginx master process (for log rotation), it creates files with a different owner (the user specified in the nginx configuration - in this case the "nginx" user).

    # rm /var/log/nginx/*.log
    # systemctl kill --signal=USR1 nginx
    # ls -la /var/log/nginx
    total 8
    drwxrwx---. 2 nginx root 4096 May 9 10:02 .
    drwxr-xr-x. 9 root root 4096 May 9 07:01 ..
    -rw-r--r--. 1 nginx root 0 May 9 10:02 access.log
    -rw-r--r--. 1 nginx root 0 May 9 10:02 error.log

Is this behavior desired? I guess so, since in /src/os/unix/ngx_process_cycle.c there is:

    if (ngx_reopen) {
        ngx_reopen = 0;
        ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reopening logs");
        ngx_reopen_files(cycle, ccf->user);
        ngx_signal_worker_processes(cycle,
                                    ngx_signal_value(NGX_REOPEN_SIGNAL));
    }

The ngx_reopen_files function call has its second param set (ccf->user), which is -1 in all other cases. Why do you change the owner only after processing the USR1 signal?

This causes a problem when nginx is restarted:

    # systemctl restart nginx
    Job for nginx.service failed because the control process exited with error code.
    See "systemctl status nginx.service" and "journalctl -xe" for details.

    # systemctl status nginx.service
    ● nginx.service - The nginx HTTP and reverse proxy server
       Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Wed 2018-05-09 10:12:21 EDT; 5s ago
      Process: 1805 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
      Process: 1817 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
      Process: 1816 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
     Main PID: 1806 (code=exited, status=0/SUCCESS)

    May 09 10:12:21 host-172-16-36-25 systemd[1]: Starting The nginx HTTP and reverse proxy server...
    May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
    May 09 10:12:21 host-172-16-36-25 nginx[1817]: 2018/05/09 10:12:21 [warn] 1817#0: could not build optimal types_hash, you should increase either types_hash_max_size: 2048 o>
    May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    May 09 10:12:21 host-172-16-36-25 nginx[1817]: 2018/05/09 10:12:21 [emerg] 1817#0: open() "/var/log/nginx/error.log" failed (13: Permission denied)
    May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: configuration file /etc/nginx/nginx.conf test failed
    May 09 10:12:21 host-172-16-36-25 systemd[1]: nginx.service: Control process exited, code=exited status=1
    May 09 10:12:21 host-172-16-36-25 systemd[1]: nginx.service: Failed with result 'exit-code'.
    May 09 10:12:21 host-172-16-36-25 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.

This is a problem with SELinux (dac_override). The master process runs as root, /var/log/nginx has ownership nginx:root and permissions 770, and NGX_FILE_DEFAULT_ACCESS is 644 for newly created logs.

One possible solution is to set a different permission mode for newly created logs (664 with nginx:root ownership) or to not set the owner of log files to the nginx user (which probably had some reason in the past, because of the extra param in ngx_reopen_files).

Thank you for your help or advice!

Best,

--
Lubos Uhliarik
Software Engineer - EMEA ENG Developer Experience
RH - Brno - TPB-C - 1D221
IRC: zero_byte at irc.freenode.net
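
An added example, not part of the original message and not nginx code: a small model of the plain Unix DAC check that applies to the root master process once SELinux denies dac_override, used to audit a log directory for files the master could not reopen. The function names and the uid 996 for the "nginx" user are assumptions made for illustration; POSIX ACLs are not modelled.

```python
import os

W, X = 2, 1  # write / search bits inside one rwx triplet

def dac_allows(perm, uid, gids, want):
    """perm is (mode, owner_uid, owner_gid). Exactly one class is consulted:
    owner, else group, else other. No capability override is applied."""
    mode, f_uid, f_gid = perm
    if uid == f_uid:
        bits = mode >> 6
    elif f_gid in gids:
        bits = mode >> 3
    else:
        bits = mode
    return (bits & 7) & want == want

def can_append_log(dir_perm, file_perm, uid=0, gids=(0,)):
    """True if uid/gids may open the log for append under plain DAC."""
    if file_perm is None:  # log absent: creating it needs w+x on the directory
        return dac_allows(dir_perm, uid, gids, W | X)
    return (dac_allows(dir_perm, uid, gids, X)
            and dac_allows(file_perm, uid, gids, W))

def perm_of(path):
    st = os.stat(path)
    return (st.st_mode & 0o7777, st.st_uid, st.st_gid)

def audit(log_dir, uid=0, gids=(0,)):
    """Names of *.log files in log_dir that uid/gids could not append to."""
    d = perm_of(log_dir)
    return [n for n in sorted(os.listdir(log_dir))
            if n.endswith(".log")
            and not can_append_log(d, perm_of(os.path.join(log_dir, n)), uid, gids)]

NGINX_UID = 996                       # constructed uid for the "nginx" user
LOG_DIR = (0o770, NGINX_UID, 0)       # drwxrwx--- nginx root, as in the message
CASES = {                             # constructed from the listings in the message
    "at start (root:root 644)":   (0o644, 0, 0),
    "after USR1 (nginx:root 644)": (0o644, NGINX_UID, 0),
    "proposed (nginx:root 664)":  (0o664, NGINX_UID, 0),
}

if __name__ == "__main__":
    for label, file_perm in CASES.items():
        ok = can_append_log(LOG_DIR, file_perm)
        print(f"{label}: root without dac_override can append = {ok}")
    if os.path.isdir("/var/log/nginx"):
        print("unwritable for the master:", audit("/var/log/nginx"))
```
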