Re: nginx log uid/gid

2018-05-10 Thread Maxim Dounin
Hello!

On Wed, May 09, 2018 at 11:00:54AM -0400, Lubos Uhliarik wrote:

> Hello nginx devel list,
> 
> I'm experiencing following situation. When nginx is started, it creates logs 
> in its log directory with following permissions:
> 
> # ls -la /var/log/nginx
> total 12
> drwxrwx---. 2 nginx root 4096 May  9 09:59 .
> drwxr-xr-x. 9 root  root 4096 May  9 07:01 ..
> -rw-r--r--. 1 root  root    0 May  9 09:59 access.log
> -rw-r--r--. 1 root  root  374 May  9 09:59 error.log
> 
> But when I send USR1 signal to nginx master process (for log rotation), it 
> creates files with different owner (user specified
> in nginx configuration - in this case "nginx" user).
> 
> # rm /var/log/nginx/*.log
> # systemctl kill --signal=USR1 nginx
> # ls -la /var/log/nginx
> total 8
> drwxrwx---. 2 nginx root 4096 May  9 10:02 .
> drwxr-xr-x. 9 root  root 4096 May  9 07:01 ..
> -rw-r--r--. 1 nginx root    0 May  9 10:02 access.log
> -rw-r--r--. 1 nginx root    0 May  9 10:02 error.log
> 
> Is this behavior desired? I guess so, since in 
> /src/os/unix/ngx_process_cycle.c is:
> 
> if (ngx_reopen) {
>     ngx_reopen = 0;
>     ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reopening logs");
>     ngx_reopen_files(cycle, ccf->user);
>     ngx_signal_worker_processes(cycle,
>                                 ngx_signal_value(NGX_REOPEN_SIGNAL));
> }
> 
> ngx_reopen_files function call has second param set (ccf->user), which is in 
> all other
> cases -1. Why do you change owner only after processing USR1 signal? This 
> causes problem,
> when nginx is restarted:

After the USR1 signal nginx has to ensure that already running 
worker processes will be able to open new log files for writing.  
To do so, it ensures that files are owned by the nginx user, and 
have at least 0600 access mode.

(Note well that by using nginx:root on /var/log/nginx you are 
allowing privilege escalation similar to one previously seen in 
Debian packages, see CVE-2016-1247.)

> # systemctl restart nginx
> Job for nginx.service failed because the control process exited with error 
> code.
> See "systemctl status nginx.service" and "journalctl -xe" for details.
> 
> # systemctl status nginx.service
> ● nginx.service - The nginx HTTP and reverse proxy server
>    Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor 
> preset: disabled)
>    Active: failed (Result: exit-code) since Wed 2018-05-09 10:12:21 EDT; 5s 
> ago
>   Process: 1805 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
>   Process: 1817 ExecStartPre=/usr/sbin/nginx -t (code=exited, 
> status=1/FAILURE)
>   Process: 1816 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, 
> status=0/SUCCESS)
>  Main PID: 1806 (code=exited, status=0/SUCCESS)
> 
> May 09 10:12:21 host-172-16-36-25 systemd[1]: Starting The nginx HTTP and 
> reverse proxy server...
> May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: [alert] could not open 
> error log file: open() "/var/log/nginx/error.log" failed (13: Permission 
> denied)
> May 09 10:12:21 host-172-16-36-25 nginx[1817]: 2018/05/09 10:12:21 [warn] 
> 1817#0: could not build optimal types_hash, you should increase either 
> types_hash_max_size: 2048 o>
> May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: the configuration file 
> /etc/nginx/nginx.conf syntax is ok
> May 09 10:12:21 host-172-16-36-25 nginx[1817]: 2018/05/09 10:12:21 [emerg] 
> 1817#0: open() "/var/log/nginx/error.log" failed (13: Permission denied)
> May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: configuration file 
> /etc/nginx/nginx.conf test failed
> May 09 10:12:21 host-172-16-36-25 systemd[1]: nginx.service: Control process 
> exited, code=exited status=1
> May 09 10:12:21 host-172-16-36-25 systemd[1]: nginx.service: Failed with 
> result 'exit-code'.
> May 09 10:12:21 host-172-16-36-25 systemd[1]: Failed to start The nginx HTTP 
> and reverse proxy server.
> 
> This is a problem with SELinux (dac_override). Since master process runs as 
> root, /var/log/nginx has ownership nginx:root,
> permissions 770 and NGX_FILE_DEFAULT_ACCESS is 644 for newly created logs.
> 
> One possible solution is to set different permission mode for newly created 
> logs (664 with nginx:root ownership) or do not set
> owner of log files to nginx user (which had probably some reason in past 
> because of extra param in ngx_reopen_files).

If needed in a particular setup, log files can be pre-created with 
desired permissions before instructing nginx to reopen them via 
USR1.

-- 
Maxim Dounin
http://mdounin.ru/
___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
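
The two points in the reply above (a log directory controlled by the worker user is the CVE-2016-1247 condition, and log files can be pre-created with the desired permissions before USR1), as an added shell example that is not part of the thread or of nginx. The function names, the conservative group/other-write rule, the sample modes and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example; function names and the chosen modes are assumptions.
# Requires GNU stat (-c).

# 0 = directory looks safe, 1 = worker-owned or group/other-writable,
# 2 = not a real directory. The group/other rule is deliberately conservative.
logdir_is_safe() {
    dir=$1 worker=$2
    { [ -d "$dir" ] && [ ! -L "$dir" ]; } || return 2
    owner=$(stat -c '%U' "$dir") || return 2
    mode=$(stat -c '%a' "$dir") || return 2
    [ "$owner" != "$worker" ] || return 1
    # The last two octal digits are group and other; 2, 3, 6, 7 include write.
    case $mode in
        *[2367]?|*[2367]) return 1 ;;
    esac
    return 0
}

# Pre-create one log file with explicit owner, group and mode, so that what
# nginx requires on USR1 (worker-user ownership, at least 0600) already holds.
# Call only for a directory that passed logdir_is_safe.
precreate_log() {
    path=$1 owner=$2 group=$3 mode=$4
    [ ! -L "$path" ] || return 1        # refuse symlinks in the log directory
    [ -e "$path" ] || : > "$path" || return 1
    chown "$owner:$group" "$path" && chmod "$mode" "$path"
}

# Typical use as root, before signalling the master process:
#   logdir_is_safe /var/log/nginx nginx || exit 1
#   precreate_log /var/log/nginx/access.log nginx root 640
#   systemctl kill --signal=USR1 nginx
```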

nginx log uid/gid

2018-05-09 Thread Lubos Uhliarik
Hello nginx devel list,

I'm experiencing following situation. When nginx is started, it creates logs in 
its log directory with following permissions:

# ls -la /var/log/nginx
total 12
drwxrwx---. 2 nginx root 4096 May  9 09:59 .
drwxr-xr-x. 9 root  root 4096 May  9 07:01 ..
-rw-r--r--. 1 root  root    0 May  9 09:59 access.log
-rw-r--r--. 1 root  root  374 May  9 09:59 error.log

But when I send USR1 signal to nginx master process (for log rotation), it 
creates files with different owner (user specified
in nginx configuration - in this case "nginx" user).

# rm /var/log/nginx/*.log
# systemctl kill --signal=USR1 nginx
# ls -la /var/log/nginx
total 8
drwxrwx---. 2 nginx root 4096 May  9 10:02 .
drwxr-xr-x. 9 root  root 4096 May  9 07:01 ..
-rw-r--r--. 1 nginx root    0 May  9 10:02 access.log
-rw-r--r--. 1 nginx root    0 May  9 10:02 error.log

Is this behavior desired? I guess so, since in /src/os/unix/ngx_process_cycle.c 
is:

if (ngx_reopen) {
    ngx_reopen = 0;
    ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reopening logs");
    ngx_reopen_files(cycle, ccf->user);
    ngx_signal_worker_processes(cycle,
                                ngx_signal_value(NGX_REOPEN_SIGNAL));
}

ngx_reopen_files function call has second param set (ccf->user), which is in 
all other
cases -1. Why do you change owner only after processing USR1 signal? This 
causes problem,
when nginx is restarted:

# systemctl restart nginx
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.

# systemctl status nginx.service
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor 
preset: disabled)
   Active: failed (Result: exit-code) since Wed 2018-05-09 10:12:21 EDT; 5s ago
  Process: 1805 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 1817 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
  Process: 1816 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, 
status=0/SUCCESS)
 Main PID: 1806 (code=exited, status=0/SUCCESS)

May 09 10:12:21 host-172-16-36-25 systemd[1]: Starting The nginx HTTP and 
reverse proxy server...
May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: [alert] could not open 
error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
May 09 10:12:21 host-172-16-36-25 nginx[1817]: 2018/05/09 10:12:21 [warn] 
1817#0: could not build optimal types_hash, you should increase either 
types_hash_max_size: 2048 o>
May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: the configuration file 
/etc/nginx/nginx.conf syntax is ok
May 09 10:12:21 host-172-16-36-25 nginx[1817]: 2018/05/09 10:12:21 [emerg] 
1817#0: open() "/var/log/nginx/error.log" failed (13: Permission denied)
May 09 10:12:21 host-172-16-36-25 nginx[1817]: nginx: configuration file 
/etc/nginx/nginx.conf test failed
May 09 10:12:21 host-172-16-36-25 systemd[1]: nginx.service: Control process 
exited, code=exited status=1
May 09 10:12:21 host-172-16-36-25 systemd[1]: nginx.service: Failed with result 
'exit-code'.
May 09 10:12:21 host-172-16-36-25 systemd[1]: Failed to start The nginx HTTP 
and reverse proxy server.

This is a problem with SELinux (dac_override). Since master process runs as 
root, /var/log/nginx has ownership nginx:root,
permissions 770 and NGX_FILE_DEFAULT_ACCESS is 644 for newly created logs.

One possible solution is to set different permission mode for newly created 
logs (664 with nginx:root ownership) or do not set
owner of log files to nginx user (which had probably some reason in past 
because of extra param in ngx_reopen_files).

Thank you for your help or advice!

Best,

--
Lubos Uhliarik
Software Engineer - EMEA ENG Developer Experience
RH - Brno - TPB-C - 1D221
IRC: zero_byte at irc.freenode.net
