nginx Permissions Clarification

daBee

Active Member

Reaction score: 7
Messages: 190

Hi folks.

My workstation is a Mac (El Capitan), and I have a FreeBSD box on version 11.1 Release, running nginx on both. Both have the user commented out, yet I continue to get errors on the following commands on the FreeBSD box:

Code:
$ nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
$ nginx -s reload
nginx: [alert] kill(639, 1) failed (1: Operation not permitted)

nginx.pid is owned by root/wheel.

So I'm confused again, as I have been in the past. The maintainer for nginx did not reply to me on this. I submitted it personally, never got an answer. I think this is important as it's a root / user permissions issue on a major app. I'm thinking I'm missing something, and it's just me. But I'm still confused. I have no errors on my Mac workstation.

Can someone please shed some light on where I'm going wrong? Any insight appreciated.

Cheers
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,684
Messages: 30,622

Remove the PID file and remove the pid = line from nginx.conf.
 
daBee

pid file already commented out. Removing it did nothing. Then I tried the following:

Code:
[Mon Apr 30 11:53:29 adminuser@serverbox /var/run] nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
[Mon Apr 30 11:53:41 adminuser@serverbox /var/run] sudo nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
 

SirDice

Use service nginx start to start it. Note that the rc(8) script checks the config before starting the server. If you just want to check the config, use service nginx configtest.
 
daBee

Oh it's running. It's always been running. That's not the issue. These errors are the issue. It's serving fine. /var/run/nginx.pid has been recreated, and serving fine. The admin commands provided just keep giving me errors and I want to finally get a green light before moving on.

Sorry...furthermore...

Code:
[Mon Apr 30 12:01:07 adminuser@serverbox /var/run] service nginx configtest
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

Edit, FYI, while the service is indeed running:

Code:
[Mon Apr 30 12:06:59 adminuser@serverbox /var/run] service nginx reload
nginx not running? (check /var/run/nginx.pid).
 

SirDice

The reason it's giving you errors is because you're running the tests as a regular user. The pid is root owned and I suspect part of the test is to see if the pid file is writable (which only root is allowed to do).

Just use this:
Code:
root@armitage:~ # service nginx configtest
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
 
daBee

OK, this sounds good. I thought because it's running as non-root, that it would not barf at me trying to do those tests. I would have thought that the maintainer (or the nginx people) would think that the "run as root" vs "pid view needs root" and figured that out.

I've updated my last post, as the test you give, works for me on my Mac box. FreeBSD gives me permissions errors as this user (admin) can't force the test to run as root without sudo. Hence confusing. Two different models.
 
daBee

Even more confusing:

Code:
[Mon Apr 30 12:13:40 adminuser@serverbox /var/run] service nginx status
nginx is not running.
 

SirDice

Yes, it's good to stress this. All services are started as root but a lot of services will lower their privileges once started. A good example is this case, nginx is started as root but as soon as the ports have been opened, pidfile written, log files opened etc, will drop its privileges to the www user. Webservers typically must be started as root because only root can open (network) ports below 1024.
 
daBee

> To be clear, nginx must run as root. Are you doing that? I'm confused by your posts.
I have been told numerous times that I should never run nginx as root. I personally don't mind running it as root or not. I just want some clarity.
 
daBee

> Yes, it's good to stress this. All services are started as root but a lot of services will lower their privileges once started. A good example is this case, nginx is started as root but as soon as the ports have been opened, pidfile written, log files opened etc, will drop its privileges to the www user. Webservers typically must be started as root because only root can open (network) ports below 1024.
Ah that makes sense. I'll give it a whirl today with root in the conf.
 

joneum@

Member
Developer

Reaction score: 8
Messages: 41

> Hi folks.
>
> [..]
>
> So I'm confused again, as I have been in the past. The maintainer for nginx did not reply to me on this. I submitted it personally, never got an answer. [..]
When did you send me an email? It is always better to ask here in the forum. Or to open a PR.
 
daBee

Months ago. I was told they would get back to me. I replied a couple of weeks later, with no reply.
 

SirDice

> I'll give it a whirl today with root in the conf.
No, that would be a bad idea as this will make it run as root for everything and this is considered a huge security risk. You start the thing as root but it actually runs on the www account. So don't make those changes, leave this as-is (it does the right thing by default).
 
daBee

So I'm right back at the very beginning. So what do I do? I keep getting conflicting information. Second, if it's in the proper configuration, why would nginx -t fail without using sudo?
 

SirDice

You start the service as root: service nginx start. But once it's started privileges will be dropped to www. Setting the user inside nginx.conf isn't needed, that option is given as a parameter by the rc(8) script that starts the service. Privileges are dropped after nginx has opened the pidfile, logfiles and ports.

> Second, if it's in the proper configuration, why would nginx -t fail without using sudo?
Because the test tries to open the pidfile for writing and only root is allowed to do that.
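
Added example, not part of any post in this thread: a shell check of the privilege split described above, where the master process keeps root and the worker processes run as www. It reads ps-style rows on stdin; the function name check_nginx_privs and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the nginx privilege split from process-list rows.
# Input (stdin): "USER PID PPID COMMAND..." rows, e.g. the output of
#   ps -axo user,pid,ppid,command
# Exit status: 0 = no nginx helper process runs as root, 1 = deviation.
check_nginx_privs() {
    awk '
    $4 != "nginx:" { next }                 # skip header and other programs
    $5 == "master" {                        # master keeps the start-up user
        print "info master pid " $2 " runs as " $1
        next
    }
    {                                       # worker, cache manager, ...
        helpers++
        if ($1 == "root") {
            print "FAIL " $5 " pid " $2 " runs as root"
            bad = 1
        } else {
            print "ok   " $5 " pid " $2 " runs as " $1
        }
    }
    END {
        if (helpers == 0) {
            print "FAIL no nginx worker processes found"
            bad = 1
        }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample rows (not captured from the poster's machine).
# Default model from the thread: started as root, workers dropped to www.
SAMPLE_DEFAULT='USER PID PPID COMMAND
root 639 1 nginx: master process /usr/local/sbin/nginx
www 640 639 nginx: worker process (nginx)'

# What the process list would look like with root set as the worker user.
SAMPLE_ROOT_WORKER='USER PID PPID COMMAND
root 639 1 nginx: master process /usr/local/sbin/nginx
root 640 639 nginx: worker process (nginx)'

printf '%s\n' "$SAMPLE_DEFAULT" | check_nginx_privs || echo "=> deviation"
printf '%s\n' "$SAMPLE_ROOT_WORKER" | check_nginx_privs || echo "=> deviation"
```

To run it against the live system, pipe the output of ps -axo user,pid,ppid,command into check_nginx_privs.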
 
daBee

Yes, understood. That is a continuity issue with how it's supposed to work as non-root. Just saying, it only adds to the confusion. "Don't run as root. When tested as non-root, permissions error."
 

JRWoodward MSW

New Member


Messages: 1

I had a similar error message. My nginx.conf was creating the nginx.pid file in "logs". It needs to be in /var/run for service nginx start/stop to run. I commented out the line near the top that assigned nginx.pid to "logs" and it was created where it was supposed to be.
 