You are not logged in.
Pages: 1
Hi all,
I have Arch Linux running on a VPS. I managed to install nginx in a chroot environment as described by the documentation. Everything works well for now except SSL.
The problem I have is that nginx now run as http user therefore I need to change the ownership of my ssl key file otherwise nginx can't read it and raise an error. I did install nginx in a chroot for security purposes but now I have my ssl key no longer owned by root and I feel like this is less secure if my server is compromised. Is that true ?
Thanks in advance,
Charlie
Offline
Ubuntu have a sensible way of handling this - a group named "ssl-cert".
Put your http user in the ssl-cert group.
Cert key file properties should then be:
* chmod 640
* chown root:ssl-cert
Offline
Ubuntu have a sensible way of handling this - a group named "ssl-cert".
Put your http user in the ssl-cert group.
Cert key file properties should then be:
* chmod 640
* chown root:ssl-cert
How is this better then chgrp-ing to http? @ts; are you sure the chroot caused this? I'm pretty sure nginx reads the private-key as root, before dropping privileges.
Offline
How is this better then chgrp-ing to http?
When the private key is used by *multiple* server processes, not just a webserver.
E.g.: LDAP server, Jabber server, Mailserver.
Offline
Archlinux doesn't come with a ssl-cert group. How should I process ?
@Spider.007 : from Arch nginx documentation under 'Installation in a chroot section' : "Arch comes with an http user and group by default which will run the server."
Last edited by lichar (2015-06-21 01:02:08)
Offline
groupadd --system ssl-cert
However, to keep things as simple as possible, just stick with the http user and group for now.
Use the chown and chmod commands. E.g.:
chown root:http mycert.key
chmod 640 mycert.key
Offline
[...]
@Spider.007 : from Arch nginx documentation under 'Installation in a chroot section' : "Arch comes with an http user and group by default which will run the server."
But did you keeping the private key owned by root? The documentation is incomplete; have a look at the user that runs the nginx master process (hint; it's not http)
Last edited by Spider.007 (2015-06-21 13:38:31)
Offline
@Spider.007 :
ps -aux | grep nginx
http 11919 0.0 0.0 23896 1096 ? Ss Jun20 0:00 nginx: master process /usr/bin/nginx -g pid /run/nginx.pid; daemon on; master_process on;
http 11920 0.0 0.2 25728 6996 ? S Jun20 0:09 nginx: worker process
root 14027 0.0 0.0 73252 0 ? Ss Apr09 0:00 nginx: master process /usr/sbin/nginx
I see two master processes. One for root and the other for http. Seems to be a problem here no ?
EDIT
I killed the old nginx process from Apr09. Now I only have one master process and one worker process both run by http user.
If I keep the private key owned by root nginx raise an error when I start/reload it using systemd.
@brebs: I know I can add a group but I thought you were talking about a specific group that has specific "rules".
Eventually I thought that my ssl key is in the chroot (what a surprise ^^) which means that to navigate through that folder a user needs root privileges or be part of http. However why is
chown root:http
more secure than changing ownership only to http ?
Last edited by lichar (2015-06-23 18:02:11)
Offline
... more secure than changing ownership only to http ?
I was just giving you a perfectly reasonable and sensible example.
Offline
Pages: 1