Hello,
I've been trying to set up an nginx server and followed the tutorial on chroot-ing (https://wiki.archlinux.org/index.php/Nginx) and all. I have been running into an issue when starting the server and I think that my problem lies with the fact that I haven't been able to run setcap on my nginx file. I had found this thread (https://bbs.archlinux.org/viewtopic.php?id=159333) but am still getting an error when the solution to that thread is offered...
This is the output when I run systemctl start nginx:
nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/etc/systemd/system/nginx.service; enabled)
Active: failed (Result: exit-code) since Wed 2013-04-24 20:12:11 CDT; 7min ago
Process: 10519 ExecStartPre=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g pid /run/nginx.pid; daemon on; master_process on; (code=exited, status=1/FAILURE)
Apr 24 20:12:10 alarm systemd[1]: Starting A high performance web server and a reverse proxy server...
Apr 24 20:12:11 alarm chroot[10519]: nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
Apr 24 20:12:11 alarm chroot[10519]: nginx: configuration file /etc/nginx/nginx.conf test failed
Apr 24 20:12:11 alarm systemd[1]: nginx.service: control process exited, code=exited status=1
Apr 24 20:12:11 alarm systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Apr 24 20:12:11 alarm systemd[1]: MESSAGE=Unit nginx.service entered failed state.
When I attempt to use setcap using the following:
setcap cap_net_bind_service=+ep /srv/http/usr/sbin/nginx
I get this error:
Failed to set capabilities on file '/srv/http/usr/sbin/nginx' (Operation not supported)
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
Note <filename> must be a regular (non-symlink) file.
I've been trying to figure out what to do, but am kind of hitting a wall. I would appreciate any help on this topic if possible, and I'm hoping it's something simple that I'm missing/forgetting.
Thanks for the help in advance
Offline
I understand that and double checked the instructions on how /srv/http/usr/sbin/nginx gets populated.
To get nginx into /srv/http/usr/sbin, I did the following:
cp /usr/sbin/nginx /srv/http/usr/sbin/
I can run 'stat' on the file to double check (at least I think that's the method... also at work now, so try when I get home), but it would seem like 'cp' wouldn't create a symlink.
Could there be something else that could be causing the error?
Offline
I have the same problem: I followed the "Installation in a chroot" tutorial step by step, but
setcap 'cap_net_bind_service=+ep' $JAIL/usr/bin/nginx
returns
Failed to set capabilities on file `/srv/http/usr/bin/nginx' (Operation not supported)
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
Note <filename> must be a regular (non-symlink) file.
although the file is definitely no symlink:
$ stat $JAIL/usr/bin/nginx
File: ‘/srv/http/usr/bin/nginx’
Size: 797008 Blocks: 1568 IO Block: 4096 regular file
Device: 802h/2050d Inode: 89502 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2013-10-02 02:48:48.577057281 +0200
Modify: 2013-10-02 02:36:09.177236025 +0200
Change: 2013-10-02 02:40:46.622042043 +0200
Birth: -
Offline
Probably obvious, but you are trying with root privileges, right? I ask because you ran stat as a regular user. That's fine, of course. But there's no indicator for setcap.
Offline
A reboot solved the problem, setcap works fine now.
(I did everything as root, also stat)
Offline
After re-trying the whole process a few times (process being the nginx arch tutorial), I was unsuccessful at getting the SETCAP error to resolve. I tried a reboot and did a 'pacman -Syu' just this morning. I'm still unable to get this to work for me in the JAIL setup.
In case anyone has any more ideas, aside from votacom's solution, I'd be more than happy to try. If it helps, my kernel is 3.11.3-1-ARCH. I have been successful (and have been using) nginx in its normal environment instead of in a chroot. For my purposes, it's not a big deal to have it outside the jail; however, it has frustrated me that I couldn't get this to work.
The output from when I run
# setcap 'cap_net_bind_service=+ep' $JAIL/usr/bin/nginx
spits out this error:
Failed to set capabilities on file `/srv/http/usr/bin/nginx' (Operation not supported)
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
Note <filename> must be a regular (non-symlink) file.
And this is what happens when I run stat:
File: ‘/srv/http/usr/bin/nginx’
Size: 1071060 Blocks: 2104 IO Block: 4096 regular file
Device: 811h/2065d Inode: 97995 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2013-10-03 06:38:54.000000000 -0500
Modify: 2013-07-17 13:44:10.000000000 -0500
Change: 2013-07-17 14:31:41.000000000 -0500
Birth: -
**It should be noted that when I was working on setting up the jail, I was working as root.
Offline
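setcap stores the capability set in the file's security.capability extended attribute, so "Operation not supported" on a regular file points at the filesystem or kernel rather than at the binary. The sketch below is an added example, not from any poster in this thread: the function names, the sample mount table and the sample kernel config are constructed, and it only covers ext4, FAT-family filesystems and the nosuid mount option.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not from the thread.

# mount_for PATH MOUNTS: print "mountpoint fstype options" of the mount that
# holds PATH (longest matching mount point; the later entry wins on a tie).
# MOUNTS is a file in /proc/self/mounts format.
mount_for() {
    awk -v p="$1" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= length(best)) { best = $2; out = $2 " " $3 " " $4 }
        }
        END { print out }' "$2"
}

# setcap_blockers PATH MOUNTS CONFIG: one line per finding that would make
# setcap fail on PATH or leave the capability without effect; silent if none.
# CONFIG is a plain-text kernel config, e.g. the output of: zcat /proc/config.gz
setcap_blockers() {
    info=$(mount_for "$1" "$2")
    fstype=$(echo "$info" | cut -d' ' -f2)
    case "$fstype" in
        # FAT-family filesystems cannot store extended attributes at all.
        vfat|msdos|exfat) echo "$fstype: no extended attributes" ;;
        # ext4 stores security.* xattrs only if the kernel was built for it.
        ext4) grep -q '^CONFIG_EXT4_FS_SECURITY=y' "$3" ||
                  echo "ext4: CONFIG_EXT4_FS_SECURITY is not set" ;;
    esac
    # On a nosuid mount setcap may succeed, but exec ignores the capability.
    case ",$(echo "$info" | cut -d' ' -f3)," in
        *,nosuid,*) echo "nosuid: file capabilities are ignored at exec" ;;
    esac
}

# Constructed sample inputs (not taken from any poster's machine).
SAMPLE_MOUNTS=$(mktemp); SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/root / ext4 rw,relatime 0 0
/dev/sda1 /boot vfat rw,nosuid 0 0
/dev/sdb1 /srv/http ext4 rw,nosuid,nodev 0 0
EOF
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_EXT4_FS=y
# CONFIG_EXT4_FS_SECURITY is not set
EOF
setcap_blockers /srv/http/usr/bin/nginx "$SAMPLE_MOUNTS" "$SAMPLE_CONFIG"
```

On a live system, pass /proc/self/mounts and a decompressed copy of the running kernel's config in place of the two sample files.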