So I started nginx and can't set good permissions for the .crt and .key files, which are owned by root now, because I've read that the user nginx runs as should not own any files, so I've changed them to the values suggested on the wiki: 440 for the key and 444 for the certificate (nginx runs via a systemd service as user http and says that it doesn't have permission to read those files). Another problem I have: I accidentally set /var/log to 644 (I wanted to change /var/log/nginx) and now logrotate.service does not work either and I can't read the journal as my daily user. Could somebody help me? I've been messing with permissions for about an hour now and can't get everything to work.
Last edited by corpze (2019-05-13 07:10:50)
1) Obviously the user in whose context nginx is running needs to be able to read the keys and certificates in order to set up TLS.
I am not sure at this moment whether it is sufficient to let the respective files be owned by root or the substituted user http.
But your error description suggests that the latter is the case.
Update:
I just checked on our server. It is sufficient for root to be able to read the files.
Nginx obviously reads those before dropping privileges to the substituted user configured in /etc/nginx/nginx.conf.
2) Please post full error logs and the current permissions of the directory tree under /var/log.
Last edited by schard (2019-05-13 08:17:57)
Inofficial first vice president of the Rust Evangelism Strike Force
Nginx is started as user http (defined in a drop-in for nginx.service, not in nginx.conf). The error while starting says [emerg] 7762#7762: cannot load certificate "/etc/nginx/ssl/server.crt": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/nginx/ssl/server.crt','r') error:2006D002:BIO routines:BIO_>. Even after setting permissions to 755.
Logrotate repaired itself after reboot.
Okay, it was a umask problem (I think). After setting it to 022 for user root it works. Now it only can't read server.key, so I'll figure it out from here on. Yep, solved.
Last edited by corpze (2019-05-14 11:44:12)
Nginx is started as user http (defined at drop-in for nginx.service not in nginx.conf).
Why would you do that? Nginx needs to be root to e.g. bind privileged ports.
It doesn't need to be root if it has this ability via the "CAP_NET_BIND_SERVICE" capability. The wiki talks about rootless nginx here: https://wiki.archlinux.org/index.php/Ng … ng_systemd.
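The permission layout the thread settles on (root-owned key at 0440, certificate at 0444, a traversable 0755 /var/log), as an added audit script that is not part of the thread; it assumes GNU coreutils stat as on Arch, and the kind/path pairs on the command line are the caller's own.

```sh
#!/bin/sh
# Added example, not from the thread: an audit for the permission layout the
# thread settles on. nginx's master process opens the TLS files as root before
# dropping to the worker user (http here), so server.key can stay root-owned
# and 0440 and server.crt 0444; /var/log must keep its execute bits (0755) or
# logrotate and journal readers cannot traverse it, as happened in the thread.
# Assumption: GNU coreutils stat (as on Arch); check_* functions take MODE [OWNER].

# mode_within MODE MAX: true if no permission bit of MODE's last three octal
# digits lies outside MAX (e.g. 400 and 440 are within 440, 644 is not).
mode_within() {
    m=$(( 0$(printf '%s' "$1" | tail -c 3) ))
    [ $(( m & ~0$2 )) -eq 0 ]
}

# Private key: root-owned, never world-readable, at most 0440.
check_tls_key() { [ "$2" = "root" ] && mode_within "$1" 440; }

# Certificate: public data, at most 0444 (no write bits for group/other).
check_tls_cert() { mode_within "$1" 444; }

# Log directory: traversable by everyone (x bits set) and not group/world writable.
check_log_dir() {
    m=$(( 0$(printf '%s' "$1" | tail -c 3) ))
    [ $(( m & 0111 )) -eq $(( 0111 )) ] && [ $(( m & 022 )) -eq 0 ]
}

# audit_path KIND PATH: stat the real file, print a verdict and return the
# check's status, so the script can serve as a pre-start sanity check.
audit_path() {
    kind=$1; path=$2
    mode=$(stat -c '%a' "$path") || return 1
    owner=$(stat -c '%U' "$path") || return 1
    case $kind in
        key)  check_tls_key "$mode" "$owner" ;;
        cert) check_tls_cert "$mode" ;;
        log)  check_log_dir "$mode" ;;
        *)    echo "unknown kind: $kind" >&2; return 2 ;;
    esac
    rc=$?
    [ $rc -eq 0 ] && verdict=OK || verdict=FIX
    printf '%-4s %s %s:%s %s\n' "$verdict" "$kind" "$owner" "$mode" "$path"
    return $rc
}

# Usage: ./audit.sh key /etc/nginx/ssl/server.key cert /etc/nginx/ssl/server.crt log /var/log
status=0
while [ $# -ge 2 ]; do audit_path "$1" "$2" || status=1; shift 2; done
```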