Hi All,
I have hosted an nginx server instance and the temp directories are created under /etc/nginx/
$ ls -ld /etc/nginx/*_temp
drwx------ 2 nobody root 4096 Mar 16 15:21 /etc/nginx/client_body_temp
drwx------ 2 nobody root 4096 Mar 16 15:21 /etc/nginx/fastcgi_temp
drwx------ 2 nobody root 4096 Mar 16 15:21 /etc/nginx/proxy_temp
drwx------ 2 nobody root 4096 Mar 16 15:21 /etc/nginx/scgi_temp
drwx------ 2 nobody root 4096 Mar 16 15:21 /etc/nginx/uwsgi_temp
And I updated to a newer version of nginx which runs in the "nginx" user context, and after that the ownership of these directories is getting changed to nginx:root. But the issue is that it happens only on these top directories and not on the directories within these temp directories.
I did strace on the same to confirm my theory.
mkdir("/etc/nginx/client_body_temp", 0700) = -1 EEXIST (File exists)
stat("/etc/nginx/client_body_temp", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
chown("/etc/nginx/client_body_temp", 997, -1) = 0
mkdir("/etc/nginx/proxy_temp", 0700) = -1 EEXIST (File exists)
stat("/etc/nginx/proxy_temp", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
chown("/etc/nginx/proxy_temp", 997, -1) = 0
mkdir("/etc/nginx/fastcgi_temp", 0700) = -1 EEXIST (File exists)
stat("/etc/nginx/fastcgi_temp", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
chown("/etc/nginx/fastcgi_temp", 997, -1) = 0
mkdir("/etc/nginx/uwsgi_temp", 0700) = -1 EEXIST (File exists)
stat("/etc/nginx/uwsgi_temp", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
chown("/etc/nginx/uwsgi_temp", 997, -1) = 0
mkdir("/etc/nginx/scgi_temp", 0700) = -1 EEXIST (File exists)
stat("/etc/nginx/scgi_temp", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
Now the issue is, why does chown happen only on the top directory and not recursively on all files and directories inside them? Is this a bug, or is it fixed in the latest version of nginx?
I'm currently using nginx-1.22.0. Any help would be appreciated. Thanks.
--
Shedi
Hi there,
On Thu, Mar 16, 2023 at 06:19:42PM +0000, Shreenidhi Shedi via nginx wrote:
>
> I have hosted a nginx server instance and the temp directories are created
> under /etc/nginx/
>
> $ ls -ld /etc/nginx/*_temp
> drwx------ 2 nobody root 4096 Mar 16 15:21 /etc/nginx/client_body_temp
> drwx------ 2 nobody root 4096 Mar 16 15:21 /etc/nginx/fastcgi_temp
> drwx------ 2 nobody root 4096 Mar 16 15:21 /etc/nginx/proxy_temp
> drwx------ 2 nobody root 4096 Mar 16 15:21 /etc/nginx/scgi_temp
> drwx------ 2 nobody root 4096 Mar 16 15:21 /etc/nginx/uwsgi_temp
Could you share an output of the following command:
% nginx -V
> I'm currently using nginx-1.22.0. Any help would be appreciated. Thanks.
I assume that's the official package from the following distribution point,
http://nginx.org/en/linux_packages.html. And if not, how have that
nginx and the packages been built?
Thank you.
--
Sergey A. Osokin
Hi,
Thanks for the response.
I'm using nginx from Photon OS.
https://github.com/vmware/photon/blob/3.0/SPECS/nginx/nginx.spec
Please see the changelog between v1.16.1-6 and v1.16.1-7
--
Shedi
Hi,
On Thu, Mar 16, 2023 at 07:05:20PM +0000, Shreenidhi Shedi wrote:
> I'm using nginx from Photon OS.
> https://github.com/vmware/photon/blob/3.0/SPECS/nginx/nginx.spec
>
> Please see the changelog between v1.16.1-6 and v1.16.1-7
Would you mind sharing the following? Thanks.
> Could you share an output of the following command:
> % nginx -V
Could you also share the output of the following command:
% nginx -T
Thank you.
--
Sergey A. Osokin
Hi,
On Thu, Mar 16, 2023 at 06:19:42PM +0000, Shreenidhi Shedi via nginx wrote:
>
> I have hosted a nginx server instance and the temp directories are created under /etc/nginx/
>
> $ ls -ld /etc/nginx/*_temp
> drwx------ 2 nobody root 4096 Mar 16 15:21 /etc/nginx/client_body_temp
[...]
>
> And I updated to a newer version of nginx which runs in "nginx" user
> context and after that these directory ownership is getting changed
> to nginx:root but the issue is, it happens only on these top
> directories and not directories within these temp directories.
>
> I did strace on the same to confirm my theory.
[strace is skipped]
It seems like previously nginx' worker process was running under
`nobody' user, so the directory structure has appropriate
permissions. The configuration setting was changed to `nginx'
user then, and when nginx main process started, it checked and
updated directories permissions according to the new settings.
> Now the issue is, why chown happens only on top directory and
> not recursively on all files and directories inside them?
Please take a look in the source code,
http://hg.nginx.org/nginx/file/tip/src/core/ngx_file.c#l598
> Is this a bug or is it fixed in latest version of nginx?
I don't think there's a bug in that part of the code.
As a workaround for the transition of content to a new user, it's
easy to run a one-line script to update permissions of those
directories.
> I'm currently using nginx-1.22.0. Any help would be appreciated.
I'd recommend upgrading to the recent version in the stable
branch, 1.22.1.
Thank you.
--
Sergey A. Osokin
Hi,
Here you go.
root@ph3dev:~ # nginx -V
nginx version: nginx/1.22.0
built by gcc 7.3.0 (GCC)
built with OpenSSL 1.0.2zg-fips 7 Feb 2023 (running with OpenSSL 1.0.2zg 7 Feb 2023)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --add-module=njs-0.7.5/nginx --with-http_ssl_module --with-pcre --with-ipv6 --with-stream --with-http_auth_request_module --with-http_sub_module --with-http_stub_status_module --with-http_v2_module --user=nginx --group=nginx
root@ph3dev:~ # nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
--
Shedi
Thanks for the response Sergey A. Osokin.
The problem is these temp locations are configurable parameters. So, from a spec file perspective it's hard to fetch these parameters and change the permissions.
As nginx is already doing the task of changing permission of top directory, is there any problem doing the same recursively?
Sorry, I'm using outlook so I don't know how to reply below your message, so it's a bit difficult. Apologies for that.
--
Shedi
Hi Shedi,
On Fri, Mar 17, 2023 at 05:13:24AM +0000, Shreenidhi Shedi wrote:
> Thanks for the response Sergey A. Osokin.
>
> The problem is these temp locations are configurable parameters.
> So, from a spec file perspective it's hard to fetch these parameters
> and change the permissions.
>
> As nginx is already doing the task of changing permission of top
> directory, is there any problem doing the same recursively?
I don't think I see a specific reason for nginx to do that, because
that may cause a delay with its start, but it's definitely
possible to:
o) implement a specific logic and rebuild nginx binary, also raise
a request in https://trac.nginx.org/ and submit a patch;
o) use a directory other than /etc/nginx for temporary files, for
example /var/tmp/nginx, see ./configure output for details
Hope that helps.
Thank you.
--
Sergey A. Osokin
Thanks for the inputs, but if the user has different paths configured for these temp files in nginx.conf, then again this permission issue pops up. I also referred to the Fedora nginx spec file and considered this possibility, but it's a bit complex on an already configured and running server instance.
I have created a bug at https://trac.nginx.org/nginx/ticket/2469 and submitted a patch, please review it when you get time.
--
Shedi
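
The workaround discussed in this thread, a script that repairs ownership below the temp directories wherever they are configured, written out as an added example; it is not code from any message above or from nginx. The function names and the sample proxy_temp_path override are made up for illustration; the directive and ./configure flag names are nginx's own.

```shell
#!/bin/sh
# Added example (not from the thread): report and repair entries that still
# belong to the old worker user below nginx temp directories.

# Candidate temp directories. $1 = text of `nginx -V 2>&1`, $2 = text of
# `nginx -T`. Per module: every *_temp_path value in the configuration plus the
# compile-time default (./configure flag, else <prefix>/<name>_temp).
nginx_temp_dirs() {
    args=$(printf '%s\n' "$1" | tr ' ' '\n')
    prefix=$(printf '%s\n' "$args" | sed -n 's/^--prefix=//p')
    prefix=${prefix:-/usr/local/nginx}
    for name in client_body proxy fastcgi uwsgi scgi; do
        flag=$(printf '%s' "$name" | tr _ -)
        def=$(printf '%s\n' "$args" | sed -n "s/^--http-${flag}-temp-path=//p")
        conf=$(printf '%s\n' "$2" |
            awk -v d="${name}_temp_path" '$1 == d { sub(/;$/, "", $2); print $2 }')
        # Word splitting below: paths containing whitespace are not handled.
        for dir in ${def:-${name}_temp} $conf; do
            case $dir in /*) ;; *) dir="$prefix/$dir" ;; esac
            printf '%s\n' "$dir"
        done
    done | sort -u
}

# Entries under $1 not owned by user $2 (name or numeric uid). find does not
# follow symlinks by default; -xdev keeps it on one filesystem.
misowned() {
    [ -d "$1" ] || return 0
    find "$1" -xdev ! -user "$2" -print
}

# Run as root. chown -h changes a symlink itself rather than its target; the
# group is left alone, like the chown(path, uid, -1) calls in the strace.
fix_ownership() {
    [ -d "$1" ] || return 0
    find "$1" -xdev ! -user "$2" -exec chown -h "$2" {} +
}

# Constructed sample input: -V is trimmed from the thread's output, the
# proxy_temp_path override is invented for the demo.
sample_V() { echo 'configure arguments: --prefix=/etc/nginx --user=nginx --group=nginx'; }
sample_T() {
    printf '%s\n' 'http {' '    #client_body_temp_path /tmp/x;' \
        '    proxy_temp_path /var/cache/nginx/proxy 1 2;' '}'
}

# With a user name: audit the live server, add --fix to chown as well.
# Without arguments: print the directories derived from the sample input.
if [ $# -ge 1 ]; then
    nginx_temp_dirs "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)" |
    while IFS= read -r dir; do
        misowned "$dir" "$1"
        if [ "${2:-}" = --fix ]; then fix_ownership "$dir" "$1"; fi
    done
else
    nginx_temp_dirs "$(sample_V)" "$(sample_T)"
fi
```

Running the report first shows how many entries a recursive chown would touch, which is also a rough measure of the start-up delay mentioned above if nginx did this itself.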