Bug 1371626

Summary: Cannot run nginx16 as non-root user
Product: Red Hat Software Collections Reporter: David Mulford <dmulford>
Component: nginx16Assignee: Jan Kaluža <jkaluza>
Status: CLOSED EOL QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: nginx16CC: rsawhill
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1371767 (view as bug list) Environment:
Last Closed: 2017-03-31 15:02:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
sample nginx.conf none

Description David Mulford 2016-08-30 16:16:39 UTC 
Created attachment 1196011 [details]
sample nginx.conf

Description of problem:
Due to configure arguments, a user cannot completely run nginx as a non-root user.

Version-Release number of selected component (if applicable):
nginx 1.6.2

How reproducible:
Always

Steps to Reproduce:
1. Enable Red Hat Software Collections repository
2. Install with "yum install -y nginx16"
3. Use the attached nginx.conf file and run "/opt/rh/nginx16/root/sbin/nginx -c /tmp/nginx.conf" as a non-privileged user.

Actual results:
$ /opt/rh/nginx16/root/sbin/nginx -c /tmp/nginx.conf
nginx: [alert] could not open error log file: open() "/var/log/nginx16/error.log" failed (13: Permission denied)
2016/08/30 12:10:37 [emerg] 13899#0: mkdir() "/opt/rh/nginx16/root/var/lib/nginx/tmp/client_body" failed (13: Permission denied)

Expected results:
nginx should startup, spawn worker processes and begin handling requests.

Additional info:
The error_log option doesn't seem to be overriding the --error-log-path option as it should according to the nginx documentation [1]. Same goes for the --http-proxy-temp-path option.

Here is the nginx -V output:

nginx version: nginx/1.6.2
TLS SNI support enabled
configure arguments: --prefix=/opt/rh/nginx16/root/usr/share/nginx --sbin-path=/opt/rh/nginx16/root/usr/sbin/nginx --conf-path=/opt/rh/nginx16/root/etc/nginx/nginx.conf --error-log-path=/var/log/nginx16/error.log --http-log-path=/var/log/nginx16/access.log --http-client-body-temp-path=/opt/rh/nginx16/root/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/opt/rh/nginx16/root/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/opt/rh/nginx16/root/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/opt/rh/nginx16/root/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/opt/rh/nginx16/root/var/lib/nginx/tmp/scgi --pid-path=/opt/rh/nginx16/root/var/run/nginx/nginx.pid --lock-path=/opt/rh/nginx16/root/var/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_spdy_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-pcre --add-module=./passenger-4.0.50/ext/nginx --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

[1] https://www.nginx.com/resources/wiki/start/topics/tutorials/installoptions
Comment 1 David Mulford 2016-08-30 16:17:33 UTC 
The same is also true for rh-nginx18.
Comment 2 Ryan Sawhill 2016-08-31 03:48:06 UTC 
As nginx16 is being retired in October (https://access.redhat.com/support/policy/updates/rhscl/), I created a new rh-nginx18 bug for this:

Bug 1371767 - Cannot launch rh-nginx18 nginx master process as non-root user
Comment 3 Joe Orton 2016-10-12 12:52:33 UTC 
Red Hat does not currently plan to provide any further changes to this collection in a Red Hat Software Collections update release.

This software collection is nearing the retirement date (October 2016) after which customers are encouraged either to upgrade to a later release or continue on as self-supported without official Red Hat Support.

Please contact Red Hat Support if you have further questions, or refer to the support lifecycle page for more information. https://access.redhat.com/support/policy/updates/rhscl/
Comment 4 Joe Orton 2017-03-31 15:02:02 UTC 
In accordance with the Red Hat Software Collections Product Life Cycle, the support period for this collection has ended.

New bug fix, enhancement, and security errata updates, as well as technical support services will no longer be made available for this collection.

Customers are encouraged to upgrade to a later release.

Please contact Red Hat Support if you have further questions, or refer to the support lifecycle page for more information. https://access.redhat.com/support/policy/updates/rhscl/