Bug 1371767

Summary: Cannot launch rh-nginx18 nginx master process as non-root user
Product: Red Hat Software Collections
Reporter: Ryan Sawhill <rsawhill>
Component: rh-nginx18
Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED EOL
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: medium
Priority: medium
Version: rh-nginx18
CC: bperkins, dmulford, jkaluza, luhliari, pragshar, qe-baseos-apps, rsawhill
Hardware: Unspecified
OS: Unspecified
Clone Of: 1371626
Last Closed: 2018-12-03 09:19:08 UTC
Type: Bug
Attachments: sample tmp nginx.conf

Description Ryan Sawhill 2016-08-31 03:46:11 UTC
Created attachment 1196160
sample tmp nginx.conf

+++ This bug was initially created as a clone of Bug #1371626 +++

DESCRIPTION OF PROBLEM:
Due to configure arguments, non-root users cannot run nginx.
Of course nginx has the user directive (http://nginx.org/en/docs/ngx_core_module.html#user) to configure worker process user & group but non-root users directly launching unprivileged nginx instances is a legitimate use-case that nginx is designed to support.

Version-Release number of selected component (if applicable):
nginx 1.8.1-1.el7 (or el6)

HOW REPRODUCIBLE:
Always

STEPS TO REPRODUCE:
1. yum install rh-nginx18
2. Save minimal conf file from https://www.exratione.com/2014/03/running-nginx-as-a-non-root-user/ to /tmp/nginx.conf and then delete the mime.types line -- `sed -i /mime/d /tmp/nginx.conf`
     (Alternatively, download attached config which is the same)
3. Notice that the config appropriately resets pid & access_log & error_log and others to /tmp/xxx
4. Try executing as a non-root user
   useradd webperson
   su - webperson
   scl enable rh-nginx18 -- nginx -c /tmp/nginx.conf

ACTUAL RESULTS:
[webperson@a72 ~]$ scl enable rh-nginx18 -- nginx -c /tmp/nginx.conf
nginx: [alert] could not open error log file: open() "/var/opt/rh/rh-nginx18/log/nginx/error.log" failed (13: Permission denied)
2016/08/30 23:16:25 [emerg] 2695#0: mkdir() "/var/opt/rh/rh-nginx18/lib/nginx/tmp/proxy" failed (13: Permission denied)

EXPECTED RESULTS:
nginx should start up, daemonize, spawn worker processes, and begin handling requests, having never tried to open anything in /var/opt/rh. Should be able to see processes with `ps -FC nginx` or `lsof -c nginx`.

ADDITIONAL INFO:
The error_log option doesn't seem to be overriding the --error-log-path option as it should according to the nginx documentation (https://www.nginx.com/resources/wiki/start/topics/tutorials/installoptions). Same goes for the --http-proxy-temp-path option. Interestingly, if you run this same config as root and then look at lsof, no /var/opt/rh files are opened -- you can see the access & error logs open in /tmp, e.g.:

~~~
[root@a72 tmp]# scl enable rh-nginx18 -- nginx -c /tmp/nginx.conf
[root@a72 tmp]# lsof -c nginx | egrep '/tmp|/opt'
nginx   2895  root  cwd   DIR  253,0     4096 50331777 /tmp
nginx   2895  root  txt   REG  253,0  2318776 18074163 /opt/rh/rh-nginx18/root/usr/sbin/nginx
nginx   2895  root    2w  REG  253,0        0 51325837 /tmp/error.log
nginx   2895  root    4w  REG  253,0        0 51325837 /tmp/error.log
nginx   2895  root    5w  REG  253,0        0 51325838 /tmp/access.log
nginx   2896 nginx  cwd   DIR  253,0     4096 50331777 /tmp
nginx   2896 nginx  txt   REG  253,0  2318776 18074163 /opt/rh/rh-nginx18/root/usr/sbin/nginx
nginx   2896 nginx    2w  REG  253,0        0 51325837 /tmp/error.log
nginx   2896 nginx    4w  REG  253,0        0 51325837 /tmp/error.log
nginx   2896 nginx    5w  REG  253,0        0 51325838 /tmp/access.log
~~~

Here is the nginx -V output:

~~~
[root@a72 tmp]# scl enable rh-nginx18 -- nginx -V
nginx version: nginx/1.8.1
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/opt/rh/rh-nginx18/root/usr/share/nginx --sbin-path=/opt/rh/rh-nginx18/root/usr/sbin/nginx --conf-path=/etc/opt/rh/rh-nginx18/nginx/nginx.conf --error-log-path=/var/opt/rh/rh-nginx18/log/nginx/error.log --http-log-path=/var/opt/rh/rh-nginx18/log/nginx/access.log --http-client-body-temp-path=/var/opt/rh/rh-nginx18/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/opt/rh/rh-nginx18/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/opt/rh/rh-nginx18/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/opt/rh/rh-nginx18/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/opt/rh/rh-nginx18/lib/nginx/tmp/scgi --pid-path=/var/opt/rh/rh-nginx18/run/nginx/nginx.pid --lock-path=/var/opt/rh/rh-nginx18/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_spdy_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-pcre --add-module=./passenger-4.0.50/ext/nginx --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
~~~
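
A preflight check for the situation reported above, as an added example that is not part of the original bug report or of the rh-nginx18 package: it pulls every `--*-path=` value out of `nginx -V` output and reports which of those compiled-in paths the current user could neither write nor create. The function names and `SAMPLE_V` (abridged from the `-V` output above) are hypothetical.

```shell
#!/bin/sh
# Added example: list the paths compiled into an nginx binary and flag the
# ones the invoking (unprivileged) user cannot write or create.

# Constructed sample: a subset of the configure arguments shown in this report.
SAMPLE_V="configure arguments: --prefix=/opt/rh/rh-nginx18/root/usr/share/nginx --error-log-path=/var/opt/rh/rh-nginx18/log/nginx/error.log --http-proxy-temp-path=/var/opt/rh/rh-nginx18/lib/nginx/tmp/proxy --pid-path=/var/opt/rh/rh-nginx18/run/nginx/nginx.pid --user=nginx --with-debug"

# compiled_paths: read `nginx -V` text on stdin and print "option path"
# for every --*-path=... configure argument.
compiled_paths() {
    grep '^configure arguments:' | tr ' ' '\n' |
        sed -n 's/^--\([a-z-]*-path\)=\(.*\)$/\1 \2/p'
}

# can_write: succeed if the path exists and is writable, or if it does not
# exist but its nearest existing ancestor directory is writable and
# searchable (so the missing components could be created).
can_write() {
    p=$1
    if [ -e "$p" ]; then [ -w "$p" ]; return; fi
    while [ ! -d "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        p=$(dirname "$p")
    done
    [ -w "$p" ] && [ -x "$p" ]
}

# preflight: one line per compiled-in path, marked ok or DENIED for the
# user running the script.
preflight() {
    compiled_paths | while read -r opt path; do
        if can_write "$path"; then state=ok; else state=DENIED; fi
        printf '%-26s %-7s %s\n' "$opt" "$state" "$path"
    done
}

# Real use (nginx -V writes to stderr):
#   scl enable rh-nginx18 -- nginx -V 2>&1 | preflight
# Here it runs against the constructed sample so the block works offline.
printf '%s\n' "$SAMPLE_V" | preflight
```

Run it as the account that will launch nginx; each DENIED line is a compiled-in default that has to be writable by that account or overridden in the config file.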

Comment 5 Joe Orton 2018-10-01 09:16:56 UTC
Red Hat does not currently plan to provide any further changes to this collection in a Red Hat Software Collections update release.

This software collection is nearing the retirement date (November 2018) after which customers are encouraged to upgrade to a later release.

Please contact Red Hat Support if you have further questions, or refer to the support lifecycle page for more information. https://access.redhat.com/support/policy/updates/rhscl/

Comment 6 Joe Orton 2018-12-03 09:19:08 UTC
In accordance with the Red Hat Software Collections Product Life Cycle, the support period for this collection has ended.

New bug fix, enhancement, and security errata updates, as well as technical support services will no longer be made available for this collection.

Customers are encouraged to upgrade to a later release.

Please contact Red Hat Support if you have further questions, or refer to the support lifecycle page for more information. https://access.redhat.com/support/policy/updates/rhscl/