Created attachment 1196160
sample tmp nginx.conf

+++ This bug was initially created as a clone of Bug #1371626 +++

DESCRIPTION OF PROBLEM:
Due to configure arguments, non-root users cannot run nginx. Of course nginx has the user directive (http://nginx.org/en/docs/ngx_core_module.html#user) to configure worker process user & group, but non-root users directly launching unprivileged nginx instances is a legitimate use-case that nginx is designed to support.

Version-Release number of selected component (if applicable):
nginx 1.8.1-1.el7 (or el6)

HOW REPRODUCIBLE:
Always

STEPS TO REPRODUCE:
1. yum install rh-nginx18
2. Save minimal conf file from https://www.exratione.com/2014/03/running-nginx-as-a-non-root-user/ to /tmp/nginx.conf and then delete the mime.types line -- `sed -i /mime/d /tmp/nginx.conf` (Alternatively, download attached config which is the same)
3. Notice that the config appropriately resets pid & access_log & error_log and others to /tmp/xxx
4. Try executing as a non-root user
   useradd webperson
   su - webperson
   scl enable rh-nginx18 -- nginx -c /tmp/nginx.conf

ACTUAL RESULTS:
[webperson@a72 ~]$ scl enable rh-nginx18 -- nginx -c /tmp/nginx.conf
nginx: [alert] could not open error log file: open() "/var/opt/rh/rh-nginx18/log/nginx/error.log" failed (13: Permission denied)
2016/08/30 23:16:25 [emerg] 2695#0: mkdir() "/var/opt/rh/rh-nginx18/lib/nginx/tmp/proxy" failed (13: Permission denied)

EXPECTED RESULTS:
nginx should start up, daemonize, spawn worker processes, and begin handling requests, having never tried to open anything in /var/opt/rh. Should be able to see processes with `ps -FC nginx` or `lsof -c nginx`.

ADDITIONAL INFO:
The error_log option doesn't seem to be overriding the --error-log-path option as it should according to the nginx documentation (https://www.nginx.com/resources/wiki/start/topics/tutorials/installoptions). Same goes for the --http-proxy-temp-path option.

Interestingly, if you run this same config as root and then look at lsof, no /var/opt/rh files are opened -- you can see the access & error logs open in /tmp, e.g.:

~~~
[root@a72 tmp]# scl enable rh-nginx18 -- nginx -c /tmp/nginx.conf
[root@a72 tmp]# lsof -c nginx | egrep '/tmp|/opt'
nginx 2895 root cwd DIR 253,0 4096 50331777 /tmp
nginx 2895 root txt REG 253,0 2318776 18074163 /opt/rh/rh-nginx18/root/usr/sbin/nginx
nginx 2895 root 2w REG 253,0 0 51325837 /tmp/error.log
nginx 2895 root 4w REG 253,0 0 51325837 /tmp/error.log
nginx 2895 root 5w REG 253,0 0 51325838 /tmp/access.log
nginx 2896 nginx cwd DIR 253,0 4096 50331777 /tmp
nginx 2896 nginx txt REG 253,0 2318776 18074163 /opt/rh/rh-nginx18/root/usr/sbin/nginx
nginx 2896 nginx 2w REG 253,0 0 51325837 /tmp/error.log
nginx 2896 nginx 4w REG 253,0 0 51325837 /tmp/error.log
nginx 2896 nginx 5w REG 253,0 0 51325838 /tmp/access.log
~~~

Here is the nginx -V output:

~~~
[root@a72 tmp]# scl enable rh-nginx18 -- nginx -V
nginx version: nginx/1.8.1
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/opt/rh/rh-nginx18/root/usr/share/nginx --sbin-path=/opt/rh/rh-nginx18/root/usr/sbin/nginx --conf-path=/etc/opt/rh/rh-nginx18/nginx/nginx.conf --error-log-path=/var/opt/rh/rh-nginx18/log/nginx/error.log --http-log-path=/var/opt/rh/rh-nginx18/log/nginx/access.log --http-client-body-temp-path=/var/opt/rh/rh-nginx18/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/opt/rh/rh-nginx18/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/opt/rh/rh-nginx18/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/opt/rh/rh-nginx18/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/opt/rh/rh-nginx18/lib/nginx/tmp/scgi --pid-path=/var/opt/rh/rh-nginx18/run/nginx/nginx.pid --lock-path=/var/opt/rh/rh-nginx18/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_spdy_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-pcre --add-module=./passenger-4.0.50/ext/nginx --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
~~~
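An added example, not part of the original report or of the nginx packaging: a Python check that pairs each compiled-in path from `nginx -V` with the nginx.conf directive that replaces it and shows which defaults a given config leaves in place. The `nginx -V` text is abridged from the report; the sample config is constructed for the example and is not the attachment.

```python
import re
import shlex

# configure flag -> nginx.conf directive that replaces the compiled-in path
OVERRIDES = {
    "--error-log-path": "error_log", "--http-log-path": "access_log",
    "--pid-path": "pid", "--lock-path": "lock_file",
    "--http-client-body-temp-path": "client_body_temp_path",
    "--http-proxy-temp-path": "proxy_temp_path",
    "--http-fastcgi-temp-path": "fastcgi_temp_path",
    "--http-uwsgi-temp-path": "uwsgi_temp_path",
    "--http-scgi-temp-path": "scgi_temp_path",
}

# Abridged from the `nginx -V` output quoted in the report.
SAMPLE_V = (
    "nginx version: nginx/1.8.1\n"
    "configure arguments:"
    " --error-log-path=/var/opt/rh/rh-nginx18/log/nginx/error.log"
    " --http-proxy-temp-path=/var/opt/rh/rh-nginx18/lib/nginx/tmp/proxy"
    " --pid-path=/var/opt/rh/rh-nginx18/run/nginx/nginx.pid"
    " --with-debug --with-cc-opt='-O2 -g -pipe -Wall'\n"
)

# Constructed config for this example (not the attachment from the report).
SAMPLE_CONF = """pid /tmp/nginx.pid;
error_log /tmp/error.log;  # per-user log
events { worker_connections 1024; }
http { access_log /tmp/access.log; server { listen 8080; } }
"""

def compiled_paths(nginx_v_output):
    """{flag: path} for the path-type flags in `nginx -V` output."""
    m = re.search(r"configure arguments:(.*)", nginx_v_output, re.S)
    pairs = (a.partition("=") for a in shlex.split(m.group(1) if m else ""))
    return {flag: path for flag, _, path in pairs if flag in OVERRIDES}

def config_directives(conf_text):
    """{directive: first argument}; comments stripped, blocks flattened."""
    found = {}
    for stmt in re.split(r"[;{}]", re.sub(r"#[^\n]*", "", conf_text)):
        parts = stmt.split()
        if len(parts) >= 2:
            found.setdefault(parts[0], parts[1])
    return found

def audit(nginx_v_output, conf_text):
    """[(flag, compiled path, directive, configured value or None)]."""
    conf = config_directives(conf_text)
    return [(f, p, OVERRIDES[f], conf.get(OVERRIDES[f]))
            for f, p in compiled_paths(nginx_v_output).items()]
```

`nginx -V` writes to stderr, so capture it with `2>&1` before passing it in. A `None` in the last column only means the directive is absent from the text given; `include` files are not followed.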
Red Hat does not currently plan to provide any further changes to this collection in a Red Hat Software Collections update release. This software collection is nearing the retirement date (November 2018) after which customers are encouraged to upgrade to a later release. Please contact Red Hat Support if you have further questions, or refer to the support lifecycle page for more information. https://access.redhat.com/support/policy/updates/rhscl/
In accordance with the Red Hat Software Collections Product Life Cycle, the support period for this collection has ended. New bug fix, enhancement, and security errata updates, as well as technical support services will no longer be made available for this collection. Customers are encouraged to upgrade to a later release. Please contact Red Hat Support if you have further questions, or refer to the support lifecycle page for more information. https://access.redhat.com/support/policy/updates/rhscl/