Run nginx as a non-root user

Question

I followed this process to installing nginx on my Ubuntu 10.04 Lucid Server http://library.linode.com/web-servers/nginx/installation/ubuntu-10.04-lucid

I got lost after the point of creating an init script to start nginx, and then calling /etc/init.d/nginx start. When I did that, I got the following error:

Starting nginx_main: Starting /opt/nginx/sbin/nginx...
nginx: [alert] could not open error log file: open() "/opt/nginx/logs/error.log" failed (13: Permission denied)
2012/03/16 18:17:27 [emerg] 859#0: open() "/opt/nginx/logs/access.log" failed (13: Permission denied)

The only way I can run it is if I use sudo and it runs the process as root, which is what I don't want.

I've chown'd the entire directory (chown -R nginx:nginx /opt/nginx) and I've also chmod -R 755 the directory as well.

Adding the user directive as suggested by CS3 also gives me this error, but with an additional line.

Starting nginx_main: Starting /opt/nginx/sbin/nginx...
nginx: [alert] could not open error log file: open() "/opt/nginx/logs/error.log" failed (13: Permission denied)
2012/03/16 18:48:34 [warn] 1606#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /opt/nginx/conf/nginx.conf:2
2012/03/16 18:48:34 [emerg] 1606#0: open() "/opt/nginx/logs/access.log" failed (13: Permission denied)

Any ideas?

`and I've also chmod -R 755 the directory as well` Keep doing this and you'll pay a price for it eventually. It's scary to witness how many people there are on the internet suggesting this as a first port of call to "fix" any problem. Unix won't give friendly feedback if you do something moronic. — , Jul 10 '13 at 20:44
If you got same error on **Nginx in Kubernetes**, try to use `bitnami/nginx` image, it is rootless! See more details here: https://github.com/openshift/openshift-docs/issues/1533 — Noam Manos, Apr 22 '20 at 20:35

score 10 · Accepted Answer · answered Mar 16 '12 at 05:58

10

First of all, init scripts are supposed to be run

sudo /etc/init.d/name

when you are not logged in as root( when logged-in user is sudo enabled)

Secondly, when you run sudo /etc/init.d/nginx start ==> it fires the master nginx process as root and worker processes as the user you specified in your nginx.conf user directive(eg. www-data)

Can you confirm if all your process under nginx as being run by root when issuing sudo /etc/init.d/nginx start ?

with

ps aux | grep [n]ginx

eg.

enter image description here

Suggestion: Ubuntu 10.04 LTS has excellent ubuntu package support from nginx team. So, why bother installing from source if you do not have requirement for custom module inside nginx ?

Consult here

The binary package already comes with pretty much needed modules

nginx version: nginx/1.0.12
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.0.12/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.0.12/debian/modules/nginx-upstream-fair

answered Mar 16 '12 at 05:58

kaji

2,510
16
17

The worker process I have has an ID, not a name. Any chance that's the nginx user ID? I'm pretty new to Ubuntu. I didn't know the apt package had all these flags turned on. How'd you find that out? – John Mar 16 '12 at 08:34
have you checked if the user you specified in your nginx.conf exist or not ? Official repo does not have this Nginx ! Please use PPA from specified URL – kaji Mar 16 '12 at 09:04
I used a different username which is longer than the 8 character limit. That's why the User ID is being shown, right? – John Mar 16 '12 at 09:21
yeah that is one scenario – kaji Mar 16 '12 at 11:35
Yeah, I just checked /etc/passwd and that's the nginx user's ID. Thanks for the help. I still couldn't find where you found the compile options for the apt package. I checked PPA but I don't know what I'm looking for. Could you help me out? – John Mar 16 '12 at 23:39
the compilation flags came with it. What i meant was the most needed things are already compiled into PPA Nginx – kaji Mar 17 '12 at 01:49
Thanks, Kaji. Yes, I understood that. I was just wondering where I could find those compilation flags were being used - just for reference sake. – John Mar 17 '12 at 02:08
I am not using all of them :) actually only using bunch of them. This is the problem with binary packages that you need to keep even unneeded stuff from original packager. Find out which module does what from here http://wiki.nginx.org/Modules – kaji Mar 17 '12 at 02:21
Awesome. Thanks Kaji. :) How did you find out which modules were being included by the apt package? For example, SSL is an optional module, and what you listed above shows that the apt package includes it. To get to the point, where did you find that string of `configure arguments`? – John Mar 17 '12 at 04:20
1

nginx -V is your answer – kaji Mar 17 '12 at 04:25
let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/2804/discussion-between-john-and-kaji) – John Mar 17 '12 at 04:41

score 2 · Answer 2 · answered Mar 16 '12 at 05:26

2

Add the user directive inside nginx.conf

Reference: http://wiki.nginx.org/CoreModule#user

answered Mar 16 '12 at 05:26

Shyam Sundar C S

1,063
8
12

1

Sorry, could you be more specific? I've done that already to no avail. – John Mar 16 '12 at 05:42
Running anything between ports 1 to 1024 requires root privileges. User directive ensures that nginx runs as non root user for secruity reasons. – Shyam Sundar C S Mar 16 '12 at 06:06
Also, for the logs to be opened and written, nginx directory should be chown'd to user from which you are trying to run. – Shyam Sundar C S Mar 16 '12 at 06:23

score 1 · Answer 3 · answered Jul 19 '15 at 10:07

1

My 5 kopek regarding this

nginx -V 2>&1 | sed 's/ --/\n--/g' | grep path

.. will get you all other pathes, that you should override in custom provided config or with "-g" option.

answered Jul 19 '15 at 10:07

gaRex

386
3
6

The following command shows all lines from the output, and highlights those containing the term 'path': `nginx -V 2>&1 | sed 's/ --/\n--/g' | egrep --color '.*path.*|$'` – isedwards Mar 13 '17 at 14:20

score 0 · Answer 4 · answered Sep 14 '22 at 11:29

I met the same problem when trying to build a docker file

Just like on @kaji's screen my master process is owned by root and the child processes owned by www-data

It seems wrong to me but adding root to the www-data seems to have resolved the issue, it doubt very much this is best practice so I'll do a bit more research

sudo -E usermod -aG www-data root && newgrp www-data

score 0 · Answer 5 · answered Jun 18 '17 at 18:01

0

In my case there was a file reference missing in my nginx.conf:

error_log /var/log/nginx/error.log warn;

Became: error_log warn;

So I accidentaly deleted /var/log/nginx/error.log reference which caused a the permission denied error message.

answered Jun 18 '17 at 18:01

ilker

1

Run nginx as a non-root user

5 Answers5

Linked