
I've just installed nginx on an Arch Linux box and encountered this problem:

Nginx is configured to run as "nginx", a new user/group that I added, in /etc/nginx/nginx.conf:

user nginx nginx;

To double-check:

$ ps aux | grep nginx
nginx     9678  0.0  0.5  28472  2856 ?        S    17:37   0:00 nginx: worker process
nginx     9679  0.0  0.5  28472  2856 ?        S    17:37   0:00 nginx: worker process
root     31912  0.0  0.6  28084  3364 ?        Ss   17:24   0:00 nginx: master process /usr/bin/nginx -g pid /run/nginx.pid; error_log stderr;

The root of the server is at:

    location / {
            root   /home/lamnk/sites/host.com;
            index  index.html index.htm;
    }

and the owner of the file is set to nginx too:

$ ls -la /home/lamnk/sites/host.com
total 12
drwxr-xr-x 2 lamnk http  4096 Jan 12 09:37 .
drwxr-xr-x 3 lamnk users 4096 Jan 12 09:36 ..
-rw-r--r-- 1 nginx nginx   21 Jan 12 09:37 index.html

When I go to host.com, I get a 403 Forbidden error. In the error.log:

2016/01/12 17:28:23 [error] 31914#0: *2 open() "/home/lamnk/sites/host.com/index.html" failed (13: Permission denied), client: 171.233.242.40, server: host.com, request: "GET /index.html HTTP/1.1", host: "host.com"

But when I change nginx to run as my own username lamnk, nginx returns the content correctly, without any other changes to file permissions. What gives?

EDIT: the permissions on parent directories:

$ namei -l /home/lamnk/sites/host.com
f: /home/lamnk/sites/host.com
drwxr-xr-x root  root  /
drwxr-xr-x root  root  home
drwx------ lamnk users lamnk
drwxr-xr-x lamnk users sites
drwxr-xr-x lamnk http  host.com
Lamnk

1 Answer


The nginx user is not able to traverse the filesystem to reach the folder where you have placed your site. A user must have the execute (+x) permission on a folder in order to be able to traverse it. From your permission information, drwx------ lamnk users lamnk shows that only the directory's owner has the right to read, write, and execute on the folder. Therefore, nginx cannot access that folder or any subfolders thereof unless it is run as that user.

You should grant execute rights on /home/lamnk with chmod og+x /home/lamnk so that users other than yourself are allowed to traverse the folder. Without read rights, they still cannot list or read the contents of that folder, and without write rights they cannot make any changes to the contents; so there is no security risk to this, and it is necessary if you want to have subfolders of your home directory which are visible to other users, such as the nginx user. The mask you're looking to see on that folder would be drwx--x--x.

Carcer
  • I've added the permissions setting on parent directories in my question. But it still doesn't explain why nginx runs fine under my user `lamnk`, and does not under its own user `nginx`? – Lamnk Jan 12 '16 at 18:09
  • Only the user lamnk is allowed to go into your home directory. You have to make sure nginx is allowed to read and execute /home/lamnk – Sven Jan 12 '16 at 18:16
  • Yes, it does. Your permissions show that only your user has the right to do anything in /home/lamnk. You will need to give nginx execute rights to that directory in order that it can access subfolders. I was incorrect when I first said it needed read rights; nginx only needs to be able to execute on the folder to be able to traverse it. Read rights are only necessary on the files you actually want to serve. – Carcer Jan 12 '16 at 18:17
  • So we're clear, to state it explicitly, when you run nginx as lamnk, it has the execute right on /home/lamnk so it can traverse that directory without issue. When you run it as nginx, it does not have the necessary permission (as only lamnk is allowed to execute on /home/lamnk) and therefore it fails. Give the nginx user execute on /home/lamnk, i.e. with `chmod o+x /home/lamnk`, and it will be able to traverse the directory, and therefore your site will start working. – Carcer Jan 12 '16 at 18:29
  • I have rewritten my answer to hopefully be somewhat clearer and more complete now we know what the issue is. – Carcer Jan 12 '16 at 18:40
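The traversal rule in the answer (every directory on the path needs the execute bit for the requesting user, and only the final file needs the read bit) can be checked mechanically from the `namei -l` listing in the question. The script below is an added example, not code from the question or the answer: it parses the listing, picks the owner/group/other triplet that applies to a given user and group set, reports the first component that denies access, and then models the suggested `chmod og+x /home/lamnk` to show the path opening up. The `index.html` line is constructed from the `ls -la` output on the page; the user names, groups and the `NAMEI_OUTPUT` sample are taken from the question, and the function names are this example's own.

```python
"""Diagnose which path component blocks a user, from `namei -l` style output."""
from dataclasses import dataclass

# Constructed sample input: the `namei -l` listing from the question, extended with
# the index.html line built from the question's `ls -la` output.
NAMEI_OUTPUT = """\
f: /home/lamnk/sites/host.com/index.html
drwxr-xr-x root  root  /
drwxr-xr-x root  root  home
drwx------ lamnk users lamnk
drwxr-xr-x lamnk users sites
drwxr-xr-x lamnk http  host.com
-rw-r--r-- nginx nginx index.html
"""


@dataclass
class Entry:
    mode: str    # symbolic mode, e.g. "drwxr-xr-x"
    owner: str
    group: str
    name: str


def parse_namei(text):
    """Turn `namei -l` output into Entry objects, skipping the 'f:' header line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("f:"):
            continue
        mode, owner, group, name = line.split(None, 3)
        entries.append(Entry(mode, owner, group, name))
    return entries


def permits(entry, user, groups, perm):
    """Does `user` (member of `groups`) hold permission `perm` ('r', 'w' or 'x')?

    Unix picks exactly one triplet: owner if the uid matches, else group if any
    of the user's groups matches, else other. It does not fall through.
    """
    idx = {"r": 0, "w": 1, "x": 2}[perm]
    if user == entry.owner:
        triplet = entry.mode[1:4]
    elif entry.group in groups:
        triplet = entry.mode[4:7]
    else:
        triplet = entry.mode[7:10]
    bit = triplet[idx]
    if perm == "x":
        # lower-case s/t mean set-id/sticky with execute; upper-case means without
        return bit in ("x", "s", "t")
    return bit != "-"


def first_denied(entries, user, groups):
    """Return (component, reason) for the first component the user cannot pass,
    or None when every directory is traversable and the final file is readable."""
    *dirs, leaf = entries
    for d in dirs:
        if not permits(d, user, groups, "x"):
            return (d.name, "no execute (search) bit for this user")
    if not permits(leaf, user, groups, "r"):
        return (leaf.name, "no read bit for this user")
    return None


def apply_og_x(entry):
    """Model `chmod og+x` on one entry: set the execute bit for group and other."""
    bits = list(entry.mode)
    for i in (6, 9):                      # group x, other x
        bits[i] = {"-": "x", "S": "s", "T": "t"}.get(bits[i], bits[i])
    return Entry("".join(bits), entry.owner, entry.group, entry.name)


def diagnose(user, groups, fix_home=False):
    """Run the check against the sample listing, optionally after `chmod og+x` on lamnk."""
    entries = parse_namei(NAMEI_OUTPUT)
    if fix_home:
        entries = [apply_og_x(e) if e.name == "lamnk" else e for e in entries]
    return first_denied(entries, user, groups)


if __name__ == "__main__":
    print("as lamnk:          ", diagnose("lamnk", {"users"}))
    print("as nginx:          ", diagnose("nginx", {"nginx"}))
    print("as nginx after fix:", diagnose("nginx", {"nginx"}, fix_home=True))
```

Running it shows the same asymmetry the question describes: as lamnk the walk succeeds, as nginx it stops at the `lamnk` home directory, and after modelling `chmod og+x` on that directory it succeeds again even though `index.html` and `host.com` were never touched.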