Opened 11 years ago

Last modified 14 months ago

#376 accepted enhancement

Inconsistent log file handling — at Initial Version

Reported by: Tiziano Müller
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version:
Keywords:
Cc:
uname -a: Linux storm 3.9.0-gentoo #1 SMP PREEMPT Tue May 7 21:57:22 CEST 2013 x86_64 Intel(R) Core(TM) i7 CPU Q 820 @ 1.73GHz GenuineIntel GNU/Linux
nginx -V: nginx version: nginx/1.4.1
TLS SNI support enabled
configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --with-cc-opt=-I/usr/include --with-ld-opt=-L/usr/lib --http-log-path=/var/log/nginx/access_log --http-client-body-temp-path=//var/lib/nginx/tmp/client --http-proxy-temp-path=//var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=//var/lib/nginx/tmp/fastcgi --http-scgi-temp-path=//var/lib/nginx/tmp/scgi --http-uwsgi-temp-path=//var/lib/nginx/tmp/uwsgi --with-file-aio --with-aio_module --with-debug --with-ipv6 --with-pcre --with-pcre-jit --add-module=/var/tmp/paludis/www-servers-nginx-1.4.1-r5/work/nginx_syslog_patch-0.25 --with-http_addition_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_perl_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_spdy_module --with-http_stub_status_module --with-http_sub_module --with-http_xslt_module --with-http_realip_module --add-module=/var/tmp/paludis/www-servers-nginx-1.4.1-r5/work/nginx-upload-progress-module-0.9.0 --add-module=/var/tmp/paludis/www-servers-nginx-1.4.1-r5/work/headers-more-nginx-module-0.20 --add-module=/var/tmp/paludis/www-servers-nginx-1.4.1-r5/work/nginx_http_push_module-0.692 --add-module=/var/tmp/paludis/www-servers-nginx-1.4.1-r5/work/ngx_cache_purge-2.1 --add-module=/var/tmp/paludis/www-servers-nginx-1.4.1-r5/work/ngx_slowfs_cache-1.10 --add-module=/var/tmp/paludis/www-servers-nginx-1.4.1-r5/work/ngx-fancyindex-fd3950172a9e6595ad9ec68c11600e2afe6a2674 --add-module=/var/tmp/paludis/www-servers-nginx-1.4.1-r5/work/ngx_devel_kit-0.2.18 --add-module=/var/tmp/paludis/www-servers-nginx-1.4.1-r5/work/lua-nginx-module-0.8.1 
--add-module=/var/tmp/paludis/www-servers-nginx-1.4.1-r5/work/nginx_upstream_check_module-99f39394f387211641a1668d61faf2d5186ea1f5 --add-module=/var/tmp/paludis/www-servers-nginx-1.4.1-r5/work/ngx_metrics-0.1.1 --add-module=/var/tmp/paludis/www-servers-nginx-1.4.1-r5/work/naxsi-core-0.50/naxsi_src --add-module=/var/tmp/paludis/www-servers-nginx-1.4.1-r5/work/nginx-rtmp-module-0.9.20 --add-module=/var/tmp/paludis/www-servers-nginx-1.4.1-r5/work/nginx-dav-ext-module-0.0.2 --with-http_ssl_module --with-mail --with-mail_ssl_module --user=nginx --group=nginx

Description

When starting nginx, all the log files (error_log, access_log) are created and opened by the master process and the file handles are passed to the worker while forking.

On SIGUSR1 the master reopens the files, chowns them, and then the worker reopens the files itself. This has several drawbacks:

  • It is inconsistent behaviour and rather surprising (sudden change of ownership upon signal). If you really want to do it this way, you should chown the files from the very beginning.
  • It permits the unprivileged nginx user read and write access to the current log files, which is bad from the security perspective, since the unprivileged user also needs to be able to change into/read the log directory.

A better solution may be to reopen the log files in the master process as currently done and then use the already available ngx_{read,write}_channel functions to pass the new filehandles down to the worker.

Change History (0)
