Opened 7 months ago

Closed 7 months ago

#1898 closed defect (duplicate)

Owner of directories *_temp changed when tested config

Reported by: Maxim Kozin
Owned by:
Priority: minor
Milestone:
Component: other
Version: 1.17.x
Keywords:
Cc:
uname -a: Linux b6a22a760398 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.17.6
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1c 28 May 2019 (running with OpenSSL 1.1.1d 10 Sep 2019)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.17.6/debian/debuild-base/nginx-1.17.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

Nginx is started in Docker as:

root@b6a22a760398:/# ps axuww
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.5  10628  5504 pts/0    Ss+  13:59   0:00 nginx: master process nginx -g daemon off;
nginx        6  0.0  0.2  11084  2568 pts/0    S+   13:59   0:00 nginx: worker process

All _temp dirs are created on start and owned by nginx:

root@b6a22a760398:/# ls -la /var/cache/nginx/
total 28
drwxr-xr-x 1 root  root 4096 Dec  7 14:06 .
drwxr-xr-x 1 root  root 4096 Nov 23 01:12 ..
drwx------ 2 nginx root 4096 Dec  7 14:06 client_temp
drwx------ 2 nginx root 4096 Dec  7 14:06 fastcgi_temp
drwx------ 2 nginx root 4096 Dec  7 14:06 proxy_temp
drwx------ 2 nginx root 4096 Dec  7 14:06 scgi_temp
drwx------ 2 nginx root 4096 Dec  7 14:06 uwsgi_temp

1) Change the user in the config to any existing one:

root@b6a22a760398:/# diff -uN  /etc/nginx/nginx.conf.ORIG /etc/nginx/nginx.conf
--- /etc/nginx/nginx.conf.ORIG 2019-12-07 14:12:53.076893000 +0000
+++ /etc/nginx/nginx.conf 2019-12-07 14:14:47.576010000 +0000
@@ -1,5 +1,5 @@

-user  nginx;
+user  irc;
 worker_processes  1;

 error_log  /var/log/nginx/error.log warn;
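
Review bot: the added line `user  irc;` reuses an existing system account that was not created for nginx, so the *_temp directories listed above, and any request bodies buffered in them, end up owned by a UID that something else also uses. For the reproduction, a dedicated and otherwise unused account shows the same ownership change without that overlap.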

2) Just check the config file, or check and dump it:

root@b6a22a760398:/# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@b6a22a760398:/# echo $?
0

3) We have broken the running nginx instance, because the owner of the _temp dirs changed to the new user while the process is still running as the old user:

root@b6a22a760398:/# ls -la /var/cache/nginx/
total 28
drwxr-xr-x 1 root root 4096 Dec  7 14:06 .
drwxr-xr-x 1 root root 4096 Nov 23 01:12 ..
drwx------ 2 irc  root 4096 Dec  7 14:06 client_temp
drwx------ 2 irc  root 4096 Dec  7 14:06 fastcgi_temp
drwx------ 2 irc  root 4096 Dec  7 14:06 proxy_temp
drwx------ 2 irc  root 4096 Dec  7 14:06 scgi_temp
drwx------ 2 irc  root 4096 Dec  7 14:06 uwsgi_temp

root@b6a22a760398:/# ps axuww
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.5  10628  5504 pts/0    Ss+  13:59   0:00 nginx: master process nginx -g daemon off;
nginx        6  0.0  0.2  11084  2568 pts/0    S+   13:59   0:00 nginx: worker process

And it may be a delayed error: only when a POST exceeds 8k will we catch the error "Permission denied /var/cache/nginx/client_temp".

This can be fixed the lazy way by adding docs about this behavior.
Or it can be fixed with a patch (see attachment), because -t/-T means "test", not "test and fix according to the new config".

b.r.

Maxim Kozin
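
A check for the state shown in step 3, as an added example that is not part of the ticket or of nginx: it compares the user of the running worker (read from `ps axuww`, as in the report) with the owner of each *_temp directory. The function names are hypothetical; /var/cache/nginx is the path from the report.

```shell
#!/bin/sh
# Added example (not nginx code): find *_temp directories whose owner no
# longer matches the user the running nginx worker uses.

# Print the owner of a directory (third field of `ls -ld`).
dir_owner() {
    ls -ld -- "$1" | awk '{print $3}'
}

# Print every directory in "$2..." not owned by "$1".
# Returns 0 when all match, 1 when at least one differs.
mismatched_dirs() {
    expected=$1; shift
    rc=0
    for d in "$@"; do
        [ -d "$d" ] || continue          # unexpanded glob or missing dir
        owner=$(dir_owner "$d")
        if [ "$owner" != "$expected" ]; then
            printf '%s owner=%s worker=%s\n' "$d" "$owner" "$expected"
            rc=1
        fi
    done
    return $rc
}

# User of the first running worker, parsed from the same `ps` view the
# report uses. The awk process itself is excluded from the match.
worker_user() {
    ps axuww | awk '/nginx: worker process/ && !/awk/ {print $1; exit}'
}

# Compare the live worker user with the owners under a cache directory.
# Returns 2 when no worker is running, otherwise mismatched_dirs' status.
check_nginx_temp() {
    base=$1
    user=$(worker_user)
    if [ -z "$user" ]; then
        echo "no running nginx worker found" >&2
        return 2
    fi
    mismatched_dirs "$user" "$base"/*_temp
}
```

Calling `check_nginx_temp /var/cache/nginx` after any `nginx -t` or `nginx -T` run against an edited config reports the mismatch immediately instead of at the first request that needs a temp file.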

Attachments (1)

test_config_change_permissions_temp_dir.patch (424 bytes) - added by Maxim Kozin 7 months ago.
patch prototype

Change History (2)

by Maxim Kozin, 7 months ago

patch prototype

comment:1 by Maxim Dounin, 7 months ago

Resolution: duplicate
Status: new → closed

Duplicate of #1791.
