Opened 10 days ago

Closed 9 days ago

#2417 closed defect (invalid)

nginx temp file Directory permissions change

Reported by: yjlr.jia@… Owned by:
Priority: major Milestone:
Component: nginx-core Version: 1.20.x
Keywords: Cc: yjlr.jia@…
uname -a: Linux activemq 5.4.109-1.el7.elrepo.x86_64 #1 SMP Mon Mar 29 10:03:34 EDT 2021 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.20.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx1.20 --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module

Description

when I start nginx use “ultiamtech” user,

[ultimatech@activemq nginx]$ pwd
/usr/local/nginx
[ultimatech@activemq nginx]$ ls -lt
总用量 4
drwxr-xr-x 2 ultimatech ultimatech 333 11月 23 10:32 conf
drwxr-xr-x 2 ultimatech ultimatech 58 11月 23 10:28 logs
drwxr-xr-x 2 ultimatech ultimatech 32 11月 23 10:28 sbin
-rw-rw-r-- 1 ultimatech ultimatech 307 11月 23 09:56 1.txt
drwx------ 2 ultimatech ultimatech 6 11月 22 18:40 client_body_temp
drwx------ 2 ultimatech ultimatech 6 11月 22 18:40 fastcgi_temp
drwx------ 2 ultimatech ultimatech 6 11月 22 18:40 proxy_temp
drwx------ 2 ultimatech ultimatech 6 11月 22 18:40 scgi_temp
drwx------ 2 ultimatech ultimatech 6 11月 22 18:40 uwsgi_temp
drwxr-xr-x 2 ultimatech ultimatech 40 11月 22 18:40 html
[ultimatech@activemq nginx]$ sbin/nginx -v
nginx version: nginx/1.22.1
[ultimatech@activemq nginx]$
[ultimatech@activemq nginx]$ sbin/nginx
[ultimatech@activemq nginx]$ ps -ef|grep nginx
ultimat+ 54881 1 0 10:58 ? 00:00:00 nginx: master process sbin/nginx
ultimat+ 54882 54881 0 10:58 ? 00:00:00 nginx: worker process
ultimat+ 54885 54608 0 10:59 pts/2 00:00:00 grep --color=auto nginx

we find the directory *_temp owner is : ultiamtech
but when we use "root" user ,exec command: "nginx -t" , the file directory *_temp : owner change ,directory owner is : nobody ,like this:
[root@activemq nginx]# pwd
/usr/local/nginx
[root@activemq nginx]# ls -lt
总用量 4
drwxr-xr-x 2 ultimatech ultimatech 58 11月 23 10:58 logs
drwxr-xr-x 2 ultimatech ultimatech 333 11月 23 10:58 conf
drwxr-xr-x 2 ultimatech ultimatech 32 11月 23 10:28 sbin
-rw-rw-r-- 1 ultimatech ultimatech 307 11月 23 09:56 1.txt
drwx------ 2 ultimatech ultimatech 6 11月 22 18:40 client_body_temp
drwx------ 2 ultimatech ultimatech 6 11月 22 18:40 fastcgi_temp
drwx------ 2 ultimatech ultimatech 6 11月 22 18:40 proxy_temp
drwx------ 2 ultimatech ultimatech 6 11月 22 18:40 scgi_temp
drwx------ 2 ultimatech ultimatech 6 11月 22 18:40 uwsgi_temp
drwxr-xr-x 2 ultimatech ultimatech 40 11月 22 18:40 html
[root@activemq nginx]# sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@activemq nginx]# ls -lt
总用量 4
drwxr-xr-x 2 ultimatech ultimatech 58 11月 23 10:58 logs
drwxr-xr-x 2 ultimatech ultimatech 333 11月 23 10:58 conf
drwxr-xr-x 2 ultimatech ultimatech 32 11月 23 10:28 sbin
-rw-rw-r-- 1 ultimatech ultimatech 307 11月 23 09:56 1.txt
drwx------ 2 nobody ultimatech 6 11月 22 18:40 client_body_temp
drwx------ 2 nobody ultimatech 6 11月 22 18:40 fastcgi_temp
drwx------ 2 nobody ultimatech 6 11月 22 18:40 proxy_temp
drwx------ 2 nobody ultimatech 6 11月 22 18:40 scgi_temp
drwx------ 2 nobody ultimatech 6 11月 22 18:40 uwsgi_temp
drwxr-xr-x 2 ultimatech ultimatech 40 11月 22 18:40 html

I find the souce code :
ngx_file.c
ngx_int_t
ngx_create_paths(ngx_cycle_t *cycle, ngx_uid_t user){

if (user == (ngx_uid_t) NGX_CONF_UNSET_UINT) {

ngx_log_stderr(0, "nginx create paths start continue ");
continue;

}

if (fi.st_uid != user) { user config define user : start user: ultimatech ,default :nobody

if (chown((const char *) path[i]->name.data, user, -1) == -1) {

ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,

"chown(\"%s\", %d) failed",
path[i]->name.data, user);

return NGX_ERROR;

}

}

}

Why is there a "chown" operation? the chown() function cat be remove???

Change History (1)

comment:1 by Maxim Dounin, 9 days ago

Resolution: invalid
Status: newclosed

When starting or testing configuration, nginx ensures that directories specified in the configuration can be written by nginx worker processes: creates these directories, and does chown() and chmod() if appropriate. If you don't want this to happen, avoid running nginx under wrong user / with incorrect user in the configuration.

Note: See TracTickets for help on using tickets.