Opened 5 years ago

Closed 8 weeks ago

#698 closed enhancement (wontfix)

Add an option to proxy_cache_path that allows to set group permissions

Reported by: Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.6.x
Keywords: proxy, cache, access, permissions Cc:
uname -a: Linux proxy4 3.13.0-44-generic #73-Ubuntu SMP Tue Dec 16 00:22:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.6.2
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/ --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.6.2/debian/modules/headers-more-nginx-module --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-cache-purge --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-development-kit --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.6.2/debian/modules/ngx-fancyindex --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-http-push --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-lua --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-upload-progress --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.6.2/debian/modules/ngx_http_substitutions_filter_module


We use rsync over ssh here to sync the cache contents of several equally configured proxies between each other.

We would like to use a dedicated user to do this synchronization (not www-data itself, but a user that is in the www-data group), but we cannot do that cleanly, as nginx creates all the files and directories without permission for the group and also removes the group write permission of the top level cache directory, even if I created it manually with that permission in beforehand:

# find . -ls | head -n 10
780623    4 drwxr-s---  18 www-data www-data     4096 Nov 19 10:17 .
780466    4 drwx--S--- 153 www-data www-data     4096 Dez 16 13:24 ./7
133728    4 drwx--S---   2 www-data www-data     4096 Dez 23 10:06 ./7/7a
136474    8 -rw-------   1 www-data www-data     5513 Nov 29 21:45 ./7/7a/03fc1fdb85e2af7774e7897295b517a7
132284    4 drwx--S---   2 www-data www-data     4096 Jan 16 08:34 ./7/5a
136405    8 -rw-------   1 www-data www-data     5963 Jan 16 08:34 ./7/5a/34a677247e238b33554204c70ba0d5a7
136409    8 -rw-------   1 www-data www-data     5626 Nov 25 05:30 ./7/5a/d5bae18f299754735ccb37b1588315a7
136407   16 -rw-------   1 www-data www-data    13921 Jan 11 15:08 ./7/5a/4b537fa48a610be5de370ed0224365a7
261924    4 drwx--S---   2 www-data www-data     4096 Jan 15 15:38 ./7/af
269642   76 -rw-------   1 www-data www-data    74393 Jan  7 18:08 ./7/af/3e88a64b4e851c1d4558aeb6becf0af7

There are several possible workarounds, neither of which we consider clean solutions: Using www-data directly to sync the cache forces us to give www-data a valid login shell to satisfy ssh (instead, we would like to disable login for www-data completely and just give the synchronization user a login shell). Also, we could probably set up some ACLs to enforce access for the synchronization user, but we would rather keep it clean and simple and just use vanilla group membership.

As nginx already has some way to specify permissions of created files and directories, just for a different feature (proxy_store_access), we think it shouldn't be too much effort to give us that possibility for the proxy cache as well.

Niels Böhm

Change History (4)

comment:1 by Krzysztof Grzadziel, 5 years ago

I have already patch for that for nginx 1.7.9. It introduces new optional variables (file_access_rights and path_access_rights) to proxy_cache_path, fastcgi_cache_path and I believe to other *_cache_path variables.

Example usage in proxy_cache_path directive:
proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=NAME2:1m file_access_rights=0666 path_access_rights=0711;

comment:2 by dmnc@…, 5 months ago

I would very much welcome this change if the patch is revivable.

My scenario is this:

  • We use www-data user for nginx and php-fpm which can only write to very specific parts of the filesystem.
  • We use a different user (in the www-data group) to create deployments which has access to change the entire webroot.
  • We'd like to give the deployment user the ability to clear out the fastcgi_cache on deploy.

Being able to give group access to the contents of the cache would make this easy but right now we are having to do some ugliness to get the www-data user to do the clear rather than the deployer.

comment:3 by Krzysztof Grządziel, 2 months ago

Hi, I revived patch. You can review it here

Docs need to be updated and probably tests that covers new option should be added.

comment:4 by Maxim Dounin, 8 weeks ago

Resolution: wontfix
Status: newclosed

Permissions are set on the cache directory and files in a such way since general assumption behind the cache management in nginx is that the cache directory is managed by a single nginx instance. While trying to sync cache directory to different servers might work in some cases, this isn't something we can recommend as a generic approach.

Note: See TracTickets for help on using tickets.