#698 new enhancement

Add an option to proxy_cache_path that allows to set group permissions

Reported by: launchpad.net/~blubberdiblub Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.6.x
Keywords: proxy, cache, access, permissions Cc:
uname -a: Linux proxy4 3.13.0-44-generic #73-Ubuntu SMP Tue Dec 16 00:22:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.6.2 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.6.2/debian/modules/headers-more-nginx-module --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-cache-purge --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-development-kit --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.6.2/debian/modules/ngx-fancyindex --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-http-push --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-lua --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-upload-progress --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.6.2/debian/modules/ngx_http_substitutions_filter_module

Description

We use rsync over ssh here to sync the cache contents of several equally configured proxies between each other.

We would like to use a dedicated user to do this synchronization (not www-data itself, but a user that is in the www-data group), but we cannot do that cleanly, as nginx creates all the files and directories without permissions for the group and also removes the group write permission of the top-level cache directory, even if I created it manually with that permission beforehand:

# find . -ls | head -n 10
780623    4 drwxr-s---  18 www-data www-data     4096 Nov 19 10:17 .
780466    4 drwx--S--- 153 www-data www-data     4096 Dez 16 13:24 ./7
133728    4 drwx--S---   2 www-data www-data     4096 Dez 23 10:06 ./7/7a
136474    8 -rw-------   1 www-data www-data     5513 Nov 29 21:45 ./7/7a/03fc1fdb85e2af7774e7897295b517a7
132284    4 drwx--S---   2 www-data www-data     4096 Jan 16 08:34 ./7/5a
136405    8 -rw-------   1 www-data www-data     5963 Jan 16 08:34 ./7/5a/34a677247e238b33554204c70ba0d5a7
136409    8 -rw-------   1 www-data www-data     5626 Nov 25 05:30 ./7/5a/d5bae18f299754735ccb37b1588315a7
136407   16 -rw-------   1 www-data www-data    13921 Jan 11 15:08 ./7/5a/4b537fa48a610be5de370ed0224365a7
261924    4 drwx--S---   2 www-data www-data     4096 Jan 15 15:38 ./7/af
269642   76 -rw-------   1 www-data www-data    74393 Jan  7 18:08 ./7/af/3e88a64b4e851c1d4558aeb6becf0af7

There are several possible workarounds, none of which we consider clean solutions: using www-data directly to sync the cache forces us to give www-data a valid login shell to satisfy ssh (instead, we would like to disable login for www-data completely and just give the synchronization user a login shell). Also, we could probably set up some ACLs to enforce access for the synchronization user, but we would rather keep it clean and simple and just use vanilla group membership.

As nginx already has some way to specify permissions of created files and directories, just for a different feature (proxy_store_access), we think it shouldn't be too much effort to give us that possibility for the proxy cache as well.

Regards,
Niels Böhm
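Added example, not part of the ticket: a small audit over a `find -ls` listing of the kind quoted above. It parses the symbolic mode column (including the setgid `S`/`s` markers the listing shows), reports which entries a sync user in the owning group could not read or traverse, and computes the smallest mode that adds only the missing group bits. The sample lines are constructed after the listing format in the ticket; the function names are this example's own.

```python
import stat

# Constructed sample in the `find . -ls` format quoted in the ticket
# (inode, blocks, mode, links, user, group, size, month, day, time, name).
SAMPLE_FIND_LS = """\
780623    4 drwxr-s---  18 www-data www-data     4096 Nov 19 10:17 .
780466    4 drwx--S--- 153 www-data www-data     4096 Dez 16 13:24 ./7
136474    8 -rw-------   1 www-data www-data     5513 Nov 29 21:45 ./7/7a/03fc1fdb85e2af7774e7897295b517a7
"""

def parse_find_ls(text):
    """Return (path, symbolic_mode) pairs; the name is the 11th field and may contain spaces."""
    out = []
    for line in text.splitlines():
        f = line.split(None, 10)
        if len(f) == 11:
            out.append((f[10], f[2]))
    return out

# Bit for each position of the symbolic string; positions 3/6/9 may also carry
# setuid/setgid/sticky: 's'/'t' together with the execute bit, 'S'/'T' without it.
_PLAIN = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_IRGRP, stat.S_IWGRP,
          stat.S_IXGRP, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
_SPECIAL = {3: stat.S_ISUID, 6: stat.S_ISGID, 9: stat.S_ISVTX}

def symbolic_to_mode(sym):
    """Convert e.g. 'drwx--S---' to the numeric mode 0o2700."""
    bits = 0
    for pos, ch in enumerate(sym[1:10], start=1):
        if ch in "rwx":
            bits |= _PLAIN[pos - 1]
        elif ch in "st":
            bits |= _PLAIN[pos - 1] | _SPECIAL[pos]
        elif ch in "ST":
            bits |= _SPECIAL[pos]
    return bits

def group_needs(sym, write=False):
    """Group bits a sync user needs: read, plus execute to traverse directories, plus write if it syncs in."""
    need = stat.S_IRGRP | (stat.S_IXGRP if sym[0] == "d" else 0)
    return need | (stat.S_IWGRP if write else 0)

def group_blocked(entries, write=False):
    """Paths whose group permissions are insufficient for the sync user."""
    return [p for p, sym in entries
            if symbolic_to_mode(sym) & group_needs(sym, write) != group_needs(sym, write)]

def suggested_mode(sym, write=False):
    """Smallest mode that adds the missing group bits and leaves everything else alone."""
    return symbolic_to_mode(sym) | group_needs(sym, write)

if __name__ == "__main__":
    for path, sym in parse_find_ls(SAMPLE_FIND_LS):
        print(f"{sym} {oct(symbolic_to_mode(sym))} -> {oct(suggested_mode(sym, write=True))} {path}")
```

Run against a real `find /path/to/cache -ls` capture, the output shows that the setgid bit nginx preserves on directories does not by itself grant the group any access; only the group r/w/x bits do.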

Change History (1)

comment:1 Changed 5 years ago by www.google.com/accounts/o8/id?id=AItOawlI4lBEffe7e7Uic2DC4N9BxqsA7DO3lQE

I already have a patch for that for nginx 1.7.9. It introduces new optional variables (file_access_rights and path_access_rights) to proxy_cache_path, fastcgi_cache_path and, I believe, to other *_cache_path variables.

Example usage in proxy_cache_path directive:
proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=NAME2:1m file_access_rights=0666 path_access_rights=0711;
