Opened 6 years ago

Closed 6 years ago

#1686 closed defect (invalid)

Log files ownership

Reported by: https://stackoverflow.com/users/573152/bernard-rosset Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.14.x
Keywords: log Cc:
uname -a: Linux 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.14.2
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0f 25 May 2017 (running with OpenSSL 1.1.0j 20 Nov 2018)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.14.2/debian/debuild-base/nginx-1.14.2=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

On log rotation, nginx seems to process as documented: the log file is created as root, then ownership is changed to the user nginx is configured to run with and workers can then open file descriptors to it.

However, on startup or on reload (SIGHUP), thoss log files are created with ownership root:root.

It does not seem that worker processes, without a specific umask (standard files created with permissions 644), might be able to directly open file descriptors to log files.
Nonwithstanding, it seems logging runs well when log files are created as root:root.

It seems several points are unclear:

  1. How come log files are not create with the user nginx is configured to run with when those log files are created on startup or reload (SIGHUP)?
  2. How is logging working when files created in those conditions cannot be written to by userspace processes such as nginx workers?

Change History (1)

comment:1 by Maxim Dounin, 6 years ago

Resolution: invalid
Status: newclosed

On startup and on reload, log files are opened by the master process and relevant file descriptors are inherited though fork() into worker processes. As such, worker processes do not need any additional permissions to write to these files.

For further questions on how nginx works, please use support options available. Asking questions in Trac is discouraged, it is to track bugs, not to ask questions.

Note: See TracTickets for help on using tickets.