[Pkg-nginx-maintainers] Bug#980970: nginx: Owner for /var/log/nginx/*.log should be root and not www-data
Samuel Bizien Filippi
samuel at bizien.info
Tue Feb 9 19:43:36 GMT 2021
Dear maintainers,
After some experiments and research, I found this undocumented hack
that allows socket-activating nginx:
https://freedesktop.org/wiki/Software/systemd/DaemonSocketActivation/#nginx
This makes it possible to run nginx as a standard user (www-data is a good
candidate in this case), but it breaks reloads (ExecReload) and the pre-
flight check (ExecStartPre). It can still be a good move for security
reasons: you remove all privileges from the nginx process, can drop all
capabilities and can even jail nginx with the "PrivateNetwork=true" systemd
option (no access to the network).
In this situation, it's a good thing that
/var/log/nginx/{access,error}.log are owned by www-data by default,
since you don't have to chown them before "jailing" nginx with
systemd.
Conclusion? Changing the owner to root for these log files may not be
helpful for lots of people:
- for people using the default configuration, it works anyway
- for people hardening nginx with systemd (dropping capabilities,
running as user ...), log files owned by www-data are easier to
work with.
So maybe this bug could be closed.
Thanks a lot,
Samuel Bizien Filippi.
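As an added illustration of the setup described in the message above (this is not part of Samuel's mail, the Debian nginx package, or the linked wiki page), here is what a socket-activated, unprivileged nginx unit could look like on a Debian system. The unit file names, the drop-in layout, the use of the NGINX environment variable to hand the systemd-passed file descriptor to nginx, and the exact list of writable paths are assumptions; check them against the wiki recipe and your nginx version before relying on them.

```ini
# --- /etc/systemd/system/nginx.socket (added example, assumed layout) ---
[Unit]
Description=nginx listening socket (socket-activated, unprivileged nginx)

[Socket]
# Each ListenStream must match a "listen" directive in nginx.conf exactly
# (address and port). An unprivileged nginx cannot bind port 80 itself, so
# any listen directive without a matching systemd socket makes startup fail.
# With two ListenStream lines the passed fds would be 3 and 4 ("NGINX=3;4;").
ListenStream=0.0.0.0:80

[Install]
WantedBy=sockets.target

# --- /etc/systemd/system/nginx.service.d/unprivileged.conf (drop-in) ---
[Service]
# Assumption: nginx treats fds listed in NGINX as inherited listening
# sockets (the mechanism it uses for binary upgrades); systemd passes the
# first socket as fd 3. This is the "undocumented hack" the message refers to.
Environment=NGINX=3;
# Run in the foreground; the packaged unit is Type=forking, so override it.
Type=simple
PIDFile=
ExecStart=
ExecStart=/usr/sbin/nginx -g 'daemon off; master_process on;'
# Reload and the pre-flight config test do not work in this mode, as the
# message notes, so clear them rather than leave something that fails.
ExecReload=
ExecStartPre=
# Drop privileges entirely: no CAP_NET_BIND_SERVICE is needed because
# systemd already bound the port, and no CAP_SETUID/SETGID because the
# master process never switches user (nginx only warns about "user").
User=www-data
Group=www-data
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=true
# Private network namespace: accepted connections still arrive on the
# inherited socket, but nginx cannot open any outbound connection
# (upstreams must then be unix sockets, not TCP).
PrivateNetwork=true
# Read-only filesystem except the places nginx must write to:
#  - /var/log/nginx: access/error logs, opened by nginx as www-data
#    (this is why www-data ownership of the log files matters here)
#  - /var/lib/nginx: Debian's proxy/fastcgi/body temp directories
#  - /run/nginx: pid file; nginx.conf must say "pid /run/nginx/nginx.pid;"
#    because /run itself is not writable by www-data
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
RuntimeDirectory=nginx
ReadWritePaths=/var/log/nginx /var/lib/nginx
```

To try it, adjust the "pid" directive in nginx.conf as noted, then run "systemctl daemon-reload", "systemctl disable --now nginx.service", "systemctl enable --now nginx.socket"; nginx.service is started on the first connection. If the error log is owned by root with mode 0640, nginx fails at startup before even reading its configuration, which is exactly the case the message makes for keeping the log files owned by www-data.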