Today I found that various developers run NGINX pretty default, which means the master process runs as root. In OPS this is a no-no and it doesnt matter the workers run as a different user.
Even though processes are pretty good sandboxes, in most cases processes stay ‘linked’ using IPC (Interprocess communications, http://tldp.org/LDP/lpg/node7.html). Running any child linked to a process that runs as root ‘might’ create an exploitable bridge (chance is very small, but there).
Because of this its better to be save then sorry. On top of that, the changes needed to make NGINX run as any other user are few and simple.
In the examples below we are using a Oracle Linux (RHEL) 7.4
Here is what is needed:
- Create a dedicated user and group called nginx (if not available already)
useradd -G nginx nginx
- Allow the NGINX proces to bind on a network port below 1024.
setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/nginx
- Allow nginx to write to the nginx logdir
chown nginx:nginx -R /var/log/nginx
tip: remove old logs when your at it
- Allow nginx to read the configuration
chown nginx:nginx -R /etc/nginx/
- Allow nginx to create a pidfile
chown nginx:nginx /var/run/nginx[/code</pre> </li> <li>Alter the nginx service definition to use the nginx user and group and redirect the service to the correct pidfile. Add or alter the markings in the image below. vi /usr/lib/systemd/system/nginx.service
- Alter the nginx.conf file to match the configuration.
- TIP: Is you use certificates in nginx, make sure they reside in a path where the nginx user or group can access them. We tend to create a cert directory in the /etc/nginx/ directory and store them there.
- Finally, start the nginx server.
systemctl enable enginx
systemctl start nginx
Good luck running Nginx as ..... nginx!