Remove root from NGINX

Today I found that various developers run NGINX pretty default, which means the master process runs as root. In OPS this is a no-no and it doesnt matter the workers run as a different user.

Even though processes are pretty good sandboxes, in most cases processes stay ‘linked’ using IPC (Interprocess communications, http://tldp.org/LDP/lpg/node7.html). Running any child linked to a process that runs as root ‘might’ create an exploitable bridge (chance is very small, but there).

Because of this its better to be save then sorry. On top of that, the changes needed to make NGINX run as any other user are few and simple.

In the examples below we are using a Oracle Linux (RHEL) 7.4

Here is what is needed:

  1. Create a dedicated user and group called nginx (if not available already)
    useradd -G nginx nginx
  2. Allow the NGINX proces to bind on a network port below 1024.
    setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/nginx
  3. Allow nginx to write to the nginx logdir
    chown nginx:nginx -R /var/log/nginx

    tip: remove old logs when your at it

  4. Allow nginx to read the configuration
    chown nginx:nginx -R /etc/nginx/
  5. Allow nginx to create a pidfile
    mkdir /var/run/nginx
    chown nginx:nginx /var/run/nginx[/code</pre>
    </li>
    	<li>Alter the nginx service definition to use the nginx user and group and redirect the service to the correct pidfile. Add or alter the markings in the image below.
     vi /usr/lib/systemd/system/nginx.service

    2018-04-19 14_08_12-root@localhost__var_log_nginx

  6. Alter the nginx.conf file to match the configuration.
     vi /etc/nginx/nginx.conf

    2018-04-19 14_14_36-root@localhost__var_log_nginx

  7. TIP: Is you use certificates in nginx, make sure they reside in a path where the nginx user or group can access them. We tend to create a cert directory in the /etc/nginx/ directory and store them there.
  8. Finally, start the nginx server.
    systemctl enable enginx
    systemctl start nginx

Good luck running Nginx as ..... nginx!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s