File Upload Permissions Issues

Maxim Dounin mdounin at mdounin.ru
Wed Jun 27 02:51:48 UTC 2018 

Hello!

On Tue, Jun 26, 2018 at 04:56:55PM -0400, VP Lists wrote:

> I’m having a problem uploading any files of any significant size to a test site on my workstation.
> 
> 2018/06/26 16:50:20 [crit] 36196#0: *1099 open() "/usr/local/var/run/nginx/client_body_temp/0000000018" failed (13: Permission denied), client: 127.0.0.1, server: pass1.local, request: "POST /upload HTTP/1.1", host: "pass1.local:8080", referrer: "http://pass1.local:8080/upload"

The error message speaks for itself: nginx has no permissions to 
write temporary files to the directory it was configured to write 
temporary files to.  You have to fix this.

[...]

> My nginx.conf has no set ‘user’

This means that nginx will use the default user for worker 
processes as long as it is started as root.  Usually this is 
nobody:nogroup, or whatever is set via configure arguments (see 
"nginx -V").

> and here are the permissions set on the temp file upload folder for nginx:
> 
> $ ll /usr/local/var/run/nginx/
> drwxr-xr-x  7 rich    admin   238B Dec  8  2016 .
> drwxr-xr-x  4 rich    admin   136B Jun 19 15:19 ..
> drwx------  2 nobody  admin    68B Dec  8  2016 client_body_temp

You have to check all path compontents.  That is, check that nginx 
has at least "x" on "/", "/usr", "/usr/local", "/usr/local/var", 
"/usr/local/var/run".

Additionally, if you have SELinux or equivalent enabled, you 
should check it as well.

> I have 4 workers owned by nobody:admin, and nginx is run as 
> default, as root:admin.
> 
> Now this topic of permissions and “what user should run nginx” 
> has come up before.  Some say run as root, others say not.  It’s 
> my workstation, so it doesn’t really matter.  It’s my dev box.  
> The issue comes down to production.  
> 
> Is there one way all of this should be run without the worried 
> security devs out there from losing it?  Since I’m here at 
> another security issue with who runs what, maybe it’s a good 
> time to get a consensus on how all this should be set up.  

You should never run nginx worker processes as root unless you 
understand what you are doing and possible consequences.

On the other hand, nginx master process can't do many required 
things - like binding to port 80 - without being root.  As such, 
you have to run nginx itself (that is, nginx master process) as 
root.

-- 
Maxim Dounin
http://mdounin.ru/

More information about the nginx mailing list