# nginx Permissions Clarification



## daBee (Apr 30, 2018)

Hi folks.  

My workstation is a Mac (El Capitan), and I have a FreeBSD box on version 11.1 Release, running nginx on both.  Both have the user commented out, yet I continue to get errors on the following commands on the FreeBSD box:


```
$ nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
$ nginx -s reload
nginx: [alert] kill(639, 1) failed (1: Operation not permitted)
```

nginx.pid is owned by root/wheel.  

So I'm confused again, as I have been in the past.  The maintainer for nginx did not reply to me on this.  I submitted it personally, never got an answer.  I think this is important as it's a root / user permissions issue on a major app.  I'm thinking I'm missing something, and it's just me.  But I'm still confused.  I have no errors on my Mac workstation.  

Can someone please shed some light on where I'm going wrong?  Any insight appreciated. 

Cheers


----------



## SirDice (Apr 30, 2018)

Remove the PID file and remove the `pid =` line from nginx.conf.


----------



## daBee (Apr 30, 2018)

The pid file is already commented out.  Removing it did nothing.  Then I tried the following:


```
[Mon Apr 30 11:53:29 adminuser@serverbox /var/run] nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
[Mon Apr 30 11:53:41 adminuser@serverbox /var/run] sudo nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
```


----------



## SirDice (Apr 30, 2018)

Use `service nginx start` to start it. Note that the rc(8) script checks the config before starting the server. If you just want to check the config, use `service nginx configtest`


----------



## daBee (Apr 30, 2018)

Oh it's running.  It's always been running.  That's not the issue.  These errors are the issue.  It's serving fine.  `/var/run/nginx.pid` has been recreated, and serving fine.  The admin commands provided just keep giving me errors and I want to finally get a green light before moving on.

Sorry...furthermore...


```
[Mon Apr 30 12:01:07 adminuser@serverbox /var/run] service nginx configtest
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
```

Edit, FYI, while the service is indeed running:


```
[Mon Apr 30 12:06:59 adminuser@serverbox /var/run] service nginx reload
nginx not running? (check /var/run/nginx.pid).
```


----------



## SirDice (Apr 30, 2018)

The reason it's giving you errors is because you're running the tests as a regular user. The pid is root owned and I suspect part of the test is to see if the pid file is writable (which only root is allowed to do).

Just use this: 

```
root@armitage:~ # service nginx configtest
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
```


----------



## daBee (Apr 30, 2018)

OK, this sounds good.  I thought because it's running as non-root, that it would not barf at me trying to do those tests.  I would have thought that the maintainer (or the nginx people) would think that the "run as root" vs "pid view needs root" and figured that out.  

I've updated my last post, as the test you give works for me on my Mac box.  FreeBSD gives me permissions errors as this user (admin) can't force the test to run as root without sudo.  Hence confusing.  Two different models.


----------



## daBee (Apr 30, 2018)

Even more confusing:


```
[Mon Apr 30 12:13:40 adminuser@serverbox /var/run] service nginx status
nginx is not running.
```


----------



## drhowarddrfine (May 1, 2018)

To be clear, nginx must run as root. Are you doing that? I'm confused by your posts.


----------



## SirDice (May 1, 2018)

Yes, it's good to stress this. All services are started as root but a lot of services will lower their privileges once started. A good example is this case: nginx is started as root but as soon as the ports have been opened, pidfile written, log files opened etc., it will drop its privileges to the www user. Webservers typically must be started as root because only root can open (network) ports below 1024.


----------



## daBee (May 1, 2018)

drhowarddrfine said:


> To be clear, nginx must run as root. Are you doing that? I'm confused by your posts.



I have been told numerous times that I should never run nginx as root.  I personally don't mind running it as root or not.  I just want some clarity.


----------



## daBee (May 1, 2018)

SirDice said:


> Yes, it's good to stress this. All services are started as root but a lot of services will lower their privileges once started. A good example is this case: nginx is started as root but as soon as the ports have been opened, pidfile written, log files opened etc., it will drop its privileges to the www user. Webservers typically must be started as root because only root can open (network) ports below 1024.



Ah that makes sense.  I'll give it a whirl today with root in the conf.


----------



## joneum@ (May 1, 2018)

daBee said:


> Hi folks.
> 
> [..]
> 
> So I'm confused again, as I have been in the past.  The maintainer for nginx did not reply to me on this.  I submitted it personally, never got an answer. [..]



When did you send me an email? It is always better to ask here in the forum. Or to open a PR.


----------



## daBee (May 1, 2018)

Months ago.  I was told they would get back to me.  I replied a couple of weeks later, with no reply.


----------



## SirDice (May 1, 2018)

daBee said:


> I'll give it a whirl today with root in the conf.


No, that would be a bad idea as this will make it run as root for _everything_ and this is considered a huge security risk. You _start_ the thing as root but it actually runs on the www account. So don't make those changes, leave this as-is (it does the right thing by default).


----------



## daBee (May 1, 2018)

So I'm right back at the very beginning.  So what do I do?  I keep getting conflicting information.  Second, if it's in the proper configuration, why would `nginx -t` fail without using `sudo`?


----------



## SirDice (May 1, 2018)

You _start_ the service as root: `service nginx start`. But once it's started privileges will be dropped to www. Setting the `user` inside nginx.conf isn't needed, that option is given as a parameter by the rc(8) script that starts the service. Privileges are dropped _after_ nginx has opened the pidfile, logfiles and ports.  



daBee said:


> Second, if it's in the proper configuration, why would `nginx -t` fail without using `sudo`?


Because the test tries to open the pidfile for writing and only root is allowed to do that.
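
A way to confirm the privilege drop described in the replies above (master started as root, workers running as www), added here as an example and not part of any post in this thread. The function name and the sample `ps` listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit which accounts the nginx master
# and worker processes run as. Input columns: USER PID PPID COMMAND.

# check_nginx_privs reads ps output on stdin and prints a one-line summary.
# Exit status: 0 = master found and no worker runs as root
#              1 = at least one worker runs as root
#              2 = no nginx master process in the input
check_nginx_privs() {
    awk '
        /nginx: master process/ { master_user = $1; master_pid = $2; next }
        /nginx: worker process/ {
            workers++
            if ($1 == "root") {
                root_workers++
                printf "worker pid %s runs as root\n", $2
            }
        }
        END {
            if (master_pid == "") { print "no nginx master found"; exit 2 }
            printf "master pid %s (%s), %d worker(s), %d as root\n",
                   master_pid, master_user, workers, root_workers
            exit (root_workers > 0 ? 1 : 0)
        }
    '
}

# Constructed sample: default setup, master as root, workers dropped to www.
sample_dropped() {
    cat <<'EOF'
USER  PID PPID COMMAND
root  639    1 nginx: master process /usr/local/sbin/nginx
www   640  639 nginx: worker process (nginx)
www   641  639 nginx: worker process (nginx)
EOF
}

# Constructed sample: what setting the user to root in nginx.conf would produce.
sample_root_workers() {
    cat <<'EOF'
USER  PID PPID COMMAND
root  639    1 nginx: master process /usr/local/sbin/nginx
root  640  639 nginx: worker process (nginx)
EOF
}

sample_dropped | check_nginx_privs
# On a live host: ps -axo user,pid,ppid,command | check_nginx_privs
```

A non-zero exit status makes the check usable from a periodic job or a monitoring probe: status 1 means the workers that handle requests are holding root.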


----------



## daBee (May 1, 2018)

Yes, understood.  That is a continuity issue with how it's supposed to work as non-root.  Just saying, it only adds to the confusion.  "Don't run as root.  When tested as non-root, permissions error."


----------



## JRWoodward MSW (Feb 9, 2019)

I had a similar error message. My nginx.conf was creating the nginx.pid file in "logs". It needs to be in /var/run for service nginx start/stop to run. I commented out the line near the top that assigned nginx.pid to "logs" and it was created where it was supposed to be.


----------

