GSA/ansible-https-proxy

Run the NGINX Web Server as a non-root user

JJediny opened this issue · 3 comments

Draft CIS Benchmark 1.1.1

Description

Although the NGINX master process is typically started with root privileges in order to listen on ports 80 and 443, it can and should run as another non-root user in order to perform the web services. The NGINX user directive is used to designate the user that the NGINX worker processes will assume.

Rationale

One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged user and group for the server application. The "nobody" or "daemon" user and group that come by default on Unix variants should NOT be used to run the web server, since the account is commonly used for other separate daemon services. Instead, use an account used only by the nginx software so as to not give unnecessary access to other services. Also, the user identifier used for the nginx user should be a unique system account. System user account UID numbers have lower values, which are reserved for the special system accounts not used by regular users. Typically system account numbers range from 1-999 or 1-499 and are defined in the /etc/login.defs file. As an even more secure alternative, if the NGINX web server can be run on high unprivileged ports, then it is not necessary to start NGINX as root, and all of the NGINX processes may be run as the NGINX-specific user as described below.

Remediation

Perform the following:

1. If the nginx user and group do not already exist, create the account and group as a unique system account:

    # groupadd -r nginx
    # useradd nginx -r -g nginx -d /var/cache/nginx -s /sbin/nologin

2. Configure the NGINX user in the NGINX configuration file nginx.conf:

    user nginx;

Audit

Ensure the nginx account is unique and has been created with a UID less than the minimum normal user account with the nginx group and configured in the nginx.conf file.

1. Ensure the previous line is present in the NGINX configuration and not commented out:

    # grep -i '^user' $NGINX_PREFIX/nginx.conf

2. Ensure the nginx account UID is correct:

    # grep '^UID_MIN' /etc/login.defs
    # id nginx

   The uid must be less than the UID_MIN value in /etc/login.defs, and group of nginx similar to the following entries:

    UID_MIN 1000
    uid=483(nginx) gid=479(nginx) groups=479(nginx)

3. While the web server is running, check the user id for the nginx processes. The user name should match the configuration file.

    # ps axu | grep nginx | grep -v '^root'
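Audit steps 1 and 2 above, scripted as an added example (not part of the original issue or the CIS draft). It reads copies of nginx.conf, /etc/login.defs and /etc/passwd instead of calling `id`, and goes slightly beyond the listed steps by also rejecting the shared "nobody"/"daemon" accounts named in the Rationale and checking that the UID is unique. The function names, return codes and sample files are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: the audit steps run against file copies (offline).

# Account named by the first uncommented `user` directive in nginx.conf.
nginx_conf_user() {
    awk '$1 == "user" { sub(/;.*/, "", $2); print $2; exit }' "$1"
}

# Return codes: 0 pass, 1 no active user directive, 2 shared account,
# 3 account missing, 4 UID not below UID_MIN, 5 UID not unique.
audit_nginx_user() {
    conf=$1; defs=$2; passwd=$3
    user=$(nginx_conf_user "$conf")
    [ -n "$user" ] || { echo "FAIL: no active user directive"; return 1; }
    case $user in
        nobody|daemon) echo "FAIL: shared account '$user'"; return 2 ;;
    esac
    uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$passwd")
    [ -n "$uid" ] || { echo "FAIL: account '$user' not found"; return 3; }
    # Assumption: fall back to 1000 when login.defs has no UID_MIN line.
    uid_min=$(awk '$1 == "UID_MIN" { print $2; exit }' "$defs")
    uid_min=${uid_min:-1000}
    [ "$uid" -lt "$uid_min" ] || { echo "FAIL: uid $uid >= UID_MIN $uid_min"; return 4; }
    dup=$(awk -F: -v id="$uid" '$3 == id { n++ } END { print n + 0 }' "$passwd")
    [ "$dup" -eq 1 ] || { echo "FAIL: uid $uid used by $dup accounts"; return 5; }
    echo "PASS: workers run as $user (uid $uid < UID_MIN $uid_min)"
}

# Constructed sample files, not taken from a real host.
demo=$(mktemp -d)
printf 'user nginx;\nworker_processes auto;\n' > "$demo/good.conf"
printf '#user nginx;\nuser nobody;\n' > "$demo/shared.conf"
printf 'UID_MIN 1000\n' > "$demo/login.defs"
printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
    'nginx:x:483:479::/var/cache/nginx:/sbin/nologin' > "$demo/passwd"

audit_nginx_user "$demo/good.conf" "$demo/login.defs" "$demo/passwd"
audit_nginx_user "$demo/shared.conf" "$demo/login.defs" "$demo/passwd" || true
```

Step 3 (comparing against the running processes) still has to be done on the live host with the `ps` command shown above.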

Why should the userid be less than 1000? Is there an important reason for that?

Anyway, I tried your suggestion because I have the same opinion that a webserver should not run as root, even if it's just the master process. But there is still a master process which is running as root. I also tried to modify the nginx start scripts and added "--user USERNAME" after "start-stop-daemon". Additionally I changed the user and group of the pid file, the log files and the start scripts to the webserver user I created. None of my changes made it possible to run nginx as a normal user. Do you have any other suggestion for what I could do?

You have to start Nginx as the non-root user. Like sudo -u <non-root user> service nginx start

When it comes to a Django and gunicorn stack with nginx: when I run nginx as the typical www-data user, it's giving me permission errors accessing the app.sock file inside application directories. I tried giving www-data permissions to it but it didn't work?