sous-chefs/nginx

Incorrect permissions of nginx config files

axl89 opened this issue · 5 comments

axl89 commented

👻 Brief Description

The nginx_config resource, which is responsible for the creation of nginx.conf and the other configuration folders, sets the uid and gid based on the nginx_user and nginx_group functions, which return users such as www-data or nobody depending on the platform. I believe that the owner of the configuration files should always be root.

🥞 Cookbook version

v11.2.0

๐Ÿ‘ฉโ€๐Ÿณ Chef-Infra Version

16.9.20

🎩 Platform details

Ubuntu 20.04, but should be able to be replicated elsewhere.

Steps To Reproduce

Converge a recipe as the documentation says in an Ubuntu 20.04 Dokken image:

nginx_config 'nginx' do
  action :create
  notifies :reload, 'nginx_service[nginx]', :delayed
end

You should see the following:

root@dokken:/etc/nginx# ll
total 56
drwxr-xr-x 4 root     root     4096 Feb 10 16:23 ./
drwxr-xr-x 1 root     root     4096 Feb 10 16:19 ../
drwxr-x--- 2 www-data www-data 4096 Feb 10 16:19 conf.d/
drwxr-x--- 2 www-data www-data 4096 Feb 10 16:23 conf.http.d/
-rw-r--r-- 1 root     root     1007 Apr 21  2020 fastcgi_params
-rw-r--r-- 1 root     root     2837 Apr 21  2020 koi-utf
-rw-r--r-- 1 root     root     2223 Apr 21  2020 koi-win
-rw-r--r-- 1 root     root     5231 Apr 21  2020 mime.types
lrwxrwxrwx 1 root     root       22 Oct 29 09:59 modules -> /usr/lib/nginx/modules/
-rw-r----- 1 www-data www-data  806 Feb 10 16:23 nginx.conf
-rw-r--r-- 1 root     root      636 Apr 21  2020 scgi_params
-rw-r--r-- 1 root     root      664 Apr 21  2020 uwsgi_params
-rw-r--r-- 1 root     root     3610 Apr 21  2020 win-utf

🚓 Expected behavior

The nginx.conf configuration file and conf.d / conf.http.d folders should be owned by root.

➕ Additional context

N/A

axl89 commented

I've just realized that the owner property does the trick:

nginx_config 'nginx' do
  owner 'root'
  action :create
  notifies :reload, 'nginx_service[nginx]', :delayed
end

produces:

root@dokken:/# ll /etc/nginx/
total 56
drwxr-xr-x 4 root root     4096 Feb 10 16:49 ./
drwxr-xr-x 1 root root     4096 Feb 10 16:49 ../
drwxr-x--- 2 root www-data 4096 Feb 10 16:49 conf.d/
drwxr-x--- 2 root www-data 4096 Feb 10 16:49 conf.http.d/
-rw-r--r-- 1 root root     1007 Apr 21  2020 fastcgi_params
-rw-r--r-- 1 root root     2837 Apr 21  2020 koi-utf
-rw-r--r-- 1 root root     2223 Apr 21  2020 koi-win
-rw-r--r-- 1 root root     5231 Apr 21  2020 mime.types
lrwxrwxrwx 1 root root       22 Oct 29 09:59 modules -> /usr/lib/nginx/modules/
-rw-r----- 1 root www-data  806 Feb 10 16:49 nginx.conf
-rw-r--r-- 1 root root      636 Apr 21  2020 scgi_params
-rw-r--r-- 1 root root      664 Apr 21  2020 uwsgi_params
-rw-r--r-- 1 root root     3610 Apr 21  2020 win-utf

which I guess is OK, since nginx.conf cannot be written by the run user, but I'd prefer it to be root:root.

Regardless, I suggest changing the example in the docs to use the owner property 😄

There's a group property that should do what you want as well. It's all documented in the property table for nginx_config.

axl89 commented

There's a group property that should do what you want as well.

Thank you for pointing this out. I think it does, but also changes the process group which is not exactly what I'm looking for. See the output below of doing:

nginx_config 'nginx' do
  group 'root'
  owner 'root'
  action :create
  notifies :reload, 'nginx_service[nginx]', :delayed
end
Recipe: scalefast_nginx::config
  * nginx_config[nginx] action create
    * directory[/etc/nginx/conf.d] action create
      - change group from 'www-data' to 'root'
    * directory[/etc/nginx/conf.http.d] action create
      - change group from 'www-data' to 'root'
    * directory[/var/log/nginx] action create
      - change group from 'www-data' to 'root'
    * file[/etc/nginx/conf.d/default.conf] action delete (up to date)
    * file[/etc/nginx/conf.d/example_ssl.conf] action delete (up to date)
    * nginx_site[default-site] action create
      * template[/etc/nginx/conf.http.d/default-site.conf] action create
        - change group from 'www-data' to 'root'
    
    * template[/etc/nginx/nginx.conf] action create
      - update content in file /etc/nginx/nginx.conf from 05a204 to 4ba605
      --- /etc/nginx/nginx.conf	2021-02-10 16:49:36.498040396 +0000
      +++ /etc/nginx/.chef-nginx20210210-1136-lto0p7.conf	2021-02-10 17:04:19.167064122 +0000
      @@ -2,7 +2,7 @@
       # Do NOT modify this file by hand.
       #
       
      -user www-data;
      +user www-data root;
       worker_processes auto;
       error_log /var/log/nginx/error.log;
       pid /run/nginx.pid;
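Review bot: the `-user www-data;` / `+user www-data root;` change in this hunk shows that the nginx_config group property is being written into the nginx `user` directive, not only applied to file ownership; nginx's `user` directive takes an optional second argument that sets the group the worker processes run as, so this converge would start the workers with group root even though the intent was only root-owned config files. Treat a converge that produces this line as a least-privilege regression rather than a cosmetic diff: the file group and the process group need to be separate properties, and after converging it is worth confirming the worker group with `ps -C nginx -o user,group,cmd`.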
      - change group from 'www-data' to 'root'
  
  * directory[/etc/nginx/conf.http.d] action create (up to date)
  * template[/etc/nginx/conf.http.d/list.conf] action nothing (skipped due to action :nothing)

Hmm yes it does, probably worth splitting that out.

I've split the process user/group into separate properties, PR incoming shortly so should get it out today.
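As an added check for the two points raised in this thread (example code, not part of the sous-chefs/nginx cookbook or this issue), the Ruby below flags nginx config paths that the run user could rewrite and a `user` directive that hands the workers a privileged group; it assumes the run user and group are www-data, as on the Ubuntu converge above.

```ruby
# Added example, not code from the sous-chefs/nginx cookbook or this issue.
# Post-converge sanity check for the two points raised above:
#   1. no nginx config path may be owned or writable by the nginx run user/group
#   2. the `user` directive in nginx.conf must not hand workers a privileged group
# Assumption: the run user/group are www-data (nginx_user/nginx_group on Ubuntu).
require 'etc'

RUN_USER  = 'www-data'
RUN_GROUP = 'www-data'
PRIVILEGED_GROUPS = %w[root wheel sudo].freeze

# Extract `user <name> [<group>];` from nginx.conf text, ignoring comments.
# Returns [user, group] (group nil when omitted) or nil when no directive exists.
def nginx_user_directive(conf_text)
  conf_text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    m = line.match(/\Auser\s+([^\s;]+)(?:\s+([^\s;]+))?\s*;\z/)
    return [m[1], m[2]] if m
  end
  nil
end

# True when the directive would start worker processes with a privileged group,
# e.g. `user www-data root;` as produced in the converge output above.
def worker_group_privileged?(conf_text)
  user, group = nginx_user_directive(conf_text)
  !user.nil? && PRIVILEGED_GROUPS.include?(group)
end

# Pure ownership check on (owner, group, mode) so it can be exercised against
# values from a directory listing as well as from File.stat. Finding or nil.
def ownership_finding(path, owner, group, mode)
  if owner == RUN_USER
    "#{path}: owned by run user #{owner}; nginx could rewrite its own config"
  elsif group == RUN_GROUP && (mode & 0o020) != 0
    "#{path}: group-writable by run group #{group}"
  elsif (mode & 0o002) != 0
    "#{path}: world-writable"
  end
end

# Check real paths; missing or unreadable paths are reported, not raised.
def check_config_paths(paths)
  paths.filter_map do |path|
    st = File.stat(path)
    ownership_finding(path, Etc.getpwuid(st.uid).name, Etc.getgrgid(st.gid).name, st.mode & 0o777)
  rescue Errno::ENOENT, Errno::EACCES => e
    "#{path}: #{e.class}"
  end
end
```

Run `check_config_paths(%w[/etc/nginx/nginx.conf /etc/nginx/conf.d /etc/nginx/conf.http.d])` together with `worker_group_privileged?(File.read('/etc/nginx/nginx.conf'))` after a converge; an empty list and `false` is the expected result.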