Nginx default user changed in RedHat/CentOS package nginx-1.16.1-1.el7

The latest Nginx rpm (nginx-1.16.1-1.el7) from EPEL for CentOS/RedHat is a fairly major update, from version 1.12 to 1.16, and includes some very important fixes to address multiple CVEs. There is another small but critical change in the latest RPM that isn’t mentioned in the bug report. RedHat had configured nginx to run as user “apache” in past releases, but in the EPEL release on 19 October 2019, the configuration was changed to run as user “nginx”. If you ran “yum upgrade” recently (which you really need to do on a regular basis) on any system with nginx installed, you probably have a system that is affected.

Symptoms

One symptom of this user change is that nginx will silently stop writing logs! The reason is that the previous configuration required directory /var/log/nginx to be owned by apache. Check your log directory and see if you have this problem:

-rw-rw-r--. 1 apache root      0 Nov 11 03:24 access.log

Another symptom is that a PHP application running on an nginx/php cache may fail after the update because it can’t access the fastcgi cache. You may see log errors like this one:

230 open() "/var/lib/nginx/tmp/fastcgi/4/05/0000000054" failed (13: Permission denied) while reading upstream,

Only a limited number of web applications use the fastcgi cache; I noticed it with Syspass, but not with Snipe.

Resolution

Change the nginx user from apache to nginx in file /etc/nginx/nginx.conf. Then, change the ownership of log and cache directories from apache to nginx, restart nginx, and test. If you’re using a feature of nginx that I haven’t covered, you may need to make additional changes; if you do, please leave a comment below so that others can learn from your experience.
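
The resolution steps above as a script, added here as an example and not part of the original post. It assumes GNU tools and systemd (as on CentOS 7) and that the cache lives under /var/lib/nginx, as in the error message above; the function names are illustrative.

```bash
#!/bin/sh
# Added example: audit and apply the apache -> nginx ownership change.
# Paths are the ones named in the post; adjust DIRS if your cache lives elsewhere.
CONF=/etc/nginx/nginx.conf
DIRS="/var/log/nginx /var/lib/nginx"

# Print the account named by the active (uncommented) "user" directive.
conf_user() {
    awk '$1 == "user" { sub(/;.*/, "", $2); print $2; exit }' "$1"
}

# Rewrite the "user" directive in place, keeping the old file as <file>.bak.
# Any explicit group is dropped, so nginx uses the group named like the user.
set_conf_user() {
    sed -i.bak -E "s/^([[:space:]]*)user[[:space:]]+[^;]+;/\1user $2;/" "$1"
}

# List "owner path" for every entry under a directory that is NOT owned
# by the wanted account. Empty output means the tree is consistent.
wrong_owner() {
    find "$1" -exec stat -c '%U %n' {} + | awk -v u="$2" '$1 != u'
}

case "${1:-}" in
  audit)   # read-only: show the configured user and any mismatched files
    echo "nginx.conf runs workers as: $(conf_user "$CONF")"
    for d in $DIRS; do wrong_owner "$d" nginx; done
    ;;
  apply)   # needs root; stops at the first failing step
    set -e
    set_conf_user "$CONF" nginx
    # Only touch entries that apache owned; root-owned files stay as they are.
    for d in $DIRS; do chown -R --from=apache nginx "$d"; done
    # Validate the edited config before restarting the service.
    nginx -t && systemctl restart nginx
    ;;
esac
```

Run it with `audit` first; after `apply`, a second `audit` that prints only the configured user means no files under the log or cache directories are left with the old owner.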
