35

I need help figuring out the root cause of this permission denied error. What permissions does nginx need? Why is it so complicated?

Martijn Pieters
user2350858

6 Answers

29

The socket API bind() to a port less than 1024, such as 80 as your title mentioned, needs root access.

Here is "Bind to ports less than 1024 without root access".

And another, easier way is to run nginx as root.

Community
vvy
22

If you use a port bigger than 1024 with root privileges but still get this problem, it may be caused by SELinux:

Check this port, say 8024, in semanage port

sudo semanage port -l | grep http_port_t

If 8024 doesn't exist in the port list, add it into semanage port

sudo semanage port -a -t http_port_t -p tcp 8024

### Update in 2017.12.22

Sometimes your SELinux is disabled; you need to set it to enforcing first. Check the status of SELinux with

$ sestatus

For more steps, read this wonderful article: https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-1-basic-concepts

Belter
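The port check from the answer above, as an added example that is not part of the original answer: grepping for http_port_t also prints lines for types such as pegasus_http_port_t and does not show whether a port falls inside a listed range, so this sketch parses the listing and matches the type name exactly. The listing is a constructed sample, and port_types and check_port are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample in the column layout printed by `semanage port -l`.
# On a real host, pipe `sudo semanage port -l` into port_types instead.
sample_listing() {
cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
EOF
}

# port_types PROTO PORT (hypothetical helper): reads a listing on stdin and
# prints every SELinux port type whose entry covers PORT, expanding ranges.
port_types() {
    awk -v proto="$1" -v port="$2" '
        BEGIN { p = port + 0 }
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)              # drop the list separator
                n = split(item, r, "-")          # "10001-10010" -> lo, hi
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (p >= lo && p <= hi) { print $1; break }
            }
        }'
}

# check_port PORT (hypothetical helper): exact-match test for http_port_t.
check_port() {
    types=$(sample_listing | port_types tcp "$1")
    if printf '%s\n' "$types" | grep -qx 'http_port_t'; then
        echo "$1: labelled http_port_t"
    elif [ -z "$types" ]; then
        echo "$1: no label; add with: sudo semanage port -a -t http_port_t -p tcp $1"
    else
        echo "$1: labelled $types, not http_port_t"
    fi
}

check_port 443     # in the http_port_t list
check_port 8024    # absent from the sample listing
check_port 5988    # pegasus_http_port_t only; a plain grep would still show it
```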
2

If you see this message after running "nginx -t", you don't have permission; run it as root: "sudo nginx -t"

Koudi
2

nginx needs root access. Just use

sudo nginx

next step along with your password

Jakpren
  • 3
    I am genuinely curious if it is safe to sudo nginx or not. – Sal Alturaigi Jul 26 '18 at 05:51
  • 1
    I don't know whether it's safe or not. But, the non-root users should need sudo privileges to start nginx. You can refer to the link below to learn how to secure nginx. https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-on-ubuntu-14-04 – Jakpren Aug 20 '18 at 09:55
  • No, nginx does not need root access, but *anything* that wants to use ports between 0-1024 needs root access, and his nginx was configured to listen on port 80. Anything that tries to listen on port 80 needs root access. Reconfigure nginx to listen on port 1025 instead, and no root access is needed. – hanshenrik Jul 06 '20 at 16:37
  • This may be dangerous. If NginX gets compromised by a security issue, an attacker may gain superuser access immediately. – X X Jan 30 '23 at 08:17
0

The best solution would be:

1) Add the user to sudoers (my user is prod)

usermod -aG sudo prod

2) Inside circus (process manager), append sudo before the nginx executable; mine looks like this:

[watcher:nginx]
cmd = sudo /usr/sbin/nginx
args = -c /home/t/Projects/x_b_11/etc/nginx.conf -p /home/t/Projects/x_b_11

3) And finally, add this line to the file /etc/sudoers (my user is prod). This line avoids the error (sudo: no tty present and no askpass program specified). You probably need to restart the session (reboot). Enjoy.

prod ALL = NOPASSWD: /usr/sbin/nginx
Taras Vaskiv
0

Ubuntu uses AppArmor and not SELinux. The responses pointing to SELinux may not be that relevant to the OP.

For the others that Googled this: I also encountered this issue on a SELinux-enabled CentOS 7 machine. nginx would not bind port 80 and gave me error 13: permission denied despite having already run setcap 'CAP_NET_BIND_SERVICE=+ep' /usr/sbin/nginx to allow the service to bind the port with a non-root user.

Temporarily setting SELinux to Permissive (sudo setenforce Permissive) allowed nginx to start. I then ran audit2allow -a which gave me

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t ntop_port_t:tcp_socket name_connect;

Which meant the solution was to also run:

sudo setsebool -P httpd_can_network_connect on

After which you can set SELinux back to Enforcing (sudo setenforce Enforcing) and restart everything to verify.

ZCapper