89

I am new to system administration. After installing nginx via puppet on Ubuntu I get the following output:

[alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)

[warn] 1898#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1

[emerg] 1898#0: open() "/var/log/nginx/access.log" failed (13: Permission denied)

How do I get rid of all of these messages?

I don't want to use command line directly (chown / chmod) and repeat it every time I create a new server. Therefore, I am thinking of what has to be added to the puppet manifest.

What is the best sysadmin practice in this case: to change owner / permissions for /var/log/nginx or to store logs in different location? If chown / chmod is the way to go, which specific permissions would ensure the highest level of security?

I tried this, but it didn't help:

  file { '/var/log/nginx':
    ensure  => directory,
    mode    => '0755',
    owner   => 'www-data',
    group   => 'www-data',
    recurse => true
  }

Edited:

vagrant@precise64:~$ ps aux | grep [n]ginx
root      1001  0.0  0.1  62908  1388 ?        Ss   08:47   0:00 nginx: master process /usr/sbin/nginx
www-data  1002  0.0  0.1  63260  1696 ?        S    08:47   0:00 nginx: worker process
www-data  1003  0.0  0.1  63260  1696 ?        S    08:47   0:00 nginx: worker process
www-data  1004  0.0  0.1  63260  1696 ?        S    08:47   0:00 nginx: worker process
www-data  1005  0.0  0.1  63260  1696 ?        S    08:47   0:00 nginx: worker process
Promise Preston
krn
  • Are you sure the puppet code was applied (using `vagrant provision` for example)? Is `/etc/nginx/nginx.conf` using `www-data` or `nginx` to run nginx non-master processes? – Terry Wang Sep 10 '13 at 23:12
  • Check the ports already in use once: if nginx ports `443` or `80` are used by another process, it may cause a similar error. Use the command `sudo netstat -tulpn` to check whether port 80 or 443 is used by another process. – Akhil S Jan 28 '21 at 08:01

12 Answers

245

Make sure you are running the test as a superuser.

sudo nginx -t

Or the test won't have all the permissions needed to complete the test properly.

Carlsson
  • Does this mean the 3 alerts/warnings mentioned by OP can simply be ignored as long as `sudo nginx -t` works fine and the nginx master process has sudo privileges? – user764754 Nov 28 '21 at 10:46
46

I faced a similar issue while restarting Nginx and found it to be caused by SELinux. Be sure to give it a try after either disabling SELinux or temporarily setting it to Permissive mode using the command below:

setenforce 0

I hope it helps :)

Chirag Jain
  • `setenforce 0` for selinux baked-in distros (Red Hat, CentOS, Fedora, ...) is indeed a very valid answer if you are 100% sure that you set the permissions correctly on the directory. – jochem Jun 30 '17 at 12:49
  • It's a very valid answer if you 100% don't care about security... – miken32 Jan 20 '22 at 18:44
40

If I assume that your second code is the puppet config, then I have a logical explanation: if the error and log files were created before, you can try this

sudo chown -R www-data:www-data /var/log/nginx;
sudo chmod -R 755 /var/log/nginx;
Mohammad AbuShady
  • 7
    Potential security problem with that `chmod` - it also sets all log files as executable. Do this instead: `sudo chmod -R u+X /var/log/nginx` – Synchro Jun 15 '17 at 22:44
  • 4
    I would never do that, for it's a security flaw. Same rule for apache: logs must be owned by root, not the working user – scavenger Jan 21 '20 at 20:24
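
The comments above are about mode bits: a recursive `chmod 755` marks log files executable, and the 666 and 777 modes suggested elsewhere in this thread make them world-writable. The following added example (not part of any post on this page) audits a log directory for both conditions and resets directory and file modes separately; the function names, the constructed sample tree and the 640 file mode are assumptions of the example, and ownership is left untouched.

```shell
#!/bin/sh
# Added example, not from any post on this page. Mode bits only; no chown.

# Regular files with any execute bit set, e.g. after `chmod -R 755`.
executable_logs() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sort
}

# Files or directories writable by "other", e.g. after chmod 666 or 777.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 | sort
}

# Number of distinct paths flagged by either check (0 means clean).
count_findings() {
    { executable_logs "$1"; world_writable "$1"; } | sort -u | wc -l | tr -d ' '
}

# Set directories and files separately so log files never gain x bits.
# The default file mode 640 is this example's assumption; pass 644 as $2
# if other local users must be able to read the logs.
fix_log_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod "${2:-640}" {} +
}

# Constructed sample tree reproducing the modes suggested in the thread.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/old"
    touch "$d/access.log" "$d/error.log" "$d/old/access.log.1"
    chmod 755 "$d/access.log"        # as left by `chmod -R 755`
    chmod 666 "$d/error.log"         # as left by `find ... chmod 666`
    chmod 644 "$d/old/access.log.1"  # already fine
    chmod 755 "$d" "$d/old"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /var/log/nginx   (prints flagged paths, changes nothing)
if [ -n "${1:-}" ]; then
    executable_logs "$1"
    world_writable "$1"
fi
```

Run with a directory argument it only reports; `fix_log_modes` has to be called explicitly and needs write access to the tree.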
10

Just because you don't have the right to access the file, use

chmod -R 755 /var/log/nginx;

or you can change to sudo then it

Wang Kevin
9

If you don't want to start nginx as root,

first create the log file:

sudo touch /var/log/nginx/error.log

and then fix permissions:

sudo chown -R www-data:www-data /var/log/nginx

sudo find /var/log/nginx -type f -exec chmod 666 {} \;

sudo find /var/log/nginx -type d -exec chmod 755 {} \;

Amin.Qarabaqi
5

Permission to view log files is granted to users being in the group adm.

To add a user to this group on the command line issue:

sudo usermod -aG adm <USER>
Stéphane
  • 2
    What, if any, are the downsides to this approach? – Ed Chapel Feb 14 '16 at 13:39
  • 1
    adm: Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group. – RenRen Aug 31 '18 at 07:14
2

On Debian WSL (Windows Subsystem for Linux) I had to use:

sudo chmod -R 775 /var/log/nginx
GarethAS
1

For me, I just changed the selinux from enforcing to permissive and then I was able to start nginx without any error.

vipin kumar
  • Disabling selinux defeats the purpose of selinux. Yes, it's a quick ends to a means -- but it's not necessarily the correct ends to the means. Better to learn the correct way to work with selinux. – Farray May 23 '15 at 04:19
  • selinux is a god for production and an evil for development. – noonex Oct 21 '21 at 03:42
0

Found a good description of what to do.

    # support running as arbitrary user which belongs to the root group
    RUN chmod g+rwx /var/cache/nginx /var/run /var/log/nginx
    # users are not allowed to listen on privileged ports
    RUN sed -i.bak 's/listen\(.*\)80;/listen 8081;/' /etc/nginx/conf.d/default.conf
    EXPOSE 8081
    # comment user directive as master process is run as user in OpenShift anyhow
    RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf

Fixing all the issues with running NGINX without root.

dominic
-1

I just patch the nginx binary, replacing the path /var/log/nginx/error.log and others with local paths.

$ perl -pi \
    -e 's@/var/log/nginx/@_var_log_nginx/@g;' \
    -e 's@/var/lib/nginx/@_var_lib_nginx/@g;' \
    -e 's@/var/run/nginx.pid@_var_run/nginx.pid@g;' \
    -e 's@/run/nginx.pid@_run/nginx.pid@g;' \
    < /usr/sbin/nginx > nginx
$ chmod +x nginx
$ mkdir _var_log_nginx _var_lib_nginx _var_run _run
$ ./nginx -p . -c nginx.conf

It works for testing.

starius
-4

This works for me,

sudo chmod -R 777 /var/log/nginx
Sushil
-5

Nginx needs to be run by the command 'sudo /etc/init.d/nginx start'

Sky
QArea
  • I couldn't get sudo service nginx restart to work, got this output: `service nginx restart Failed to restart nginx.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files`, but `sudo /etc/init.d/nginx restart` worked like a charm for me. – mohnstrudel Jan 25 '17 at 17:59