Bad permissions in /var/log/nginx after logs are rotated

Hello,

I’m using daemontools to run nginx [1] and I’m experiencing the
following problem when I send the USR1 signal to rotate the logs with
another script [2]:

The problem is that after sending the USR1 signal to nginx, the logs’
owner becomes ‘nginx’ instead of ‘root’, which is a potential security
breach.

~ # ls -la /var/log/nginx
total 627
drwxr-xr-x 2 root root 1088 Feb 23 04:29 .
drwxr-xr-x 15 root root 1088 Feb 22 01:27 ..
-rw-r--r-- 1 root root 0 Feb 23 04:25 access_log
-rw-r--r-- 1 root root 0 Feb 23 04:25 error_log
-rw-r--r-- 1 root root 19164 Feb 23 04:29 site1.com-access_log
-rw-r--r-- 1 root root 0 Feb 23 04:25 site1.com-error_log
-rw-r--r-- 1 root root 0 Feb 23 04:25 site1.com-ssl_access_log
-rw-r--r-- 1 root root 0 Feb 23 04:25 site1.com-ssl_error_log

~ # nginx-rotate.sh [2]

~ # ls -la /var/log/nginx
total 11
drwxr-xr-x 3 root root 1112 Feb 23 04:29 .
drwxr-xr-x 15 root root 1088 Feb 22 01:27 ..
drwxr-xr-x 2 root root 1088 Feb 23 04:29 old
-rw-r--r-- 1 nginx root 0 Feb 23 04:29 access_log
-rw-r--r-- 1 nginx root 0 Feb 23 04:29 error_log
-rw-r--r-- 1 nginx root 123 Feb 23 04:29 site1.com-access_log
-rw-r--r-- 1 nginx root 0 Feb 23 04:29 site1.com-error_log
-rw-r--r-- 1 nginx root 0 Feb 23 04:29 site1.com-ssl_access_log
-rw-r--r-- 1 nginx root 0 Feb 23 04:29 site1.com-ssl_error_log

If instead of this I restart [3] the nginx process or send the HUP
signal [4], then the log files’ permissions remain correct (owned by
root).

I’m not sure if this is a bug or a known issue but I appreciate any
clarifications.

Thanks.

[1] nginx daemontools startup script:
#! /bin/sh -

exec 2>&1
exec /srv/sbin/nginx -c /srv/etc/nginx/nginx.conf

[2] nginx log rotation script
#! /bin/sh -

cd /var/log/nginx
mkdir -p old
mv *_log old

kill -USR1 `cat /var/run/nginx.pid`

sudo -u user /home/user/awstats.sh
rm /var/log/nginx/old/*access_log

[3]
# Send TERM signal
svc -t /service/nginx

# OR stop and start
svc -d /service/nginx
# ... rotate logs
svc -u /service/nginx

[4]
svc -h /service/nginx

On Tue, Feb 23, 2010 at 07:13:16AM -0300, Juan Fco. Giordana wrote:

> ~ # ls -la /var/log/nginx
> ~ # nginx-rotate.sh [2]
> -rw-r--r-- 1 nginx root 0 Feb 23 04:29 site1.com-ssl_access_log
> -rw-r--r-- 1 nginx root 0 Feb 23 04:29 site1.com-ssl_error_log
>
> If instead of this I restart [3] the nginx process or send the HUP
> signal [4], then the log files’ permissions remain correct (owned by root).
>
> I’m not sure if this is a bug or a known issue but I appreciate any
> clarifications.

This is by design: workers are not restarted on USR1 signal, therefore
master sets file owner so workers are able to open the new log files.
I do not consider this as a potential security breach, since workers
anyway write to these files.


Igor S.
http://sysoev.ru/en/
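
A post-rotation check for the state shown in this thread, as an added example that is not part of either message: it accepts worker-owned log files (the behaviour the reply describes) but flags a log directory that has left the admin account or become group/world-writable, and any log file with a third owner or group/world write bits. The function name, the finding labels and the strict "no group write" policy are assumptions of this sketch; ADMIN and WORKER would be root and nginx on the poster's host.

```shell
#!/bin/sh
# Added example, not from the thread. ADMIN and WORKER are account names or
# numeric uids (assumed: root and nginx on the poster's host).

# audit_nginx_logs DIR ADMIN WORKER
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_nginx_logs() {
    dir=$1; admin=$2; worker=$3

    findings=$(
        # The directory decides who may rename, unlink or replace a log,
        # so it has to stay with the admin account and closed to others.
        find "$dir" -maxdepth 0 ! -user "$admin" -exec echo DIR_OWNER {} \;
        find "$dir" -maxdepth 0 \( -perm -020 -o -perm -002 \) \
            -exec echo DIR_WRITABLE {} \;

        # After USR1 the master hands new logs to the worker account, so
        # worker-owned files are expected. Any third owner is not.
        find "$dir" -maxdepth 1 -type f ! -user "$admin" ! -user "$worker" \
            -exec echo FILE_OWNER {} \;

        # Owner-only write keeps write access limited to the file's owner.
        find "$dir" -maxdepth 1 -type f \( -perm -020 -o -perm -002 \) \
            -exec echo FILE_WRITABLE {} \;
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

Run as `audit_nginx_logs /var/log/nginx root nginx` at the end of the rotation script; a non-zero exit status means at least one finding was printed.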