Changing the Nginx Group

Question

In our dev environment, I'm migrating some of our Apache sites to Nginx. What I'd like to do is ensure that my developers who all belong to the same group (webgroup) have full access to the files (e.g. log files) that are created by the web server user (www-data). The web user created files are typically owned by www-data:www-data so I thought I'd change that user's primary group to match that of the developers (webgroup).

The group change seemed to go through, but newly created files are still owned by www-data:www-data. I don't see a group directive for the nginx conf so I'm wondering whether there's any way to ensure that files created/updated by the nginx user get owned by the right group.

If I'd thought ahead, I suppose I could've made www-data the primary group for all of my users, but I didn't and I'd like to avoid going back and touching all of those users. Remember, this is a dev environment so security isn't hypercritical, but I'd still like to avoid having everyone authenticate as root or something similarly wide open.

UPDATE

I have since tried updating my nginx.conf file as show below, but to no avail. New files are still created as www-data:www-data after both a restart and a force-reload.

user www-data webgroup

I've seen that, @quanta, but if the answer is in there, I guess I'm missing it. — Rob Wilkerson, Aug 22 '12 at 14:06
Or...in the example, `user www users`, maybe the second value (`users`) is the group? I totally missed that. — Rob Wilkerson, Aug 22 '12 at 14:07
Nope, guess not. I may need the remedial version of this lesson... — Rob Wilkerson, Aug 22 '12 at 14:09

score 5 · Accepted Answer · answered Aug 23 '12 at 05:15

5

Simply apply a sticky bit to the folder where you store the log files. nginx is always using the group that was given at compile time for creating the logs. The group directive in the configuration is only applied during runtime.

chown -R www-data:webgroup /var/log/nginx && chmod g+s /var/log/nginx

answered Aug 23 '12 at 05:15

Fleshgrinder

3,798
2
17
20

2

This is not the sticky bit, but the "setgid" bit https://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories – Alex F Jun 26 '17 at 07:56

score 2 · Answer 2 · answered Jan 27 '17 at 21:46

Changing nginx group requires recompiling. Fortunately it's easy as 123. Just follow this simple steps:

Download latest nginx source code:
- wget http://nginx.org/download/nginx-1.11.9.tar.gz
Unpack it
- tar xzvf nginx-1.11.9.tar.gz
Navigate to the source directory
- cd nginx-1.11.9
Get your current nginx configure arguments from nginx -V output:
- nginx -V sample output:
  
  --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --user=www-data --group=www-data
Replace whichever options you need & launch ./configure in the source root
- ./configure --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --user=apache --group=apache
Wait for the command to complete (download external modules as needed). Run
- make && make install

Now you have brand-new nginx with the options you like!

Changing the Nginx Group

2 Answers2