
In /var/log/nginx/ I have access and error logs. Some are .log files and others are .gz.

I think I messed up with the permissions. Some files are created by root/root, other files are created using the user configured in nginx.conf, etc.

  • What user/group should create those files? And why? Can it be root? I can see that now new .log files are being created by root, but not sure if it is the right way.
  • And also I'd like to ask where to change which user creates those files?
Pikk

2 Answers


On the files located in /var/log/nginx/ the rules have changed over time (at least in my experience). Yet without more data I'm not comfortable giving a definitive suggestion. But I'll try.

NGINX itself runs as "root". NGINX processes run as the user specified in /etc/nginx/nginx.conf, which is usually "www-data" (hang on, keep reading).

You can use this command to determine how your NGINX is running:

ps -eo "%U %G %a" | grep nginx

Your output should look something like this:

root     root     nginx: master process /usr/sbin/nginx -g daemon on; master_process on;

www-data www-data nginx: worker process

What you did not say is WHY you are asking this question. Hypothetically, let's just say you are running OSSEC with an ELK stack. And if you are on Ubuntu 16.04, then your second issue is what processes can READ the files as well as write. If you are using logrotate then you would need to edit the logrotate files as well as change permissions on the log folder.

Step 1 - in logrotate update the nginx file:

nano /etc/logrotate.d/nginx

In that file, on recent versions of nginx and Ubuntu, I have found that changing the ownership line as follows will allow it to work. This is in the file in /etc/logrotate/nginx, which sets the file permissions when the file is rotated.

create 0640 nginx nginx

or alternatively:

create 0640 www-data www-data

Although in practice nginx:nginx has worked more consistently and is a balance between giving the nginx web process permissions to the log files vs setting them to root.

To continue, for your legacy log files (e.g. to be read by logstash) you may want to reset permissions (assuming default file locations which I realize most of us don't actually use.)

chown nginx:nginx /var/log/nginx/*

or (again) alternatively

chown www-data:www-data /var/log/nginx/*

Hopefully this helps. I have found data on the proper permissions for nginx to be confusing at best when it comes to logging, which I attribute to the evolution of their AMAZING software. And I welcome others who know more to provide feedback on my reply.

eschipul
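As an added illustration (not code from either answer), a small POSIX shell audit that reads the create line from the logrotate file and reports every file in the log directory whose mode or owner:group does not match it; the config and directory paths are arguments, and GNU stat -c is assumed.

```shell
#!/bin/sh
# Added example: check that the files under a log directory carry the mode,
# owner and group that the logrotate "create" directive will give rotated
# files, so that freshly created and rotated logs end up consistent.
# Assumptions: GNU coreutils stat(1); config and log directory are arguments.

# logrotate_create_spec CONFIG
# Prints "MODE OWNER GROUP" from the first "create" line in CONFIG
# (e.g. "0640 nginx nginx"); prints nothing if there is no such line.
logrotate_create_spec() {
    awk '$1 == "create" && NF >= 4 { print $2, $3, $4; exit }' "$1"
}

# audit_log_ownership LOGDIR MODE OWNER GROUP
# Prints one MISMATCH line per regular file in LOGDIR whose octal mode or
# owner:group differs from what the create directive specifies.
audit_log_ownership() {
    dir=$1 want_mode=${2#0} want_owner=$3 want_group=$4
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        have=$(stat -c '%a %U:%G' "$f")      # e.g. "640 root:root"
        if [ "$have" != "$want_mode $want_owner:$want_group" ]; then
            printf 'MISMATCH %s is %s, expected %s %s:%s\n' \
                "$f" "$have" "$want_mode" "$want_owner" "$want_group"
        fi
    done
}

# Usage: sh audit-nginx-logs.sh /etc/logrotate.d/nginx /var/log/nginx
if [ "$#" -eq 2 ]; then
    spec=$(logrotate_create_spec "$1")
    [ -n "$spec" ] || { echo "no create directive found in $1" >&2; exit 1; }
    set -- "$2" $spec        # positional parameters become LOGDIR MODE OWNER GROUP
    audit_log_ownership "$1" "$2" "$3" "$4"
fi
```

Files the audit flags are the ones to fix with chown/chmod (or by aligning the create line with the user in nginx.conf).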

As far as I can understand, with the information provided:

  1. Your server's log files are being managed by the logrotate daemon (see it as an archive engine for logs).

  2. This explains why you see some files in .tar.gz format.

  3. I bet those files are the ones owned by root (check here for more information: http://linuxcommand.org/man_pages/logrotate8.html). This depends on the user specified for the log rotation process.

  4. The other files are owned by nginx, which has rw rights on them.

If this is the case, then everything is fine.

  • Actually I can see that the .gz files are owned by nginx (with another username which I set in the nginx.conf), but the new .log files that are being created are root/root. Do you think there is something wrong somewhere? – Pikk May 27 '15 at 14:36