Nginx doesn’t have permission to access files with the same ownership

Tags: arch-linux, chmod, file-permissions, http-status-code-403, nginx

I've just installed nginx on an Arch Linux box and encountered this problem:

Nginx is configured to run as "nginx", a new user/group that I added, in /etc/nginx/nginx.conf:

    user nginx nginx;

To double-check:

    $ ps aux | grep nginx
    nginx     9678  0.0  0.5  28472  2856 ?        S    17:37   0:00 nginx: worker process
    nginx     9679  0.0  0.5  28472  2856 ?        S    17:37   0:00 nginx: worker process
    root     31912  0.0  0.6  28084  3364 ?        Ss   17:24   0:00 nginx: master process /usr/bin/nginx -g pid /run/nginx.pid; error_log stderr;

The root of the server is at:

    location / {
        root   /home/lamnk/sites/host.com;
        index  index.html index.htm;
    }

and the owner of the file is set to nginx too:

    $ ls -la /home/lamnk/sites/host.com
    total 12
    drwxr-xr-x 2 lamnk http  4096 Jan 12 09:37 .
    drwxr-xr-x 3 lamnk users 4096 Jan 12 09:36 ..
    -rw-r--r-- 1 nginx nginx   21 Jan 12 09:37 index.html

When I go to host.com, I get a 403 Forbidden error. In the error.log:

    2016/01/12 17:28:23 [error] 31914#0: *2 open() "/home/lamnk/sites/host.com/index.html" failed (13: Permission denied), client: 171.233.242.40, server: host.com, request: "GET /index.html HTTP/1.1", host: "host.com"

But when I change nginx to run as my own username lamnk, then nginx can return the content correctly, without any other changes in file permissions. What gives??

EDIT: the permissions on parent directories:

    $ namei -l /home/lamnk/sites/host.com
    f: /home/lamnk/sites/host.com
    drwxr-xr-x root  root  /
    drwxr-xr-x root  root  home
    drwx------ lamnk users lamnk
    drwxr-xr-x lamnk users sites
    drwxr-xr-x lamnk http  host.com

Best Answer

The nginx user is not able to traverse the filesystem to reach the folder where you have placed your site. A user must have the execute (+x) permission on a folder in order to be able to traverse it. From your permission information, drwx------ lamnk users lamnk shows that only the directory's owner has the right to read, write, and execute on the folder. Therefore, nginx cannot access that folder or any subfolders thereof unless it is run as that user.

You should grant execute rights on /home/lamnk with chmod og+x /home/lamnk so that users other than yourself are allowed to traverse the folder. Without read rights, they still cannot list or read the contents of that folder, and without write rights they cannot make any changes to the contents; so there is no security risk to this, and it is necessary if you want to have subfolders of your home directory which are visible to other users, such as the nginx user. The mask you're looking to see on that folder would be drwx--x--x.
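The traversal rule described in the answer can be checked mechanically. The following is an added example, not part of the original question or answer: it walks each path component the way namei -l lists them and reports the first one a given uid cannot pass. The function names, the stand-in uid and the temporary directory tree are constructed for illustration, and only classic mode bits are evaluated.

```python
import os
import stat
import tempfile

def perm_class(st, uid, gids):
    # The kernel applies exactly one triplet: owner, else group, else other.
    if st.st_uid == uid:
        return "owner", (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return "group", (st.st_mode >> 3) & 7
    return "other", st.st_mode & 7

def first_blocked(target, uid, gids, base="/"):
    """Return (path, reason) for the first component below `base` that the
    given uid/gids cannot pass, or None if the whole chain is reachable.
    Mode bits only: ACLs, root/capabilities and SELinux/AppArmor are ignored."""
    base = os.path.abspath(base)
    rel = os.path.relpath(os.path.abspath(target), base)
    path = base
    for part in rel.split(os.sep):
        path = os.path.join(path, part)
        st = os.stat(path)
        cls, bits = perm_class(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if not bits & 1:      # x on a directory = permission to traverse
                return path, f"{cls} class lacks x (traverse)"
        elif not bits & 4:        # r on the file itself
            return path, f"{cls} class lacks r (read)"
    return None

def build_demo_tree(root):
    # Constructed layout mirroring the namei output in the question.
    site = os.path.join(root, "home", "lamnk", "sites", "host.com")
    os.makedirs(site)
    index = os.path.join(site, "index.html")
    with open(index, "w") as f:
        f.write("hello\n")
    for rel, mode in (("home", 0o755), ("home/lamnk", 0o700),
                      ("home/lamnk/sites", 0o755),
                      ("home/lamnk/sites/host.com", 0o755)):
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(index, 0o644)
    return index

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        index = build_demo_tree(root)
        web_uid = os.stat(index).st_uid + 1  # stand-in for the nginx uid
        print(first_blocked(index, web_uid, set(), base=root))
        os.chmod(os.path.join(root, "home", "lamnk"), 0o711)  # chmod og+x
        print(first_blocked(index, web_uid, set(), base=root))
```

On a real host, call first_blocked with the web server's uid and group ids (for example from pwd.getpwnam) and the default base of "/".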
