Nginx: Permission denied for nginx on Ubuntu

ubuntu nginx debian vagrant puppet

156,741

Solution 1

Make sure you are running the test as a superuser.

sudo nginx -t

Or the test wont have all the permissions needed to complete the test properly.

Solution 2

I faced similar issue while restarting Nginx and found it to be a cause of SeLinux. Be sure to give a try after either disabling SeLinux or temporarily setting it to Permissive mode using below command:

setenforce 0

I hope it helps :)

Solution 3

If i assume that your second code is the puppet config then i have a logical explaination, if the error and log files were create before, you can try this

sudo chown -R www-data:www-data /var/log/nginx;
sudo chmod -R 755 /var/log/nginx;

Solution 4

just because you don't have the right to acess the file , use

chmod -R 755 /var/log/nginx;

or you can change to sudo then it

Solution 5

if you don't want to start nginx as root.

first creat log file :

sudo touch /var/log/nginx/error.log

and then fix permissions:

sudo chown -R www-data:www-data /var/log/nginx

sudo find /var/log/nginx -type f -exec chmod 666 {} \;

sudo find /var/log/nginx -type d -exec chmod 755 {} \;

View more solutions

156,741

Author by

krn

Updated on July 05, 2022

Comments

krn almost 2 years
I am new to system administration. After installing nginx via puppet on Ubuntu I get the following output:
```
[alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)

[warn] 1898#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1

[emerg] 1898#0: open() "/var/log/nginx/access.log" failed (13: Permission denied)
```
How do I get rid of all of these messages?

I don't want to use command line directly (chown / chmod) and repeat it every time I create a new server. Therefore, I am thinking of what has to be added to the puppet manifest.

What is the best sysadmin practice in this case: to change owner / permissions for /var/log/nginx or to store logs in different location? If chown / chmod is the way to go, which specific permissions would ensure the highest level of security?

I tried this, but it didn't help:
```
  file { '/var/log/nginx':
    ensure  => directory,
    mode    => '0755',
    owner   => 'www-data',
    group   => 'www-data',
    recurse => true
  }
```
Edited:
```
vagrant@precise64:~$ ps aux | grep [n]ginx
root      1001  0.0  0.1  62908  1388 ?        Ss   08:47   0:00 nginx: master process /usr/sbin/nginx
www-data  1002  0.0  0.1  63260  1696 ?        S    08:47   0:00 nginx: worker process
www-data  1003  0.0  0.1  63260  1696 ?        S    08:47   0:00 nginx: worker process
www-data  1004  0.0  0.1  63260  1696 ?        S    08:47   0:00 nginx: worker process
www-data  1005  0.0  0.1  63260  1696 ?        S    08:47   0:00 nginx: worker process
```
- Terry Wang over 10 years
  
  Are you sure the puppet code was applied (using vagrant provision for example)? Is /etc/nginx/nginx.conf using www-data or nginx to run nginx non-master processes?
- Akhil S over 3 years
  
  check already running ports once, if nginx ports 443 or 80 if incase they are used by other process, it may cause the similar error. use command sudo netstat -tulpn to check whether the ports 80 or 443 is used by other process.
Farray almost 9 years

Disabling selinux defeats the purpose of selinux. Yes, it's a quick ends to a means -- but it's not necessarily the correct ends to the means. Better to learn the correct way to work with selinux.
Ed Chapel over 8 years

What, if any, are the downsides to this approach?
emix over 7 years

You don't want your logs to be readable to anyone except the root.
mohnstrudel over 7 years

I couldn't get sudo service nginx restart to work, got this output: service nginx restart Failed to restart nginx.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files, but sudo /etc/init.d/nginx restart worked like a charm for me.
Daniel Patrick over 7 years

But do I want to be running nginx as root?
Synchro almost 7 years

Potential security problem with that chmod - it also sets all log files as executable. Do this instead: sudo chmod -R u+X /var/log/nginx
jochem almost 7 years

setenforce 0 for selinux backed-in distros (Redhat, Centos, Fedore, ...) is indeed a very valid answer if you are 100% sure that you set the permissions correct on the directory.
RenRen over 5 years

adm: Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group.
scavenger over 4 years

i would never do that for it's a security flaw. same rule for apache: logs must be owned by root not the working user
Michael Freidgeim over 3 years

Similar answer in How do I configure nginx to put its error.log file somewhere I have write privileges?
KeitelDOG over 3 years

You saved me hours. I should have thought about it.
dylzee about 3 years

doh! and here I was overcomplicating it. Thanks man!
noonex over 2 years

selinux is a god for production and an evil for development.
user764754 over 2 years

Does this mean the 3 alerts/warnings meantioned by OP can simply be ignored as long as sudo nginx -t works fine and the nginx master process has sudo privileges?
miken32 over 2 years

It's a very valid answer if you 100% don't care about security...