Nginx: Permission denied for nginx on Ubuntu
Solution 1
Make sure you are running the test as a superuser.
sudo nginx -t
Or the test won't have all the permissions needed to complete the test properly.
Solution 2
I faced a similar issue while restarting Nginx and found it to be caused by SELinux. Be sure to give it a try after either disabling SELinux or temporarily setting it to Permissive mode using the command below:
setenforce 0
I hope it helps :)
Solution 3
If I assume that your second code is the Puppet config, then I have a logical explanation: if the error and log files were created before, you can try this:
sudo chown -R www-data:www-data /var/log/nginx;
sudo chmod -R 755 /var/log/nginx;
Solution 4
Just because you don't have the right to access the file, use
chmod -R 755 /var/log/nginx;
or you can change to sudo then it
Solution 5
If you don't want to start nginx as root,
first create the log file:
sudo touch /var/log/nginx/error.log
and then fix permissions:
sudo chown -R www-data:www-data /var/log/nginx
sudo find /var/log/nginx -type f -exec chmod 666 {} \;
sudo find /var/log/nginx -type d -exec chmod 755 {} \;
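An added example, not part of any answer on this page: a shell check that reports the permission states the chmod commands in Solutions 3 to 5 can leave behind in a log directory (execute bits on log files from a recursive 755, world-writable files from 666, logs readable by every local user). The function name audit_log_dir and its output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a log directory for the permission problems discussed
# on this page. audit_log_dir is a hypothetical helper, not an nginx tool.
#
# Prints one finding per line as "<issue> <path>".
# Returns 0 when clean, 1 when findings exist, 2 when the path is not a directory.
audit_log_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not-a-directory $dir"
        return 2
    fi

    findings=$(
        # Log files never need an execute bit; "chmod -R 755" sets it on all of them.
        find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
            sed 's/^/executable /'
        # Mode 666 lets any local account rewrite or truncate the logs.
        find "$dir" -type f -perm -002 -print | sed 's/^/world-writable /'
        # Logs readable by "other" expose client addresses and request URLs.
        find "$dir" -type f -perm -004 -print | sed 's/^/world-readable /'
        # A world-writable directory lets anyone delete or replace log files.
        find "$dir" -type d -perm -002 -print | sed 's/^/world-writable-dir /'
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

Call it as `audit_log_dir /var/log/nginx` after applying a manifest or a chmod; it only reads mode bits and changes nothing.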
krn
Updated on July 05, 2022
Comments
-
krn almost 2 years
I am new to system administration. After installing nginx via puppet on Ubuntu I get the following output:
[alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
[warn] 1898#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
[emerg] 1898#0: open() "/var/log/nginx/access.log" failed (13: Permission denied)
How do I get rid of all of these messages?
I don't want to use command line directly (chown / chmod) and repeat it every time I create a new server. Therefore, I am thinking of what has to be added to the puppet manifest.
What is the best sysadmin practice in this case: to change owner / permissions for /var/log/nginx or to store logs in different location? If chown / chmod is the way to go, which specific permissions would ensure the highest level of security?
I tried this, but it didn't help:
file { '/var/log/nginx':
  ensure  => directory,
  mode    => '0755',
  owner   => 'www-data',
  group   => 'www-data',
  recurse => true
}
Edited:
vagrant@precise64:~$ ps aux | grep [n]ginx
root      1001  0.0  0.1  62908  1388 ?  Ss  08:47  0:00 nginx: master process /usr/sbin/nginx
www-data  1002  0.0  0.1  63260  1696 ?  S   08:47  0:00 nginx: worker process
www-data  1003  0.0  0.1  63260  1696 ?  S   08:47  0:00 nginx: worker process
www-data  1004  0.0  0.1  63260  1696 ?  S   08:47  0:00 nginx: worker process
www-data  1005  0.0  0.1  63260  1696 ?  S   08:47  0:00 nginx: worker process
-
Terry Wang over 10 years
Are you sure the puppet code was applied (using vagrant provision for example)? Is /etc/nginx/nginx.conf using www-data or nginx to run nginx non-master processes?
-
Akhil S over 3 years
Check already running ports once; if nginx ports 443 or 80 are used by another process, it may cause a similar error. Use the command sudo netstat -tulpn to check whether ports 80 or 443 are used by another process.
-
-
Farray almost 9 years
Disabling selinux defeats the purpose of selinux. Yes, it's a quick ends to a means -- but it's not necessarily the correct ends to the means. Better to learn the correct way to work with selinux.
-
Ed Chapel over 8 years
What, if any, are the downsides to this approach?
-
emix over 7 years
You don't want your logs to be readable to anyone except the root.
-
mohnstrudel over 7 years
I couldn't get sudo service nginx restart to work, got this output:
service nginx restart Failed to restart nginx.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files
but sudo /etc/init.d/nginx restart worked like a charm for me.
-
Daniel Patrick over 7 years
But do I want to be running nginx as root?
-
Synchro almost 7 years
Potential security problem with that chmod - it also sets all log files as executable. Do this instead: sudo chmod -R u+X /var/log/nginx
-
jochem almost 7 years
setenforce 0 for selinux baked-in distros (Red Hat, CentOS, Fedora, ...) is indeed a very valid answer if you are 100% sure that you set the permissions correctly on the directory.
-
RenRen over 5 years
adm: Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group.
-
scavenger over 4 years
I would never do that, for it's a security flaw. Same rule for Apache: logs must be owned by root, not the working user.
-
Michael Freidgeim over 3 years
-
KeitelDOG over 3 years
You saved me hours. I should have thought about it.
-
dylzee about 3 years
Doh! And here I was overcomplicating it. Thanks man!
-
noonex over 2 years
selinux is a god for production and an evil for development.
-
user764754 over 2 years
Does this mean the 3 alerts/warnings mentioned by OP can simply be ignored as long as sudo nginx -t works fine and the nginx master process has sudo privileges?
-
miken32 over 2 years
It's a very valid answer if you 100% don't care about security...