At least these params of `unitd` should be able to change in conf.d/:

  --user USER          set non-privileged processes to run as specified user
                       default: "nobody"
  --group GROUP        set non-privileged processes to run as specified group
                       default: user's primary group

(Without these settings, it is impossible to set up basic file sharing functions. For example, as indicated in the hello world example in the quick start documentation. To distribute static files, you need to allow a privileged user access to files. And this is impossible to do because currently in gentoo this is the "nobody" user. The user "nobody" literally means -- set it up.)

And preferably these, since you have already started work :)

  --control ADDRESS    set address of control API socket
                       default: "unix:/run/nginx-unit.sock"
  --pid FILE           set pid filename
                       default: "/run/nginx-unit.pid"
  --log FILE           set log filename
                       default: "/var/log/nginx-unit"
  --modules DIRECTORY  set modules directory name
                       default: "/usr/lib64/nginx-unit"
  --state DIRECTORY    set state directory name
                       default: "/var/lib/nginx-unit"
  --tmp DIRECTORY      set tmp directory name
                       default: "/usr/tmp"

ref: show "Unit's Process Summary" at https://unit.nginx.org/howto/security/#sec-processes

Reproducible: Always
I noticed that the default unprivileged user when compiling is `nobody`, but the table "Unit's Process Summary" at https://unit.nginx.org/howto/security/#sec-processes says that this is a user `unit`. In distributed packages it is also `unit`, but in community repositories it is mostly `nobody` (https://unit.nginx.org/installation/#community-repositories).

I think gentoo should create a user and group "unit" for this package and compile (configure) by default with that user.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a36e085bbf2fb23ff5ef6a70449edd9d135d2d1e

commit a36e085bbf2fb23ff5ef6a70449edd9d135d2d1e
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-02-27 23:53:36 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-02-27 23:53:36 +0000

    www-servers/nginx-unit: Support nginx-unit user and group

    Bug: https://bugs.gentoo.org/894778
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 www-servers/nginx-unit/files/nginx-unit.initd-r1   | 16 ++++
 www-servers/nginx-unit/nginx-unit-1.29.0-r1.ebuild | 98 ++++++++++++++++++++++
 2 files changed, 114 insertions(+)
I've added a version for testing into portage. If you can unmask and test, that would be appreciated.

=www-servers/nginx-1.29.0-r1
1. Compiled with user and group nginx-unit == done!

2. Need to pass the user and group variables as parameters to the launch == not done!
   Add command_args="--user ${user} --group ${group}"
   Now we have configured the correct default users/group, but we need the ability to change them.

3. Need to pass all other options from `unitd --help` == not done!
   Add all as variables from conf.d (NGX_CONTROL, NGX_LOG, NGX_MODULES, NGX_TMPDIR, NGX_STATEDIR and etc.) or one for all as string by command_args
(In reply to Vladimir Varlamov from comment #4)
> 1. Compiled with user and group nginx-unit == done!
>
> 2. Need to pass the user and group variables as parameters to the launch ==
> not done!
> Add command_args="--user ${user} --group ${group}"
> Now we have configured the correct default users/group, but we need the
> ability to change them.
>
> 3. Need to pass all other options from `unitd --help` == not done!
> Add all as variables from conf.d (NGX_CONTROL, NGX_LOG, NGX_MODULES,
> NGX_TMPDIR, NGX_STATEDIR and etc.) or one for all as string by command_args

Is number 2 really needed? I see the same ownership with or without it.

  root     15808     1  0 12:53 ?        00:00:00 unit: main v1.29.0 [/usr/sbin/unitd]
  nginx-u+ 15810 15808  0 12:53 ?        00:00:00 unit: controller
  nginx-u+ 15812 15808  0 12:53 ?        00:00:00 unit: router

Upstream has informed me that the main process will always be run as root.
Run `unitd --help`. All options were invented for a reason and should be able to be configured.

If we are now talking in terms of the least amount of work for you, then you can end this problem by adding `command_args` to runscript. I won't bother you anymore :)

But keep in mind that what you do not do now will sooner or later hang over you in subsequent gentoo bugs from other users.
(In reply to Vladimir Varlamov from comment #6)
> Run `unitd --help`. All options were invented for a reason and should be
> able to be configured.
>
> If we are now talking in terms of the least amount of work for you, then you
> can end this problem by adding `command_args` to runscript. I won't bother
> you anymore :)
>
> But keep in mind that what you do not do now will sooner or later hang over
> you in subsequent gentoo bugs from other users.

Ok, please don't interpret what I am asking with any emotion.

We are hammering out the best solution and this type of collaboration is critical to that. Proper solution. Not "least work" solution.

Anyways, my statement still stands. The user and group are supported and appear to be handled properly without command_args.

Not using command args:

  root     15808     1  0 12:53 ?        00:00:00 unit: main v1.29.0 [/usr/sbin/unitd]
  nginx-u+ 15810 15808  0 12:53 ?        00:00:00 unit: controller
  nginx-u+ 15812 15808  0 12:53 ?        00:00:00 unit: router
  root     15845 10323  0 12:56 pts/0    00:00:00 grep --colour=auto uni

Running Manually:

  /usr/sbin/unitd --user mike --group users --no-daemon
  root     16071 10323  0 13:01 pts/0    00:00:00 unit: main v1.29.0 [/usr/sbin/unitd --user mike --group users --no-daemon]
  mike     16073 16071  0 13:01 pts/0    00:00:00 unit: controller
  mike     16074 16071  0 13:01 pts/0    00:00:00 unit: router
(In reply to Mike Pagano from comment #7)
> (In reply to Vladimir Varlamov from comment #6)
> > Run `unitd --help`. All options were invented for a reason and should be
> > able to be configured.
> >
> > If we are now talking in terms of the least amount of work for you, then you
> > can end this problem by adding `command_args` to runscript. I won't bother
> > you anymore :)
> >
> > But keep in mind that what you do not do now will sooner or later hang over
> > you in subsequent gentoo bugs from other users.
>
> Ok, please don't interpret what I am asking with any emotion.
>
> We are hammering out the best solution and this type of collaboration is
> critical to that. Proper solution. Not "least work" solution.
>
> Anyways, my statement still stands. The user and group are supported and
> appear to be handled properly without command_args.
>
> Not using command args:
> root 15808 1 0 12:53 ? 00:00:00 unit: main v1.29.0
> [/usr/sbin/unitd]
> nginx-u+ 15810 15808 0 12:53 ? 00:00:00 unit: controller
> nginx-u+ 15812 15808 0 12:53 ? 00:00:00 unit: router
> root 15845 10323 0 12:56 pts/0 00:00:00 grep --colour=auto uni
>
> Running Manually:
>
> /usr/sbin/unitd --user mike --group users --no-daemon
> root 16071 10323 0 13:01 pts/0 00:00:00 unit: main v1.29.0
> [/usr/sbin/unitd --user mike --group users --no-daemon]
> mike 16073 16071 0 13:01 pts/0 00:00:00 unit: controller
> mike 16074 16071 0 13:01 pts/0 00:00:00 unit: router

Also, I just committed the conf.d file and updated the ebuild to support it
If you want to get in. When you added the nginx-unit user and group instead of the default "nobody" you were allowed to do the usual work of separating permissions, such as adding a single user (running the user's application through this software) to the nginx-unit group or using this group to provide direct access to the system and etc.

The main process is always started from the root, yes.
Please see "Unit's Process Summary" table at https://unit.nginx.org/howto/security/#sec-processes to understand what other unit's subprocesses are and how command line options affect them.

In your "Running Manually:" example, the processes "unit: controller" and "unit: router" are running under the specified user (and group) "mike".

I saw changes in conf.d (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cb867db04d4061168de5d84bb2c8fed834b8274).
For simplicity and clear understanding, I would recommend using in the default conf the user and group that we have already compiled into this server. That is:

  # non-privileged processes to run as specified user
  #NXT_USER="nginx-unit"

  # non-privileged processes to run as specified group
  #NXT_GROUP="nginx-unit"

Thank you.
(In reply to Vladimir Varlamov from comment #9)
> If you want to get in. When you added the nginx-unit user and group instead
> of the default "nobody" you were allowed to do the usual work of separating
> permissions, such as adding a single user (running the user's application
> through this software) to the nginx-unit group or using this group to
> provide direct access to the system and etc.
>
> The main process is always started from the root, yes.
> Please see "Unit's Process Summary" table at
> https://unit.nginx.org/howto/security/#sec-processes to understand what
> other unit's subprocesses are and how command line options affect them.
>
> In your "Running Manually:" example, the processes "unit: controller" and
> "unit: router" are running under the specified user (and group) "mike".
>
> I saw changes in conf.d
> (https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=1cb867db04d4061168de5d84bb2c8fed834b8274).
> For simplicity and clearly understanding, I would recommend using in the
> default conf the user and group that we have already compiled into the this
> server. That is:
>
> # non-privileged processes to run as specified user
> #NXT_USER="nginx-unit"
>
> # non-privileged processes to run as specified group
> #NXT_GROUP="nginx-unit"
>
> Thank you.

Yes, thank-you, those default suggestions make sense, I'll make that change now.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=af9772fe613cef0b0f191071c1ecec95d9fa4ff1

commit af9772fe613cef0b0f191071c1ecec95d9fa4ff1
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-02-28 21:11:22 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-02-28 21:12:27 +0000

    www-servers/nginx-unit: Change default user and group appropriate

    Big thanks to Vladimir Varlamov for their assistance on these recent
    user and group changes to nginx-unit

    Bug: https://bugs.gentoo.org/894778
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 www-servers/nginx-unit/files/nginx-unit.confd | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
Great. Thank you!

Did I understand correctly that you are preparing changes in nginx-unit.initd-r1 corresponding to the conf.d file?.. It seems that you missed this moment)
(In reply to Vladimir Varlamov from comment #12)
> Great. Thank you!
> I correctly understood that you are preparing changes in nginx-unit.initd-r1
> corresponding to the conf.d file?.. It seems that you missed this moment)

Can you elaborate? For instance, if I change NXT_USER and NXT_GROUP in conf.d/nginx-unit, I see the process is started and owned properly
1. init.d: Settings from conf file are not applied as they should. There are no corresponding commands in nginx-unit.initd-r1 to apply all settings from the new conf file.
   As a result, the startup script should execute: `unitd --user $NGX_USER --group $NGX_GROUP (...etc other setting from conf)`

2. Security. The /var/lib/nginx-unit directory must be from the root user.
   Now `start_pre() {}` does something extra
(In reply to Vladimir Varlamov from comment #14)
> 1. init.d: Settings from conf file are not applied as they should. There are
> no corresponding commands in nginx-unit.initd-r1 to apply all settings from
> the new conf file.
> As a result, the startup script should execute: `unitd --user $NGX_USER
> --group $NGX_GROUP (...etc other setting from conf)`
>
> 2. Security. the /var/lib/nginx-unit directory must be from the root user.
> Now `start_pre() {}` does something extra

Thank-you. Can you sync and take another look ?
(In reply to Mike Pagano from comment #15)
> (In reply to Vladimir Varlamov from comment #14)
> > 1. init.d: Settings from conf file are not applied as they should. There are
> > no corresponding commands in nginx-unit.initd-r1 to apply all settings from
> > the new conf file.
> > As a result, the startup script should execute: `unitd --user $NGX_USER
> > --group $NGX_GROUP (...etc other setting from conf)`
> >
> > 2. Security. the /var/lib/nginx-unit directory must be from the root user.
> > Now `start_pre() {}` does something extra
>
> Thank-you. Can you sync and take another look ?

Ok, I think I did everything you mentioned and bumped nginx-unit to 1.29.1.
typo in nginx-unit.initd-r1
line 12

  ---NXT_MODULES=${NXT_LOG:-/usr/lib64/nginx-unit}
  +++NXT_MODULES=${NXT_MODULES:-/usr/lib64/nginx-unit}
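The two points raised in comment #14 (the init script must actually pass the conf.d settings to `unitd`, and the state directory must stay root-owned rather than being chowned in `start_pre()`), together with the `${VAR:-default}` fallback that the line-12 typo above got wrong, as an added POSIX sh example. This is not the Gentoo `nginx-unit.initd-r1` script itself: `NXT_USER`, `NXT_GROUP`, `NXT_LOG` and `NXT_MODULES` are the variable names used in this bug, while `NXT_CONTROL`, `NXT_PID`, `NXT_STATE` and `NXT_TMP` are assumed names for the remaining `unitd --help` options; the defaults are the ones quoted in the first comment, with the user and group the Gentoo package compiles in.

```shell
#!/bin/sh
# Added example (not the Gentoo nginx-unit.initd-r1 script): assemble the unitd
# command line from conf.d-style variables so every option from `unitd --help`
# can be overridden, and refuse to start if the state directory is not owned
# by root. NXT_CONTROL, NXT_PID, NXT_STATE and NXT_TMP are assumed names.

# Print the unitd argument string. Every value falls back with the
# ${VAR:-default} pattern; each line expands its *own* variable, which is
# exactly what the NXT_MODULES/NXT_LOG typo in comment #17 broke.
unitd_args() {
    printf '%s' \
        "--user ${NXT_USER:-nginx-unit}" \
        " --group ${NXT_GROUP:-nginx-unit}" \
        " --control ${NXT_CONTROL:-unix:/run/nginx-unit.sock}" \
        " --pid ${NXT_PID:-/run/nginx-unit.pid}" \
        " --log ${NXT_LOG:-/var/log/nginx-unit}" \
        " --modules ${NXT_MODULES:-/usr/lib64/nginx-unit}" \
        " --state ${NXT_STATE:-/var/lib/nginx-unit}" \
        " --tmp ${NXT_TMP:-/usr/tmp}"
}

# Numeric owner uid of a path, via POSIX `ls -ldn` (no GNU stat needed).
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# Comment #14 asks that the state directory be owned by root, i.e. the
# start_pre() hook must not chown it to the service user. Returns 0 only when
# the directory exists and its owner is uid 0.
state_dir_ok() {
    [ -d "$1" ] && [ "$(owner_uid "$1")" = "0" ]
}

# What a start_pre()-style check would do with the helpers above: verify the
# state directory, then report the exact command line the service would run.
# Returns 1 (and prints nothing on stdout) when the check fails.
start_pre_check() {
    state="${NXT_STATE:-/var/lib/nginx-unit}"
    if ! state_dir_ok "$state"; then
        echo "refusing to start: $state must exist and be owned by root" >&2
        return 1
    fi
    echo "/usr/sbin/unitd $(unitd_args)"
}
```

Source the conf.d file first (`. /etc/conf.d/nginx-unit`), then `start_pre_check` prints the full command line with whatever was overridden, or fails before `unitd` is started. In a real OpenRC script the same string would go into `command_args`, which is what comment #4 asks for.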
(In reply to Vladimir Varlamov from comment #17)
> typo in nginx-unit.initd-r1
> line 12
> ---NXT_MODULES=${NXT_LOG:-/usr/lib64/nginx-unit}
> +++NXT_MODULES=${NXT_MODULES:-/usr/lib64/nginx-unit}

Nice catch. Fixed.
(In reply to Mike Pagano from comment #18)
> (In reply to Vladimir Varlamov from comment #17)
> > typo in nginx-unit.initd-r1
> > line 12
> > ---NXT_MODULES=${NXT_LOG:-/usr/lib64/nginx-unit}
> > +++NXT_MODULES=${NXT_MODULES:-/usr/lib64/nginx-unit}
>
> Nice catch. Fixed.

Vlad, are we good?
Now everything is fine. Thank you for your work!
(In reply to Vladimir Varlamov from comment #20)
> Now everything is fine. Thank you for your work!

Thank-you ! Could not have done this properly without you.