Why the nginx systemd startup script needs root privileges
4 December 2021, 09:58:25
While going through our production security checklist today, I tried adding User= and Group= to
/etc/systemd/system/nginx.service
With those two lines in place nginx no longer came up: the error log shows the warning
the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /usr/local/nginx/nginx.conf:1
and the service fails to start. This was the unit file:
[Unit]
Description=nginx
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
PrivateTmp=true
User=www
Group=www

[Install]
WantedBy=multi-user.target
The lines
user www;
worker_processes 1;
in nginx.conf set the user of the nginx worker processes (processes, not threads) to www. They say nothing about the master process: the master stays root so that it can bind privileged ports and open the pid and log files, and it drops to www only for the workers it forks, as ps shows:
root  37796     1  0 09:50 ?     00:00:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/nginx.conf
www   37797 37796  0 09:50 ?     00:00:00 nginx: worker process
root  38546 38413  0 10:09 pts/1 00:00:00 grep --color=auto nginx
The cause is that by default Linux only lets a process with root privileges (strictly, one holding the CAP_NET_BIND_SERVICE capability, which root always has) bind ports below 1024; the threshold is the kernel sysctl net.ipv4.ip_unprivileged_port_start, which is 1024 unless you change it. nginx normally listens on 80 and 443.
So if you set User=www in nginx.service, the master process itself runs as www: nginx ignores the `user` directive (hence the warning above), and its bind() on ports 80 and 443 is refused with a permission error, so the service does not start.
The fix is simply to comment those two lines out again:
#User=www
#Group=www
and let systemd start the master as root; nginx then drops the workers to www itself through the `user` directive. Other services that do not bind privileged ports, such as php-fpm and Elasticsearch, can take User=/Group= directly.
Note: after editing a .service file you must run systemctl daemon-reload before restarting the service, otherwise systemd keeps using the old unit.
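The following script is an added example, not code from the original post or from nginx or systemd. It applies the reasoning above mechanically: it pulls the `listen` ports out of an nginx.conf, reads User= and AmbientCapabilities= from the [Service] section of a unit, and reports whether the master process will be able to bind every listener and whether nginx's own `user` directive will be honoured. The unit fragments and nginx.conf are constructed samples modelled on this post, and the 1024 threshold is the default value of net.ipv4.ip_unprivileged_port_start.

```python
"""Check whether a systemd unit's User= setting conflicts with the ports an
nginx.conf listens on.

Added example for this post, not code from the original page or from nginx.
The unit fragments and nginx.conf below are constructed samples modelled on
the post; 1024 is the kernel default of net.ipv4.ip_unprivileged_port_start.
"""
import re

# Constructed nginx.conf fragment: privileged, unprivileged and unix-socket listeners.
NGINX_CONF = """
user www;
worker_processes 1;
http {
    server {
        listen 80 default_server;
        listen 443 ssl;
        listen [::]:443 ssl;          # IPv6 form: port after the last colon
        listen 127.0.0.1:8080;        # unprivileged, fine for any user
        listen unix:/run/nginx.sock;  # no TCP port at all
    }
}
"""

# Constructed [Service] fragments: the post's failing unit and two working variants.
BASE_UNIT = """
[Unit]
Description=nginx
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
PrivateTmp=true
"""
UNIT_BROKEN = BASE_UNIT + "User=www\nGroup=www\n"
UNIT_ROOT = BASE_UNIT + "#User=www\n#Group=www\n"      # the post's fix: master stays root
UNIT_CAP = UNIT_BROKEN + "AmbientCapabilities=CAP_NET_BIND_SERVICE\n"  # alternative, systemd >= 229


def listen_ports(nginx_conf: str) -> set:
    """Return the TCP ports named by `listen` directives (comments stripped)."""
    ports = set()
    for line in nginx_conf.splitlines():
        line = line.split("#", 1)[0]
        for m in re.finditer(r"\blisten\s+([^;]+);", line):
            target = m.group(1).split()[0]        # drop parameters such as ssl/default_server
            if target.startswith("unix:"):
                continue
            if target.isdigit():
                ports.add(int(target))
                continue
            port = re.search(r":(\d+)$", target)  # addr:port or [v6]:port
            ports.add(int(port.group(1)) if port else 80)  # address-only listen defaults to 80
    return ports


def service_settings(unit: str) -> dict:
    """Collect [Service] keys as lists, since systemd allows repeated keys."""
    settings, section = {}, None
    for raw in unit.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def check_unit(unit: str, nginx_conf: str, privileged_port_start: int = 1024) -> dict:
    """Decide whether the master process, run as User=, can bind every listener."""
    svc = service_settings(unit)
    user = svc.get("User", ["root"])[-1]          # systemd's default is root
    caps = {c for v in svc.get("AmbientCapabilities", []) for c in v.split()}
    privileged = sorted(p for p in listen_ports(nginx_conf) if p < privileged_port_start)
    runs_as_root = user == "root"
    can_bind = runs_as_root or not privileged or "CAP_NET_BIND_SERVICE" in caps
    return {
        "user": user,
        "privileged_ports": privileged,
        "can_bind": can_bind,
        # nginx honours its own `user` directive only when the master is root;
        # otherwise it logs the warning quoted in the post and ignores it.
        "worker_user_honoured": runs_as_root,
    }


if __name__ == "__main__":
    for name, unit in (("User=www", UNIT_BROKEN), ("root master", UNIT_ROOT), ("www + capability", UNIT_CAP)):
        print(name, check_unit(unit, NGINX_CONF))
```

The third variant shows the option the post does not take: keep User=www and grant only CAP_NET_BIND_SERVICE through AmbientCapabilities=. The master can then bind 80 and 443 without being root, but nginx's `user` directive is still ignored (the workers simply inherit www), and the pid file, error log and cache directories must be writable by www or startup fails for a different reason.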
Elasticsearch startup script
[Service]
Type=notify
RuntimeDirectory=elasticsearch
PrivateTmp=true
Environment=ES_HOME=/usr/share/elasticsearch
Environment=ES_PATH_CONF=/etc/elasticsearch
Environment=PID_DIR=/var/run/elasticsearch
Environment=ES_SD_NOTIFY=true
EnvironmentFile=-/etc/sysconfig/elasticsearch

WorkingDirectory=/usr/share/elasticsearch

User=elasticsearch
Group=elasticsearch

ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid --quiet

# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# elasticsearch logging system is initialized. Elasticsearch
# stores its logs in /var/log/elasticsearch and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535

# Specifies the maximum number of processes
LimitNPROC=4096

# Specifies the maximum size of virtual memory
LimitAS=infinity

# Specifies the maximum file size
LimitFSIZE=infinity

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0

# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM

# Send the signal only to the JVM rather than its control group
KillMode=process

# Java process is never killed
SendSIGKILL=no

# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143

# Allow a slow startup before the systemd notifier module kicks in to extend the timeout
TimeoutStartSec=75

[Install]
WantedBy=multi-user.target
php-fpm startup script
[Unit]
Description=php8-fpm
After=syslog.target network.target

[Service]
Type=simple
PIDFile=/usr/local/php8/php-fpm.pid
ExecStart=/usr/local/php8/sbin/php-fpm -c /usr/local/php8/etc/php.ini -y /usr/local/php8/etc/php-fpm.conf
ExecReload=/bin/kill -USR2 $MAINPID
ExecStop=/bin/kill -SIGINT $MAINPID
User=www
Group=www

[Install]
WantedBy=multi-user.target
Other workarounds
Both of the following make the nginx binary setuid root (./nginx/ below refers to the nginx binary, as in the original), so whoever starts it gets a master process with effective uid 0:
Method 1: any user can run it (mode 755, owner root, group root)
chown root.root ./nginx/
chmod 755 ./nginx/
chmod u+s ./nginx/
Method 2: only root and members of group www (the wyq user here) can run it (mode 750, owner root, group www)
chown root.www ./nginx/
chmod 750 ./nginx/
chmod u+s ./nginx/
Caveat: a setuid-root nginx is not a privilege reduction. The master still runs as root, exactly as with the systemd fix above, and now every user allowed to execute the binary can start a root process with a configuration of their own choosing (-c), so Method 1 in particular widens the attack surface rather than narrowing it. If the goal really is a non-root master, prefer AmbientCapabilities=CAP_NET_BIND_SERVICE in the unit, or lower net.ipv4.ip_unprivileged_port_start, and make the pid file and log directories writable by www.
QQ group 1: 247823727
QQ group 2: 166427999
If the blog's files cannot be downloaded, join a group to get them.
If your company's project has hit a technical bottleneck, contact ↓↓
For custom system development services, contact ↓↓
Technical services QQ: 903464207