Bug 26183 - Nginx does not run as apache user (missing requires for webserver-base)
Summary: Nginx does not run as apache user (missing requires for webserver-base)
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: release_blocker major
Target Milestone: Mageia 8
Assignee: Stig-Ørjan Smelror
QA Contact:
Depends on:
Reported: 2020-02-11 15:08 CET by Muhammad Tailounie
Modified: 2020-07-21 18:11 CEST (History)
0 users

See Also:
Source RPM: nginx-1.18.0-2.mga8.src.rpm
Status comment:


Description Muhammad Tailounie 2020-02-11 15:08:59 CET
Installing Nginx as a webserver creates many problems. php-fpm must be reconfigured to use the nginx user, socket files, roundcubemail, log files...etc all use the apache user/group.

If everything is modified to use nginx any update of a concerned package would break the configuration again.
Muhammad Tailounie 2020-02-11 15:09:29 CET

Priority: Normal => High
Severity: normal => critical

Comment 1 David Walser 2020-02-11 16:48:08 CET
Thanks for the bug report.  Web servers in Mageia are supposed to use the apache user created by the webserver-base package (which they then need to Require).  This package should not be using an "nginx" user.  See the lighttpd package for an example of how it should be done.
Comment 2 Lewis Smith 2020-02-11 20:34:37 CET
Thanks for your explanation David.
@Muhammad : thank you for finding this flaw; and sorry for the angst. Have/hed you installed the package 'webserver-base'? And followed the advice above "See the lighttpd package for an example of how it should be done"?

It looks as if nginx (alone of the various web servers) does not currently require 'webserver-base':
 $ urpmq --requires nginx | grep webserver
Conversely, 'webserver-base' is not required by nginx:
 $ urpmq --whatrequires webserver-base | uniq
& more, but *not* nginx. Alternatively:
 $ urpmq --whatrequires webserver-base | grep nginx

Assuming this is a missing requires, assigning to Stig who is the active maintainer.

Severity: critical => major
Summary: Nginx does not run as apache user => Nginx does not run as apache user (missing requires for webserver-base)
Source RPM: (none) => nginx-1.16.1-1.mga7.src.rpm
Assignee: bugsquad => smelror

Comment 3 David Walser 2020-02-11 20:52:54 CET
It's not just that the Requires are missing, the package needs to be configured to use the apache user and not create/use an nginx user.  That's something that the nginx packager needs to do, not the user(s) of the package.

As for whether we should do this change for Mageia 7, it's debatable.  It would make new deployments a lot easier, but would be disruptive for existing deployments.  For whichever Mageia release it's done, a note should be added to the Release Notes about this.  I'll let the maintainer decide whether to fix this for Mageia 7 or just for Mageia 8.
Comment 4 Stig-Ørjan Smelror 2020-02-11 21:02:05 CET
I've just pushed an update for MGA7 with webserver-base in Requires.

When it comes to configuring nginx to use the apache user/group and doing this for MGA7, I agree with the expert opinion of David.

I, personally, would do this change. I am, however, quite haphazard and that's why I rely on his advice.

I'll look into doing the switch on Cauldron and take it from there.

Comment 5 David Walser 2020-02-11 22:02:52 CET
Simply requiring webserver-base without configuring the package to use the apache user serves no purpose and accomplishes nothing.  To actually fix this you'll have to also change line 1 of the SPEC to:
%define nginx_user apache

I'm guessing you'll also need a Requires(pre): webserver-base, and you'll need to remove the %pre/%postun scriplets that are currently in the nginx package (creating and deleting the user, which will be handled in webserver-base).  The service scriplets in %post and %preun will need to be changed to have %{name} rather than %{nginx_user} as the argument.
David Walser 2020-07-21 18:11:07 CEST

Priority: High => release_blocker
Version: 7 => Cauldron
Target Milestone: --- => Mageia 8
Source RPM: nginx-1.16.1-1.mga7.src.rpm => nginx-1.18.0-2.mga8.src.rpm

Note You need to log in before you can comment on or make changes to this bug.