Thanks for the bug report.  Web servers in Mageia are supposed to use the apache user created by the webserver-base package (which they then need to Require).  This package should not be using an "nginx" user.  See the lighttpd package for an example of how it should be done.

Thanks for your explanation David.
@Muhammad : thank you for finding this flaw; and sorry for the angst. Have/hed you installed the package 'webserver-base'? And followed the advice above "See the lighttpd package for an example of how it should be done"?

It looks as if nginx (alone of the various web servers) does not currently require 'webserver-base':
 $ urpmq --requires nginx | grep webserver
[nothing]
Conversely, 'webserver-base' is not required by nginx:
 $ urpmq --whatrequires webserver-base | uniq
 apache
 hiawatha
 lighttpd
& more, but *not* nginx. Alternatively:
 $ urpmq --whatrequires webserver-base | grep nginx
[nothing]

Assuming this is a missing requires, assigning to Stig who is the active maintainer.

Summary: Nginx does not run as apache user => Nginx does not run as apache user (missing requires for webserver-base)
Assignee: bugsquad => smelror
Source RPM: (none) => nginx-1.16.1-1.mga7.src.rpm
Severity: critical => major

It's not just that the Requires are missing, the package needs to be configured to use the apache user and not create/use an nginx user.  That's something that the nginx packager needs to do, not the user(s) of the package.

As for whether we should do this change for Mageia 7, it's debatable.  It would make new deployments a lot easier, but would be disruptive for existing deployments.  For whichever Mageia release it's done, a note should be added to the Release Notes about this.  I'll let the maintainer decide whether to fix this for Mageia 7 or just for Mageia 8.

I've just pushed an update for MGA7 with webserver-base in Requires.

When it comes to configuring nginx to use the apache user/group and doing this for MGA7, I agree with the expert opinion of David.

I, personally, would do this change. I am, however, quite haphazard and that's why I rely on his advice.

I'll look into doing the switch on Cauldron and take it from there.


Cheers,
Stig

Simply requiring webserver-base without configuring the package to use the apache user serves no purpose and accomplishes nothing.  To actually fix this you'll have to also change line 1 of the SPEC to:
%define nginx_user apache

I'm guessing you'll also need a Requires(pre): webserver-base, and you'll need to remove the %pre/%postun scriplets that are currently in the nginx package (creating and deleting the user, which will be handled in webserver-base).  The service scriplets in %post and %preun will need to be changed to have %{name} rather than %{nginx_user} as the argument.

Hi,

This is release_blocker for a reason.
Making Mageia even better than ever is best direction.
In order to do right thing, this bug should be examined and fixed as soon as possible.

Packagers, please change the status to "Assigned" when you are working on this.


We will make a decision on the relevance of the release_blocker tag on 1st October 2020 QA meeting.

Assigning to Guillaume to look for this as he did a recent commit on this package.
Please assign back if not for you.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
CC: (none) => smelror
Assignee: smelror => guillomovitch

I just pushed a new release, switching to apache user.

Fantastic, thank you Guillaume!

Fixed in nginx-1.18.0-4.mga8.

Before we close this bug, this is something that should really be documented in the Mageia 8 release notes.

(In reply to David Walser from comment #9)
> Fantastic, thank you Guillaume!
> 
> Fixed in nginx-1.18.0-4.mga8.
> 
> Before we close this bug, this is something that should really be documented
> in the Mageia 8 release notes.


https://wiki.mageia.org/en/Mageia_8_Release_Notes#Server_applications

Done.
Closing.

Status: NEW => RESOLVED
CC: (none) => ouaurelien
Resolution: (none) => FIXED