Bug 26183 - Nginx does not run as apache user (missing requires for webserver-base)
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: release_blocker major
Target Milestone: Mageia 8
Assignee: Guillaume Rousse
QA Contact:
URL:
Whiteboard:
Keywords: Triaged
Depends on:
Blocks:
 
Reported: 2020-02-11 15:08 CET by Muhammad Tailounie
Modified: 2020-10-30 19:39 CET

See Also:
Source RPM: nginx-1.18.0-2.mga8.src.rpm
CVE:
Status comment:


Description Muhammad Tailounie 2020-02-11 15:08:59 CET
Installing Nginx as a webserver creates many problems. php-fpm must be reconfigured to use the nginx user; socket files, roundcubemail, log files, etc. all use the apache user/group.

If everything is modified to use nginx, any update of a concerned package would break the configuration again.
Muhammad Tailounie 2020-02-11 15:09:29 CET

Severity: normal => critical
Priority: Normal => High

Comment 1 David Walser 2020-02-11 16:48:08 CET
Thanks for the bug report.  Web servers in Mageia are supposed to use the apache user created by the webserver-base package (which they then need to Require).  This package should not be using an "nginx" user.  See the lighttpd package for an example of how it should be done.
Comment 2 Lewis Smith 2020-02-11 20:34:37 CET
Thanks for your explanation David.
@Muhammad: thank you for finding this flaw, and sorry for the angst. Have/had you installed the package 'webserver-base'? And followed the advice above "See the lighttpd package for an example of how it should be done"?

It looks as if nginx (alone of the various web servers) does not currently require 'webserver-base':
 $ urpmq --requires nginx | grep webserver
[nothing]
Conversely, 'webserver-base' is not required by nginx:
 $ urpmq --whatrequires webserver-base | uniq
 apache
 hiawatha
 lighttpd
& more, but *not* nginx. Alternatively:
 $ urpmq --whatrequires webserver-base | grep nginx
[nothing]

Assuming this is a missing requires, assigning to Stig who is the active maintainer.

Assignee: bugsquad => smelror
Source RPM: (none) => nginx-1.16.1-1.mga7.src.rpm
Summary: Nginx does not run as apache user => Nginx does not run as apache user (missing requires for webserver-base)
Severity: critical => major

Comment 3 David Walser 2020-02-11 20:52:54 CET
It's not just that the Requires are missing, the package needs to be configured to use the apache user and not create/use an nginx user.  That's something that the nginx packager needs to do, not the user(s) of the package.

As for whether we should do this change for Mageia 7, it's debatable.  It would make new deployments a lot easier, but would be disruptive for existing deployments.  For whichever Mageia release it's done, a note should be added to the Release Notes about this.  I'll let the maintainer decide whether to fix this for Mageia 7 or just for Mageia 8.
Comment 4 Stig-Ørjan Smelror 2020-02-11 21:02:05 CET
I've just pushed an update for MGA7 with webserver-base in Requires.

When it comes to configuring nginx to use the apache user/group and doing this for MGA7, I agree with the expert opinion of David.

I, personally, would do this change. I am, however, quite haphazard and that's why I rely on his advice.

I'll look into doing the switch on Cauldron and take it from there.


Cheers,
Stig
Comment 5 David Walser 2020-02-11 22:02:52 CET
Simply requiring webserver-base without configuring the package to use the apache user serves no purpose and accomplishes nothing.  To actually fix this you'll have to also change line 1 of the SPEC to:
%define nginx_user apache

I'm guessing you'll also need a Requires(pre): webserver-base, and you'll need to remove the %pre/%postun scriptlets that are currently in the nginx package (creating and deleting the user, which will be handled in webserver-base).  The service scriptlets in %post and %preun will need to be changed to have %{name} rather than %{nginx_user} as the argument.
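
The checklist in comment 5, written as a spec-file audit. This is an added example, not code from the Mageia nginx package or from any commenter; the function names, finding labels and both sample specs are constructed, and only `%define nginx_user apache`, `Requires(pre): webserver-base` and the `%pre`/`%postun` sections are taken from the thread.

```shell
#!/bin/sh
# audit_spec FILE: print one finding per line; return non-zero on any finding.
audit_spec() {
    spec=$1
    findings=
    # 1. The run-as user macro must be apache, not a package-private account.
    user=$(awk '$1 == "%define" && $2 == "nginx_user" { print $3; exit }' "$spec")
    [ "$user" = apache ] || findings="${findings}nginx_user=${user:-unset}
"
    # 2. webserver-base must already be installed when the scriptlets run;
    #    a plain "Requires:" does not guarantee that ordering.
    grep -Eq '^Requires\(pre\):.*webserver-base' "$spec" ||
        findings="${findings}no-requires-pre
"
    # 3. %pre/%postun must not create or delete an account themselves.
    if awk '/^%(pre|postun)([ \t]|$)/ { s = 1; next }
            /^%(description|prep|build|install|files|post|preun|changelog)([ \t]|$)/ { s = 0 }
            s && /user(add|del)/ { hit = 1 }
            END { exit !hit }' "$spec"; then
        findings="${findings}scriptlet-manages-user
"
    fi
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample specs (heavily shortened, not the real nginx spec).
write_samples() {
    cat > "$1/before.spec" <<'EOF'
%define nginx_user nginx
Name: nginx
Requires: webserver-base
%pre
useradd -r -s /sbin/nologin %{nginx_user}
%postun
userdel %{nginx_user}
EOF
    cat > "$1/after.spec" <<'EOF'
%define nginx_user apache
Name: nginx
Requires(pre): webserver-base
%files
EOF
}

tmp=$(mktemp -d); write_samples "$tmp"
for f in before after; do echo "== $f.spec"; audit_spec "$tmp/$f.spec" || true; done
rm -rf "$tmp"
```

The "before" sample mirrors the intermediate state criticised in comment 5: `webserver-base` is required, but the package still defines and manages its own account.
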
David Walser 2020-07-21 18:11:07 CEST

Version: 7 => Cauldron
Source RPM: nginx-1.16.1-1.mga7.src.rpm => nginx-1.18.0-2.mga8.src.rpm
Target Milestone: --- => Mageia 8
Priority: High => release_blocker

Comment 6 Aurelien Oudelet 2020-09-19 18:03:35 CEST
Hi,

This is a release_blocker for a reason.
Making Mageia even better than ever is the best direction.
In order to do the right thing, this bug should be examined and fixed as soon as possible.

Packagers, please change the status to "Assigned" when you are working on this.


We will make a decision on the relevance of the release_blocker tag at the 1st October 2020 QA meeting.
Comment 7 Aurelien Oudelet 2020-10-25 17:54:19 CET
Assigning to Guillaume to look for this as he did a recent commit on this package.
Please assign back if not for you.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => smelror
Assignee: smelror => guillomovitch
Keywords: (none) => Triaged

David Walser 2020-10-28 00:40:29 CET

CC: (none) => luigiwalser

Comment 8 Guillaume Rousse 2020-10-30 19:36:23 CET
I just pushed a new release, switching to apache user.
Comment 9 David Walser 2020-10-30 19:39:01 CET
Fantastic, thank you Guillaume!

Fixed in nginx-1.18.0-4.mga8.

Before we close this bug, this is something that should really be documented in the Mageia 8 release notes.
