Incorrect Permissions and Ownership in /etc/nginx/sites-available Folder for Containers

I seem to have encountered an issue with the default permissions and ownership of the containers within my /etc/nginx/sites-available directory. The current permissions and ownership structure appears to be off, and I'm concerned that it might not be set up correctly. Here's the listing of the directory contents:

@win11:/etc/nginx/sites-available$ ls -laX
total 40
-rwxr-xr-x 1 root root  453 May 18 11:16 beelink
-rwxr-xr-x 1 root root  453 May 18 11:16 debian
-rwxr-xr-x 1 root root 2412 May 18 11:16 default
-rwxr-xr-x 1 root root  475 May 18 11:16 github
-rwxr-xr-x 1 root root  453 May 18 11:16 htdocsh
-rwxr-xr-x 1 root root  453 May 18 11:16 htdocsl
-rwxr-xr-x 1 root root  478 May 18 11:16 portable
-rw-r--r-- 1 root root  664 Aug  6 04:17 wsldebian
drwxr-xr-x 2 root root 4096 Aug  8 02:33 .
drwxr-xr-x 8 root root 4096 May 19 04:41 ..
debian@win11:/etc/nginx/sites-available$

I wonder

  • 1.) why most of the CHMOD are the same but not all. Maybe it was extracted from an archive (.7z probably), come to think of it?
  • 2.) The advisory (this one) suggests that the owner should NOT be root; instead, in this example, it should be debian:debian? I suspect that the permissions and ownership might not be appropriately configured, and this could potentially lead to problems with my information technology systems in a business environment.

To address this issue, I would appreciate guidance on the correct permissions and ownership settings for the containers/folders within the /etc/nginx/sites-available folder. Additionally, any insights into why this issue might have occurred would be helpful. A link to the proper doc for the http server if it covers permissions.

Here's what I've tried so far: researching web sites like this one, which provides useful information. Sadly, I truly get lost trying to find the "correct" NGINX info (the site with the doc hierarchy tree on the right).

Thank you for your assistance. If you need any further information, please let me know.

What's shown is WSL, Debian on Windows 11, latest updates. I run basically the same thing on an MX-Linux 21 system. Just trying to get a better hold on correct config for NGINX. I learned some things this evening which made me realize it's pretty easy to use for fairly advanced operations.

Sylvester DeMouser
I appreciate the commentary thus far. It lends insight, and insight is always helpful! I haven't tried the suggestions yet. Yes, as someone mentioned, it IS a development server. In my poor way of inquiry (which actually was summarized first for me by ChatGPT before I revised it, because I suck at forums [ADHD], and ramble too much [clearly]): what are the "default" settings, for instance, if I had just installed Win11, then WSL > Debian, then NGINX w/ PHP and MariaDB? I realize I won't experience any "real" security issues, but for posterity; for interoperability: NPM; Composer.
Sylvester DeMouser
^[my comment above approx: August 12, 2023 13:40:00 EDT]^ That is to say, my setup works fine. I'd noticed the offset permissions, and that kind of thing makes me curious: "why?" As I was authoring the question, it occurred to me that I'd probably extracted the /etc/nginx/sites* from a previous NGINX config I'd archived, which likely explains the file/dir permissions I encountered. Nevertheless, being "new" to NGINX, I'd like to have them set "correctly". RE: ^timestamp^ Today is the anniversary of #PhiladelphiaExperiment - the "20 year" point! Time travel, anyone? :)

The files you listed in /etc/nginx/sites-available are Debian-style nginx configuration files for individual sites (virtual hosts) served by nginx. They are not publicly exposed website files so the recommendations about a separate website user don't apply to them. Ownership root:root and permissions 644 should work for them.

Sylvester DeMouser
Thanks for the feedback here. In retrospect, what I appear to be trying to learn here is probably regarding Composer. I'd been working with Laravel, and some tutorials where Composer is heavily involved (of course)... which becomes a debacle if, like me, one doesn't realize it's normal to get the "your composer needs to be ^2.0" fuss. Regardless, that [my commentary/inquiry] doesn't make sense in the context of nginx perms. I dunno. Early onset dementia, most likely to be true. I believe the end is nigh. At least the end of any coding career... Thank you, ladies and gentlemen!

Go read your article again. It is NOT an advisory. It talks about the permissions for the content files, and the advice given there is bad. Some websites (e.g. Wordpress) require the application user to have write permissions to large parts of the site. Unless you EXPLICITLY require this, it is bad for security.

There is no mention of configuration files.

If you are running nginx on ports 80 and/or 443 then (without a lot of configuration gymnastics) the service can only be started by the root user, i.e. only root needs to be able to read the files at runtime. In larger environments you might have people with only limited access to the root account (e.g. via sudo) who should nevertheless be able to change the config files; in such a scenario the ownership might be other than root:root and the permissions might be slightly different.

I disagree with the comment by AlexD - placing a file outside the DocumentRoot has some benefit for security but there are stronger, supplementary measures. And the permissions not only "should work" but are actually much more appropriate.

Applying the principle of least privilege, and since the 'root' group only contains the 'root' user, your permissions are correct; only root can modify these files.

The execute bits are irrelevant to the configuration files (but I would tidy them up).

jp flag
I don't understand what you are disagreeing about. Is there anything incorrect in my answer?
ws flag
1) files outside documentRoot are "safe", 2) current permissions "should work" rather than are correct.
jp flag
where did I make such statements as "files outside documentRoot are "safe"? 2) "should work" applies to the entire sentence, including ownership and it is unknown whether OP need group ownership or not.
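Both answers above converge on the same target for this directory: files owned by root:root at 0644 (directory 0755), with the stray execute bits removed. The script below is an added example, not code from either answerer, that audits a sites-available style directory against that target and normalises it. The `audit_nginx_conf` and `fix_nginx_conf` function names, and the optional owner argument (for the "limited sudo access" case mentioned above, where root:root is not wanted), are this example's own choices; it relies on GNU `stat -c`, which is what Debian and WSL Debian ship.

```bash
#!/usr/bin/env bash
# Added example: audit and normalise permissions on an nginx site-config
# directory such as /etc/nginx/sites-available.
# Target (from the answers above): files 0644, directory 0755, owner
# root:root by default. nginx reads these as root at startup; nothing
# needs to execute them and nobody but the owner needs to write them.

# audit_nginx_conf DIR [OWNER:GROUP]
# Prints one line per deviation (MODE or OWNER); prints nothing when clean.
audit_nginx_conf() {
    local dir="$1" want_owner="${2:-root:root}"
    local want_file=644 want_dir=755
    local path mode owner want
    for path in "$dir" "$dir"/*; do
        [ -e "$path" ] || continue            # empty directory: glob stays literal
        mode=$(stat -c '%a' "$path")          # GNU stat: octal mode bits
        owner=$(stat -c '%U:%G' "$path")      # GNU stat: owner:group names
        if [ -d "$path" ]; then want=$want_dir; else want=$want_file; fi
        [ "$mode" = "$want" ] ||
            printf 'MODE  %s is %s (want %s)\n' "$path" "$mode" "$want"
        [ "$owner" = "$want_owner" ] ||
            printf 'OWNER %s is %s (want %s)\n' "$path" "$owner" "$want_owner"
    done
}

# fix_nginx_conf DIR [OWNER:GROUP]
# Strips execute bits and group/world write from files, fixes the directory
# mode, and chowns only when running as root (chown needs it anyway).
fix_nginx_conf() {
    local dir="$1" want_owner="${2:-root:root}"
    local path
    chmod 0755 "$dir"
    for path in "$dir"/*; do
        [ -f "$path" ] && chmod 0644 "$path"
    done
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$want_owner" "$dir"
    else
        echo "not root: skipping chown $want_owner $dir" >&2
    fi
}

# Stand-alone usage (only when executed, not when sourced):
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    audit_nginx_conf "${1:-/etc/nginx/sites-available}" "${2:-root:root}"
fi
```

Run against the listing in the question, the audit reports a MODE line for each of the seven 755 files and nothing for `wsldebian`, which is already 644; `fix_nginx_conf` then brings them in line without touching ownership, which was already root:root. Re-run the audit afterwards and `nginx -t` to confirm the files still parse.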