Paulon8080
Posts: 74
Joined: Wed Jan 04, 2017 12:15 pm

nginx html file permissions

Sun Jul 28, 2019 5:43 pm

Hi all,

I'm trying to edit nginx html page using:

sudo echo "<h1>HelloTest</h1>" > /usr/share/nginx/html/index.html
However I get:

bash: /usr/share/nginx/html/index.html: Permission denied
If anyone has any suggestions, please let me know!

Andyroo

Re: nginx html file permissions

Sun Jul 28, 2019 5:55 pm

I would use

sudo nano /usr/share/nginx/html/index.html
to be honest but if you want to use echo:

echo '<h1>HelloTest</h1>' | sudo tee -a /usr/share/nginx/html/index.html > /dev/null
Technically this will append to the end of the file if it exists (drop the -a to replace).
The last part ('> /dev/null') just stops it being echoed to the screen.

Paulon8080
Posts: 74
Joined: Wed Jan 04, 2017 12:15 pm

Re: nginx html file permissions

Mon Jul 29, 2019 8:35 am

Hey Andyroo,

Thanks for taking the time to reply.

Working perfect now!

Much appreciated,

Paul

tpyo kingg
Posts: 628
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: nginx html file permissions

Mon Jul 29, 2019 8:58 am

Or if you are going to be editing the files more than occasionally, you can change the ownership of the directory and its contents. If the machine is used by just the account "pi" then the change is simple:

sudo chown -R pi:pi /usr/share/nginx/html/
If you have other accounts on that machine or you have a CMS which is using its own accounts also then the solution is a little more complex.

Andyroo

Re: nginx html file permissions

Mon Jul 29, 2019 11:00 am

I would actually make the Pi user a member of the www-data group. That way security on the folders is maintained for the web services and no clashes are created for other web application software suddenly hitting the Pi ownership.

Once broke an IIS server by trying to get it to run as a different user :lol:

tpyo kingg
Posts: 628
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: nginx html file permissions

Thu Aug 01, 2019 6:55 am

Andyroo wrote:
Mon Jul 29, 2019 11:00 am
I would actually make the Pi user a member of the www-data group. That way security on the folders is maintained for the web services and no clashes are created for other web application software suddenly hitting the Pi ownership.
That is incorrect on all counts. Please read up on "privilege separation" and "least privilege". The www-data account and group exist only to provide an unprivileged account for the HTTP daemon. No accounts should be within the www-data group except the www-data account itself. The www-data account itself must have only read-only access to the web pages and it must stay that way to maintain the security of the folders/directories. In the rare edge cases (usually involving dodgy Content Management Systems) where some directories must be written in by scripts, then it is just as essential to ensure that those writable directories are not within the document root in any way.

Again, as mentioned earlier, if "pi" is the only real user on the system then changing ownership of the web pages' directories works. If more than one account needs to share access then it is necessary to make an additional group just for that purpose and use that. Either way it is essential to leave the www-data group unmodified.

Andyroo

Re: nginx html file permissions

Thu Aug 01, 2019 12:18 pm

Have to disagree - you cannot get reverse security rights i.e. the www-data group members cannot get access to other objects by the Pi user being a member but the Pi user can then operate easily within the web site files. It does technically increase the risk to the www-data owned objects as sudo is no longer required BUT in the case of the Pi boards as no password is required for sudo then this risk is present anyway.

But rather than turn this into an argument shall we agree to differ?

tpyo kingg
Posts: 628
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: nginx html file permissions

Thu Aug 01, 2019 2:04 pm

Don't take it wrong. Messing with www-data is a surprisingly common error that weakens defense in depth and is not a matter of system administration style. Access to other objects owned by the "pi" account is not in question. The goal is to prevent the web server itself from writing its own pages, or its own scripts, in the event of a compromise.

Start with the fact the HTTP daemon needs only read access to the files being served up whereas the account "pi" needs both read and write access to the files served. See that after nginx uses root to bind to port 80 (and 443 if needed) it drops to a specified user (and group) that needs to have read access to the files yet at the same time needs to not have write access:

$ grep -E 'user|group' /etc/nginx/nginx.conf 
user www-data;

$ sudo netstat -ntlp | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1198/nginx: master  
tcp6       0      0 :::80                   :::*                    LISTEN      1198/nginx: master  

$ ps -axf -o ppid,pid,user,group,args | sed -n '1p; / sed /d; /nginx/p;'
 PPID   PID USER     GROUP    COMMAND
    1  1198 root     root     nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
 1198  1199 www-data www-data  \_ nginx: worker process
 1198  1200 www-data www-data  \_ nginx: worker process
 1198  1201 www-data www-data  \_ nginx: worker process
 1198  1202 www-data www-data  \_ nginx: worker process
You can see that if the web pages end up writable by the group www-data the web server could rewrite them, in principle. That becomes a problem for the Raspberry Pi's owner in the case of static pages. It becomes a serious problem that includes the rest of us on the net once scripts like PHP, Python, or Perl come into the picture. If one follows the principle of Least Privilege, where a task is given the least amount of access needed to get the work done, then the HTTP daemon should not have write access to any of the files that are being served up. Simply changing owner of the directory /usr/share/nginx/html/ to the account "pi" solves the question of write access for "pi" while not adding it to the HTTP daemon.
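The rule in the post above (the daemon's account reads the document root, only the owner writes it) can be turned into a check to run before a site goes live. The script below is an added example, not code from this thread or from the nginx project; it assumes a GNU or BusyBox `find`, defaults the web server account to `www-data` as in the `nginx.conf` shown, and builds a small constructed document root so it runs unprivileged. On a real host you would point `audit_docroot` at `/usr/share/nginx/html`.

```shell
#!/bin/sh
# Added example, not from the thread. Lists anything under a document root
# that the HTTP daemon's account could write: world-writable entries,
# group-writable entries owned by the daemon's group, and user-writable
# entries owned by the daemon's user. Directories count too, since a
# writable directory lets the daemon create new files in it.

# find aborts on an unknown user/group name, so probe the name (or a
# numeric id) on the directory itself before using it in a real search.
_knows_user()  { find "$1" -prune -user  "$2" >/dev/null 2>&1; }
_knows_group() { find "$1" -prune -group "$2" >/dev/null 2>&1; }

# audit_docroot DIR [WEB_USER] [WEB_GROUP]
# Prints one "reason: path" line per finding. Returns 0 when the tree is
# clean and 1 when the web server's account could write somewhere in it.
audit_docroot() {
    dir=$1
    web_user=${2:-www-data}
    web_group=${3:-www-data}
    report=$(mktemp)

    # Octal masks keep this within POSIX find (no GNU-only -perm /w forms).
    find "$dir" -perm -0002 -print |
        sed 's/^/world-writable: /' >>"$report"

    if _knows_group "$dir" "$web_group"; then
        find "$dir" -group "$web_group" -perm -0020 -print |
            sed 's/^/group-writable by web group: /' >>"$report"
    fi

    if _knows_user "$dir" "$web_user"; then
        find "$dir" -user "$web_user" -perm -0200 -print |
            sed 's/^/owned and writable by web user: /' >>"$report"
    fi

    findings=$(sort -u "$report")
    rm -f "$report"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_demo_docroot: constructed document root with one clean page, one
# world-writable upload and one group-writable script; prints its path.
make_demo_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads" "$root/admin"
    chmod 0755 "$root" "$root/uploads" "$root/admin"
    printf '<h1>HelloTest</h1>\n' >"$root/index.html"
    : >"$root/uploads/avatar.png"
    : >"$root/admin/config.php"
    chmod 0644 "$root/index.html"          # owner writes, everyone else reads: fine
    chmod 0666 "$root/uploads/avatar.png"  # world-writable: the daemon can overwrite it
    chmod 0664 "$root/admin/config.php"    # group-writable: bad if that group is www-data
    printf '%s\n' "$root"
}

# Real host: audit_docroot /usr/share/nginx/html
# Demo (run with --demo): treat this shell's own group as the web server's
# group so the group-writable finding appears without root or chown.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_docroot)
    audit_docroot "$demo" www-data "$(id -g)"
    rm -rf "$demo"
fi
```

A non-zero exit from `audit_docroot` is the signal to stop a deployment; the fix for each finding is the one the post describes, `chown` to the editing account (or a dedicated editors' group) and `chmod go-w`, never adding anyone to www-data.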

Andyroo

Re: nginx html file permissions

Thu Aug 01, 2019 5:30 pm

No argument over that but surely as part of go live you check permissions are set correctly (unless it’s WP :lol: )?

Maybe folk miss this step?

geev03
Posts: 131
Joined: Thu Jun 07, 2012 12:40 pm
Location: London, UK

Re: nginx html file permissions

Wed Aug 07, 2019 4:57 pm

This is from an Alpine Linux aarch64 on RPi3B.

localhost:/# uname -a
Linux localhost 4.19.58-0-rpi #1-Alpine SMP PREEMPT Thu Jul 11 08:47:35 UTC 2019 aarch64 Linux
localhost:/# free -m
              total        used        free      shared  buff/cache   available
Mem:            918          49         790          36          78         834
Swap:             0           0           0
localhost:/# df -m
Filesystem           1M-blocks      Used Available Use% Mounted on
devtmpfs                    10         0        10   0% /dev
shm                        459         0       459   0% /dev/shm
/dev/mmcblk0p1             970        65       905   7% /media/mmcblk0p1
tmpfs                      459        36       423   8% /
tmpfs                       92         0        92   0% /run
/dev/loop0                  24        24         0 100% /.modloop
localhost:/#

The attached picture is from a static webpage on the nginx.
Attachments
ngnix_staticpage_alpine64_rpi3b.jpg