Reading Time: 3 minutes
Many people get confused about user ownership of the nginx processes.
Most people believe that Nginx runs as Root (oh my god) and some others believe that Nginx runs entirely as nobody user.
Now, let’s do a distinction between the master and the workers processes.
The master process runs with the user used to launch the service. Typically root. Why root? Root is generally used in order to be able to bind sockets on ports number below 1024 (privileged ports). In fact unprivileged users cannot bind ports below 1024.
In general, master process has the following tasks (http://www.aosabook.org/en/nginx.html)
- reading and validating configuration
- creating, binding and closing sockets
- starting, terminating and maintaining the configured number of
- re-configuring without service interruption
- controlling non-stop binary upgrades (starting new binary and rolling back if necessary)
- re-opening log files
- compiling embedded Perl scripts
The fact that the master process starts as root is the result that you actually run with a root account (or otherwise you will have port binding problem). Potentially you could run it with a different user and configure your system to use a port number higher than 1024. This is simple as that.
Common usage anyway(in particular for reverse proxies) is to bind standard HTTP or HTTPS ports like port 80 and or 443. Wouldn’t make much sense to have a reverse proxy listening on custom ports. Can be done technically, doesn’t make much sense logically.
So, the gold rule here is that the master process belongs to the user which has started/spawned Nginx. Simple as that.
Child Process(es), workers
Child process(es), known as workers, are the actors which actually move your web services. While the master process is pretty much an orchestrator, the workers are the real hero here.
One gold rule of web servers is to grant the minimum access level required to the web server’s processes (yes, I am talking to you my developer friend which always uses a chmod 777 approach). Having said this, wouldn’t make much sense to run workers as root.
What is the risk? The risk is that if someone breaches your web application or your web server, doesn’t need to elevate its account since it is already root. Attackers cannot ask for more! They will love you (and no, they won’t have mercy for you!).
Now, the question is, which user is being used by workers?
The response is simple but a bit more complicated than it seems.
1. If nothing is specified at compile time (configure phase) and nothing is specified at configuration file level, then the used user is “nobody”
2. If a user (and optionally a group) is specified at compile time with the options –user and –group and nothing is specified in the config file, then the user specified during the build is used
3. If a user (and optionally a group) is specified in the config file, it will be used as owner of the spawned workers
In general, the priority is the following:
– Config file
– Default (nobody if not specified at compile time or the user name specified at compile time)
Note: A common pitfall for newcomers is to specify a user that do not exist (or “nobody” doesn’t exist). In this case, remember to add the user before you actually start nginx.
The way nginx operates is the following, on a typical real environment with 3 workers activated:
root 21279 0.0 0.0 109152 4136 ? Ss 14:37 0:00 nginx: master process /usr/sbin/nginx
nginx 21280 0.0 0.0 109588 5876 ? S 14:37 0:00 _ nginx: worker process
nginx 21281 0.0 0.0 109588 5876 ? S 14:37 0:00 _ nginx: worker process
nginx 21282 0.0 0.0 109588 5876 ? S 14:37 0:00 _ nginx: worker process
Useless to say, to check it, use the ps -auxf command.
root 21401 6.5 0.3 417676 24852 ? Ss 14:39 0:00 /usr/sbin/httpd -DFOREGROUND
apache 21410 0.5 0.1 690288 13748 ? Sl 14:39 0:00 _ /usr/sbin/httpd -DFOREGROUND
apache 21411 0.5 0.1 690288 13748 ? Sl 14:39 0:00 _ /usr/sbin/httpd -DFOREGROUND
apache 21412 0.5 0.1 690288 13748 ? Sl 14:39 0:00 _ /usr/sbin/httpd -DFOREGROUND
apache 21413 0.5 0.1 690288 13748 ? Sl 14:39 0:00 _ /usr/sbin/httpd -DFOREGROUND
apache 21414 0.5 0.1 419840 14584 ? S 14:39 0:00 _ /usr/sbin/httpd -DFOREGROUND
apache 21415 0.5 0.1 419840 14584 ? S 14:39 0:00 _ /usr/sbin/httpd -DFOREGROUND
apache 21416 0.5 0.1 419840 14584 ? S 14:39 0:00 _ /usr/sbin/httpd -DFOREGROUND
apache 21417 0.5 0.1 419840 14584 ? S 14:39 0:00 _ /usr/sbin/httpd -DFOREGROUND
apache 21418 0.5 0.1 419840 14584 ? S 14:39 0:00 _ /usr/sbin/httpd -DFOREGROUND