Nginx w/ basic auth fails due to permissions

[ed.n1n2]

Hello,

Running 5.9 with nginx installed. Runs just fine under normal conditions with root:www, but utterly refuses to load the basic auth file regardless of permissions.

I'm presented with the opportunity to log in with a test user name and password, but I'm presented with a 403 afterwards for all requests. Looking in the errors log I find:

Code:

[error] 28120#0: *1 open() "/etc/nginx/auth_acs" failed (2: No such file or directory), client: 10.0.0.50, server: 10.0.0.2, request: "GET /gs/index.html HTTP/1.1", host: "10.0.0.2"

In my location directive I have some basic limitations by IP address (working just fine), and then two lines for the auth:

Code:

auth_basic           "Dev ACS Server";
auth_basic_user_file auth_acs;

The auth_acs file was populated with openssl passwd (w and w/o -apr1), as well as htpasswd, with no differences in 403 responses.

Permissions:

Code:

drwxr-xr-x  26 root    wheel    2.0K Jun 21 19:05 etc
drwxrwxr-x   2 root  www         512B Jun 22 14:49 nginx
-rwxrwxrwx   1 root  www     209B Jun 22 15:00 auth_acs

The moment I comment out the auth directives, everything is working again just fine. It seems that nginx cannot load the password file, even with that password file having 777 permissions.

While it's a very bad idea, I can't even change the user name of the nginx process to root to see if it work. Nginx refuses to start with it, which is probably a good thing.

Any advice on getting HTTP auth up and running?

[jggimi]

I will guess you are running nginx chrooted, because that is the default configuration, and is likely why you are unable to reach the file. The default will not permit nginx to reach any file outside of the /var/www directory structure.

See the '-u' option in the nginx(8) man page to disable this security feature and permit nginx to access all filesystems.

---

Edited to add: if instead you operate nginx chrooted with all files inside /var/www, you will prevent a compromised webserver from reaching the rest of your data.

[ed.n1n2]

Well, that's the only thing that has worked. Is that my only option?

Full paths don't seem to work either, even to a file that exists within the chroot '/var/www'. Is that a limitation of the auth directive itself? It doesn't matter what you put there, it will prefix '/etc/nginx/' to it. Using the following still gives the load error, even though the path works otherwise:

Code:

/etc/nginx/../../var/www/conf/auth_acs

It's very weird that nginx demands a security file be placed outside of the chroot that its worker process accesses.

Do you think this is a bug, or that I'm just misconfiguring nginx?

[TronDD]

When a program is run in a chroot, that directory becomes / to that program. So if nginx in chrooted into /var/www, all nginx sees is /. So your path in the nginx config can't include /var/www/something. It has to be just /something.

So if nginx looks at a hardcoded path of /etc/nginx/conf/auth_acs then you have to put the file in /var/www/etc/nginx/conf/auth_acs for nginx to find it in the chroot.

Disclaimer: I don't use nginx, I'm assuming nginx needs to access this file from inside the chroot and it doesn't have a helper process outside passing things in nor reads the file before chrooting.

Tim.

[ed.n1n2]

@TronDD

There is no way to load the password file from within the chroot.

Here's the part you're missing:

Code:

/etc/nginx/conf/auth_acs

I never added the '/etc/nginx/'. See the configuration lines above. It will always add that to whatever I create. So whatever paths I put in the configuration file, even to a file within the chroot, become mangled with that prefixed "crap".

If I put the password file in '/var/www/conf/', there is no way to fool the configuration line into loading it. Using '../../var/www' can't work to escape out of the '/etc/nginx' back to root and then back into the chroot directory '/var/www/'.

If nginx would stop prefixing the path this might have a chance at working.

If I put the file where you suggest, then the configuration line will be mangled into this non-working line:

Code:

/etc/nginx/var/www/etc/nginx/conf/auth_acs

The problem is that nginx put a non-working path in. How the heck could basic auth ever work without disabling chroot?

[jggimi]

Disclaimer: I use nginx, but not with auth.

The application begins with an unchrooted process, in order to read its configuration file. It then starts chrooted operational processes.

If the chrooted processes need to find the specific path /etc/nginx/conf/auth_acs, the path must actually be /var/www/etc/nginx/conf/auth_acs due to the chroot resolution.

You can't use symbolic links back to /etc; the chrooted process has no access to any paths outside /var/www, which it sees as "/" as trondd noted above.

[ed.n1n2]

Thank you, it's up and running now.

I needed to take the -u flag out of the init script (I had forgotten it there), make /var/www/etc/nginx with correct permissions, and have the just the filename in the configuration file.

On another note, openssl did not seem to generate working passwords, but htpasswd did.

Thanks again, guys.