On Mi, 20.04.22 22:18, Andrea Pappacoda (andrea@xxxxxxxxxxxx) wrote: > Hi! I've been playing around with various options documented in > systemd.exec(5) recently, and I'm having an issue with `LogsDirectory=` and > its permissions. > > In particular, I've tried setting `LogsDirectory=nginx` for nginx.service, > but it is now unable to write to the logs. This is because the nginx service > is started as root, and then drops its privileges to www-data (as I'm on > Debian). systemd can't know this, and chowns the /var/log/nginx directory to > root:root, making it impossible for nginx threads spawned as www-data to > write to them. It was previously set to www-data:adm > > Is it possible to specify the owner and group of the `LogsDirectory` (or of > any other directory specified by similar options)? Yes, use User=www-data + Group=www-data. And then use the "!" modifier in ExecStart= to tell systemd that even though the specified User=/Group= are the ones used by the service it should leave set setuid() call to be done by the daemon itself. If specified that way, systemd will invoke the main daemon binary as root:root. e.g. … [Service] ExecStart=!/usr/sbin/nginxd User=www-data Group=www-data LogsDirectory=nginx … That said, are you sure you need to run the nginx binary as root? My suspicion is that it would be much nixer if nginx would be fixed to just be able to be invoked unprivileged (or at worst, with some very limited ambient caps, such as CAP_NET_BIND_SERVICE). Lennart -- Lennart Poettering, Berlin