On Thu, 21.04.22 06:36, Mantas Mikulėnas (grawity@xxxxxxxxx) wrote:

> > That said, are you sure you need to run the nginx binary as root? My
> > suspicion is that it would be much nicer if nginx would be fixed to
> > just be able to be invoked unprivileged (or at worst, with some very
> > limited ambient caps, such as CAP_NET_BIND_SERVICE).
> >
>
> Hmm, on the other hand: if nginx starts unprivileged and its log files (and
> TLS certificate files, and config files) are owned by www-data... and your
> webapps (e.g. php-fpm) are also running as www-data (as is very common),
> then an exploitable webapp could do a bit more damage than if the
> certs&logs were only accessible to root, e.g. they could scribble all over
> your past logs now.
>
> I usually don't mind services like httpd or postfix dropping privileges on
> their own because they can be more flexible about it, e.g. use different
> UIDs for different purposes.

Well, things like postfix kinda replicate their own service manager. I
have the suspicion it would be better to just leave that to
systemd...

Lennart

--
Lennart Poettering, Berlin
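
The trade-off raised in this thread, as an added example that is not part of the original messages and not code from the systemd or nginx projects: a unit that starts nginx unprivileged with only CAP_NET_BIND_SERVICE, under a UID separate from www-data, with the TLS key kept root-owned on disk. The unit name, the `nginx` account, the certificate and key paths, and the nginx.conf settings mentioned in the comments are assumptions.

```ini
# /etc/systemd/system/nginx.service
# Hypothetical unit: the "nginx" account and all file paths are assumptions.
[Unit]
Description=nginx started unprivileged by the service manager
After=network-online.target
Wants=network-online.target

[Service]
Type=exec

# Dedicated UID, distinct from the www-data account used by php-fpm, so a
# compromised webapp running as www-data cannot rewrite nginx's logs.
User=nginx
Group=nginx

# The only capability granted: binding to ports below 1024.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

# systemd creates these directories and chowns them to User=:
#   /var/log/nginx, /run/nginx, /var/lib/nginx
LogsDirectory=nginx
LogsDirectoryMode=0750
RuntimeDirectory=nginx
StateDirectory=nginx

# The key and certificate stay root-owned on disk. systemd reads them as root
# and exposes read-only copies to this service only, under
# /run/credentials/nginx.service/ ($CREDENTIALS_DIRECTORY).
LoadCredential=tls.key:/etc/ssl/private/example.key
LoadCredential=tls.crt:/etc/ssl/certs/example.crt

# Assumes nginx.conf contains:
#   pid /run/nginx/nginx.pid;
#   ssl_certificate     /run/credentials/nginx.service/tls.crt;
#   ssl_certificate_key /run/credentials/nginx.service/tls.key;
# and has no "user" directive (it is ignored when the master is not root).
ExecStart=/usr/sbin/nginx -g 'daemon off;'
ExecReload=/usr/sbin/nginx -s reload

[Install]
WantedBy=multi-user.target
```

`systemctl show nginx.service -p User -p AmbientCapabilities` confirms what the service manager applied, and `ls -l /var/log/nginx` should show the log directory owned by `nginx` rather than `www-data`.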