Dropping nginx privileges: starting nginx as an ordinary user (jail mode)
1. Why run the nginx service as an ordinary user
By default nginx's master process runs as root and the worker processes run as the ordinary user that nginx specifies. Running the master process as root has two big problems:
(1) Administration then requires root, which conflicts with the principle of assigning the minimum necessary privileges.
(2) If nginx runs as root and the website has a vulnerability, a user can easily obtain root privileges on the server.
2. Solution: drop the privileges of the nginx service
(1) Run nginx as the user inca; give developers and operations staff ordinary accounts, and anyone in the same group as inca can manage nginx.
(2) Developers can manage the nginx service and the programs and logs under the site with an ordinary account.
(3) Adopt project ownership: whoever maintains a project is responsible when a problem occurs.
Proceed as follows:
[root@localhost nginx]# ps -elf | grep nginx | grep -v grep
1 S root 5668 1 0 80 0 - 5116 rt_sig 09:50 ? 00:00:00 nginx: master process nginx
5 S nginx 5669 5668 0 80 0 - 5227 ep_pol 09:50 ? 00:00:00 nginx: worker process
[root@localhost nginx-1.6.0]# nginx -h
nginx version: nginx/1.6.0
Usage: nginx [-?hvVtq] [-s signal] [-c filename] [-p prefix] [-g directives]
Options:
-?,-h : this help
-v : show version and exit
-V : show version and configure options then exit
-t : test configuration and exit
-q : suppress non-error messages during configuration testing
-s signal : send signal to a master process: stop, quit, reopen, reload
-p prefix : set prefix path (default: /usr/local/nginx/)
-c filename : set configuration file (default: conf/nginx.conf)
-g directives : set global directives out of configuration file
[root@localhost nginx-1.6.0]# useradd inca
[root@localhost nginx-1.6.0]# su - inca
[inca@localhost ~]$ pwd
/home/inca
[inca@localhost ~]$ mkdir conf logs www
[inca@localhost ~]$ cp /usr/local/nginx/conf/mime.types /home/inca/conf/
[inca@localhost ~]$ echo inca >www/index.html
[inca@localhost ~]$ ls
conf logs www
[inca@localhost ~]$ ls conf/
mime.types
[inca@localhost ~]$ cp /usr/local/nginx/conf/nginx.conf /home/inca/conf/nginx.conf
[inca@localhost ~]$ vim conf/nginx.conf
#user nobody;
worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;
worker_rlimit_nofile 65535;
error_log /home/inca/logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
user inca inca;
pid /home/inca/logs/nginx.pid;
events {
use epoll;
worker_connections 10240;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 8080;
server_name www.baidu.com;
root /home/inca/www;
#charset koi8-r;
access_log /home/inca/logs/access.log main;
location / {
index index.html index.htm;
}
} // the rest is unchanged
Note: every directive value that contains a path must be changed to point under /home/inca.
Port 80 is used by the privileged root user; change it to a port an ordinary user may bind, above 1024, here 8080.
Start nginx and verify:
[inca@localhost ~]$ /usr/local/nginx/sbin/nginx -c /home/inca/conf/nginx.conf &>/dev/null &
[1] 7168
[inca@localhost ~]$ ps -ef | grep nginx | grep -v grep
inca 7169 1 1 21:24 ? 00:00:00 nginx: master process /usr/local/nginx/sbin/nginx -c /home/inca/conf/nginx.conf
inca 7170 7169 0 21:24 ? 00:00:00 nginx: worker process
inca 7171 7169 0 21:24 ? 00:00:00 nginx: worker process
inca 7172 7169 0 21:24 ? 00:00:00 nginx: worker process
inca 7173 7169 0 21:24 ? 00:00:00 nginx: worker process
[1]+ Done /usr/local/nginx/sbin/nginx -c /home/inca/conf/nginx.conf &>/dev/null
[comm@www ~]$ curl -I 192.168.1.22:8080
HTTP/1.1 200 OK
Server: nginx/1.11.5
Date: Sat, 27 Oct 2018 03:57:33 GMT
Content-Type: text/html
Content-Length: 5
Last-Modified: Sat, 27 Oct 2018 03:46:32 GMT
Connection: keep-alive
ETag: "5bd3df98-5"
Accept-Ranges: bytes
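The two rules above (every path under /home/inca, listen port above 1024) are easy to get wrong when editing a copied nginx.conf, so here is an added shell check that is not part of the original post; the function name and its two arguments are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original post): lint an nginx.conf that is
# meant to be started by an unprivileged user such as inca.  It enforces the
# two rules the post states: every path-bearing directive must point under
# the user's home directory, and every listen port must be 1024 or higher.
# The function name and its arguments are this example's own choices.
#
# Usage: check_unprivileged_conf <nginx.conf> <home_dir>
# Prints one line per violation; returns 1 if any were found, else 0.
check_unprivileged_conf() {
    conf="$1"
    home="$2"
    # Drop '#' comments first (simplification: a '#' inside a quoted
    # string, e.g. in log_format, would also be cut), then scan directives.
    sed 's/#.*$//' "$conf" | awk -v home="$home" '
        # Directives whose argument is a filesystem path.
        $1 == "pid" || $1 == "error_log" || $1 == "access_log" || $1 == "root" {
            path = $2
            sub(/;$/, "", path)
            if (path == "off") next          # access_log off; has no path
            # A relative path resolves against the root-owned prefix
            # (default /usr/local/nginx/), so it is a violation too.
            if (index(path, home "/") != 1) {
                printf "%s %s is outside %s\n", $1, path, home
                bad = 1
            }
        }
        # listen takes [addr:]port [options]; keep the part after the last ":".
        $1 == "listen" {
            spec = $2
            sub(/;$/, "", spec)
            n = split(spec, parts, ":")
            port = parts[n]
            if (port + 0 < 1024) {
                printf "listen %s needs root (ports below 1024 are privileged)\n", port
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}
```

Note that nginx only honours the user directive when the master process runs as root; started as inca it logs a warning and ignores it, so the effective identity comes from whoever launches the binary.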