From ba50a7a3f1cca2ce189da1069a672fa72927bd94 Mon Sep 17 00:00:00 2001 From: Niklas Hambüchen Date: Sat, 11 Apr 2020 02:57:15 +0200 Subject: release notes: Explain how to run nginx master as root. Fixes #84391 --- nixos/doc/manual/release-notes/rl-2003.xml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'nixos/doc/manual') diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml index f09fb3255d84..28990517da84 100644 --- a/nixos/doc/manual/release-notes/rl-2003.xml +++ b/nixos/doc/manual/release-notes/rl-2003.xml @@ -809,7 +809,8 @@ auth required pam_succeed_if.so uid >= 1000 quiet The nginx web server previously started its master process as root - privileged, then ran worker processes as a less privileged identity user. + privileged, then ran worker processes as a less privileged identity user + (the nginx user). This was changed to start all of nginx as a less privileged user (defined by services.nginx.user and services.nginx.group). As a consequence, all files that @@ -817,6 +818,13 @@ auth required pam_succeed_if.so uid >= 1000 quiet certificates and keys, etc.) must now be readable by this less privileged user/group. + + To continue to use the old approach, you can configure: + +services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};''; +systemd.services.nginx.serviceConfig.User = lib.mkForce "root"; + + -- cgit 1.4.1