I have a weird issue I can't seem to figure out.
I am using OpenResty. The way it should work on that particular server is that the whole configuration and Lua scripts and everything comes from a Git repo. The ubuntu user should manage the repository and OpenResty's workers should run as www-data (I've set user www-data www-data; in the config). I'm using Ubuntu 22.04.
The repository is located at /home/ubuntu/app/my-project and acts as prefix for OpenResty.
It seems however like the worker processes can't access anything in that directory (the main process can). The Lua files are not executed (there is no error about that either, though), some config values seem to be ignored, and I get "error 13: permission denied" when trying to write into temp/client_body/... and also when reading from html/index.html and such:
    open() "/home/ubuntu/app/my-project/temp/client_body/0000093402" failed (13: Permission denied)
All the files and directories within the project are set to group www-data, and the temp directory which holds client_body and such even has an owner of www-data, and the read/write permissions are set correctly. When I do sudo -u www-data bash, I can read and write there just fine, but when the OpenResty worker process does that, it gets "permission denied" nonetheless.
The client_body directory was even auto-created by OpenResty and looks like this:
    drwx------ 2 www-data root 4096 Dec 4 18:49 client_body
My first thought was that ProtectHome could be an issue, but I would have expected that to interfere also with the master process and not just the workers, plus I did set that to false already.
I added an access_by_lua_block in which I run id and log its output, and I get, as expected, this:
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
Interestingly though, if I use /usr/local/openresty/nginx as prefix path, everything works. (But I would prefer to have the Git repo in /home/ubuntu/app/my-project...) Also, if I configure OpenResty to run as user ubuntu and not www-data, it works too.
I am at the end of my knowledge here. What else could be wrong?
For the record, this is my openresty.service file:
    [Unit]
    Description=The OpenResty Application Platform
    After=syslog.target network-online.target remote-fs.target nss-lookup.target
    Wants=network-online.target

    [Service]
    WorkingDirectory=/home/ubuntu/app/my-project
    Type=forking
    PIDFile=/home/ubuntu/app/my-project/logs/nginx.pid
    ExecStartPre=/usr/local/openresty/nginx/sbin/nginx -t -q -g 'daemon on; master_process on;' -p /home/ubuntu/app/my-project
    ExecStart=/usr/local/openresty/nginx/sbin/nginx -g 'daemon on; master_process on;' -p /home/ubuntu/app/my-project
    ExecReload=/usr/local/openresty/nginx/sbin/nginx -g 'daemon on; master_process on;' -s reload -p /home/ubuntu/app/my-project
    ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /home/ubuntu/app/my-project/logs/nginx.pid
    TimeoutStopSec=5
    KillMode=mixed
    ProtectHome=false

    [Install]
    WantedBy=multi-user.target
Note: The answers to this question suggested it could be an SELinux issue, however sudo sestatus outputs SELinux status: disabled for me (and trying to run sudo semanage permissive -a httpd_t anyway results in an error that the policy isn't managed, as expected).
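A check that fits the symptoms described in the post above: walk every directory from / down to the target and report the first one whose owner/group/other mode bits deny the worker's uid and gid. This is an added example, not part of the original post; the function names are hypothetical, and it evaluates classic mode bits only (no ACLs, AppArmor or systemd sandboxing).

```python
import os

def denies(st, uid, gids, need):
    """True if the mode bits in `st` deny `need` (rwx mask, 0-7) to uid/gids."""
    if uid == 0:
        return False  # simplification: treat root as bypassing mode bits
    if st.st_uid == uid:
        granted = (st.st_mode >> 6) & 7   # owner class wins, no fall-through
    elif st.st_gid in gids:
        granted = (st.st_mode >> 3) & 7   # group class
    else:
        granted = st.st_mode & 7          # everyone else
    return (granted & need) != need

def first_denied(path, uid, gids, need=4, start="/"):
    """Return the first component between `start` and `path` that blocks
    uid/gids, or None. Intermediate directories need the search (x) bit;
    the final component needs `need`. `path` must lie under `start`."""
    path, start = os.path.realpath(path), os.path.realpath(start)
    rel = os.path.relpath(path, start)
    parts = [] if rel == "." else rel.split(os.sep)
    current = start
    for i, part in enumerate([None] + parts):
        if part is not None:
            current = os.path.join(current, part)
        mask = need if i == len(parts) else 1
        if denies(os.stat(current), uid, gids, mask):
            return current
    return None

if __name__ == "__main__":
    # Path and ids as given in the post (uid/gid 33 = www-data).
    # need=3 is w+x: create files inside the temp directory.
    target = "/home/ubuntu/app/my-project/temp/client_body"
    if os.path.exists(target):
        blocked = first_denied(target, 33, {33}, need=3)
        print(blocked or "mode bits allow access on every component")
```

Run it as root or as the repository owner so that every component can be stat'ed; a result of None means the denial comes from a layer this check does not model.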