nginx.pre-install needs additional permissions for fastcgi buffer overflow writes
Issue
Incorrect permissions for writing to tmp directory in /var/lib/nginx/tmp on request buffer overflow.
Expected
When the buffer exceeds the default buffer size, Nginx is expected to temporarily write the buffer overflow to /var/lib/nginx/tmp until enough of the buffer frees up to handle the rest of the request.
Actual
Due to the permissions on /var/lib/nginx/tmp, the www-data group does not have permissions to write to the nginx-group-owned /var/lib/nginx/tmp folder. This means that when the buffer overflows, write access to the tmp directory gets denied, which results in the buffer being cut off and Nginx serving a 502.
Workaround
There were 2 workarounds that we came up with, although we ultimately settled on this:
addgroup www-data nginx && chmod 750 /var/lib/nginx/tmp
as it was the most concise.
Our other workaround:
chown :www-data /var/lib/nginx /var/lib/nginx/tmp && chmod 750 /var/lib/nginx/tmp
would also work and might make more sense as the nginx group isn't the group writing to these files, www-data is. This might alleviate some security concerns that might arise with adding www-data to the nginx group.
Increasing the buffer size will temporarily solve the issue, but is not a viable long term solution.
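A check for either workaround, as an added example that is not part of the original report or of the package's scripts: it shows which permission triad (owner, group or other) the kernel applies to a given uid and group list on a directory, and walks a path upward printing that for each component. The function names `triad` and `audit_path` and the numeric ids in the sample calls are constructed for illustration; `audit_path` assumes a `stat` that supports `-c` (GNU coreutils or BusyBox), and uid 0 is not special-cased.

```shell
#!/bin/sh
# triad MODE OWNER_UID OWNER_GID UID "GID GID ..."
# Prints the permission class that applies and the bits it grants.
triad() {
    bits=$((0$1))                      # MODE as printed by `stat -c %a`, read as octal
    cls=other
    if [ "$4" -eq "$2" ]; then
        cls=owner
    else
        for g in $5; do
            if [ "$g" -eq "$3" ]; then cls=group; fi
        done
    fi
    case $cls in
        owner) bits=$(( (bits >> 6) & 7 )) ;;
        group) bits=$(( (bits >> 3) & 7 )) ;;
        other) bits=$(( bits & 7 )) ;;
    esac
    r=-; w=-; x=-
    if [ $((bits & 4)) -ne 0 ]; then r=r; fi
    if [ $((bits & 2)) -ne 0 ]; then w=w; fi
    if [ $((bits & 1)) -ne 0 ]; then x=x; fi
    echo "$cls $r$w$x"
}

# audit_path DIR UID "GID GID ..."
# Every component needs x (search) for the process to reach files below it;
# the directory in which the process itself creates files also needs w.
audit_path() {
    p=$1; who=$2; grps=$3
    while :; do
        st=$(stat -c '%a %u %g' "$p") || return 1
        set -- $st
        echo "$p: mode $1 -> $(triad "$1" "$2" "$3" "$who" "$grps")"
        if [ "$p" = / ] || [ "$p" = . ]; then break; fi
        p=$(dirname "$p")
    done
}

# Constructed sample ids: uid/gid 82 stands for www-data, uid/gid 101 for nginx.
triad 750 101 101 82 "82"        # www-data not in the nginx group
triad 750 101 101 82 "82 101"    # after: addgroup www-data nginx
triad 750 101 82  82 "82"        # after: chown :www-data on the directory

# On a real host (not run here):
#   audit_path /var/lib/nginx/tmp "$(id -u www-data)" "$(id -G www-data)"
```

Run `audit_path` with the worker's real uid and groups after applying a workaround, and check each printed line for the `x` bit and the directory the worker writes into for `w`.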