nginx.pre-install needs additional permissions for fastcgi buffer overflow writes
Incorrect permissions for writing to the tmp directory in /var/lib/nginx/tmp on request buffer overflow.
When the buffer exceeds the default buffer size, Nginx is expected to temporarily write the buffer overflow to /var/lib/nginx/tmp until enough of the buffer frees up to handle the rest of the request.
Due to the permissions on /var/lib/nginx/tmp, the www-data group does not have permissions to write to the Nginx group owned /var/lib/nginx/tmp folder. This means that when the buffer overflows, write access to the tmp directory gets denied, which results in the buffer being cut off and Nginx serving a 502.
There were 2 workarounds that we came up with, although we ultimately settled on this:
addgroup www-data nginx && chmod 750 /var/lib/nginx/tmp
as it was the most concise.
Our other workaround:
chown :www-data /var/lib/nginx /var/lib/nginx/tmp && chmod 750 /var/lib/nginx/tmp
would also work and might make more sense as the nginx group isn't the group writing to these files, www-data is. This might alleviate some security concerns that might arise with adding www-data to the
Increasing the buffer size will temporarily solve the issue, but is not a viable long term solution.
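
Added example, not part of the original report: a small POSIX sh function that works out which permission class (owner, group or other) applies to an account on a directory, run over the state before the change and after each of the two workarounds above. The numeric uids/gids are constructed sample values, and the starting mode 700 is an assumption, since the report does not state it.

```shell
#!/bin/sh
# Constructed sample ids (assumptions, not read from a real system):
#   nginx   uid=100 gid=101      www-data uid=82 gid=82

# effective_bits MODE DIR_UID DIR_GID UID "GID LIST"
# MODE is a three-digit octal mode such as 750. Prints the rwx triplet that
# applies to the account: owner class if the uid matches, otherwise group
# class if any gid matches, otherwise other. The classes never combine.
effective_bits() {
    mode=$1; dir_uid=$2; dir_gid=$3; uid=$4; gids=$5
    rest=${mode#?}
    digit=${mode#??}                          # default: "other" class
    for g in $gids; do
        if [ "$g" = "$dir_gid" ]; then digit=${rest%?}; fi   # group class
    done
    if [ "$uid" = "$dir_uid" ]; then digit=${mode%??}; fi    # owner class wins
    case $digit in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
    esac
}

# report LABEL MODE DIR_UID DIR_GID UID "GID LIST"
report() {
    label=$1; shift
    printf '%-48s %s\n' "$label" "$(effective_bits "$@")"
}

# Before: directory nginx:nginx, www-data not in the nginx group
# (mode 700 is assumed here).
report "before (700 nginx:nginx)"                     700 100 101 82 "82"
# Workaround 1: addgroup www-data nginx && chmod 750 /var/lib/nginx/tmp
report "addgroup www-data nginx, chmod 750"           750 100 101 82 "82 101"
# Workaround 2: chown :www-data ... && chmod 750 /var/lib/nginx/tmp
report "chown :www-data, chmod 750"                   750 100 82  82 "82"

# Note: mode 750 gives the group r-x on the directory itself, meaning it can
# list and traverse it; creating entries directly in it needs the w bit.
```

On a live host, `namei -l /var/lib/nginx/tmp` shows the owner, group and mode of every path component, which gives the real inputs for this check.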