Why the nginx startup script needs root privileges    2021-12-04 09:58:25
While going through production security issues today I found that adding User= and Group= to
/etc/systemd/system/nginx.service
makes the service fail to start, with this message in the log:
the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /usr/local/f:1
[Unit]
Description=nginx
After=network.target
[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/f
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
PrivateTmp=true
User=www
Group=www
[Install]
WantedBy=multi-user.target
In the nginx configuration file the directives
user www;
worker_processes 1;
set the user of the nginx worker processes (processes, not threads) to www. They do not apply to the master process, which stays root:
root 37796 1 0 09:50 ? 00:00:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/f
www 37797 37796 0 09:50 ? 00:00:00 nginx: worker process
root 38546 38413 0 10:09 pts/1 00:00:00 grep --color=auto nginx
By default Linux lets a process bind a TCP/UDP port below 1024 only if it has the CAP_NET_BIND_SERVICE capability, which root has (the threshold is the sysctl net.ipv4.ip_unprivileged_port_start, 1024 by default). nginx normally listens on 80 and 443, so when nginx.service forces the master to run as www two things happen: the "user" directive is ignored (that is the warning above, which by itself is harmless), and the master then fails to bind 80/443 with a permission error, which is what actually stops the service from starting.
All you need to do is comment out these two lines in nginx.service:
#User=www
#Group=www
The master then starts as root, binds 80/443, and drops the workers to www through the user directive. Other services that do not bind privileged ports, such as php-fpm and Elasticsearch, can simply have User= and Group= added.
Note: after editing a .service file run systemctl daemon-reload, otherwise systemd keeps using the old unit.
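To make the rule above concrete, here is an added Python example (not code from the original post and not part of nginx or systemd) that lints a unit file against the ports nginx will listen on. The unit texts and the nginx.conf snippet inside it are constructed samples modelled on the files in this post; the 1024 threshold is the default of the net.ipv4.ip_unprivileged_port_start sysctl and can be overridden.

```python
# Added example: lint a systemd unit + nginx config for the User= / privileged-port
# conflict described above. All unit and config texts below are constructed samples.
import re
from typing import Dict, List

UnitDict = Dict[str, Dict[str, List[str]]]


def parse_unit(text: str) -> UnitDict:
    """Parse INI-style unit text. A key may repeat (Environment=, ExecStartPre=),
    so each key maps to the list of its values, grouped by [Section]."""
    sections: UnitDict = {}
    current: Dict[str, List[str]] = {}  # lines before any [Section] are discarded
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current.setdefault(key.strip(), []).append(value.strip())
    return sections


def listen_ports(nginx_conf: str) -> List[int]:
    """Return TCP ports from `listen` directives: `listen 80;`, `listen *:443 ssl;`,
    `listen [::]:8080;`. Unix sockets and address-only forms are skipped."""
    ports: List[int] = []
    for m in re.finditer(r"^\s*listen\s+([^;]+);", nginx_conf, re.M):
        target = m.group(1).split()[0]
        if target.startswith("unix:"):
            continue
        pm = re.search(r"(?:^|:)(\d+)$", target)
        if pm:
            ports.append(int(pm.group(1)))
    return ports


def service_user(unit: UnitDict) -> str:
    vals = unit.get("Service", {}).get("User", [])
    return vals[-1] if vals else "root"  # systemd's default when User= is absent


def grants_bind_capability(unit: UnitDict) -> bool:
    caps = unit.get("Service", {}).get("AmbientCapabilities", [])
    return any("CAP_NET_BIND_SERVICE" in v.upper() for v in caps)


def lint(unit_text: str, nginx_conf: str, unprivileged_port_start: int = 1024) -> List[str]:
    """Report the misconfigurations discussed in the post as a list of findings."""
    unit = parse_unit(unit_text)
    user = service_user(unit)
    privileged = sorted(p for p in listen_ports(nginx_conf) if p < unprivileged_port_start)
    has_user_directive = re.search(r"^\s*user\s+\S", nginx_conf, re.M) is not None
    findings: List[str] = []
    if user != "root":
        if privileged and not grants_bind_capability(unit):
            findings.append(
                f"User={user} cannot bind privileged port(s) {privileged}: the master will "
                "fail to bind; keep it as root or add AmbientCapabilities=CAP_NET_BIND_SERVICE")
        if has_user_directive:
            findings.append(
                f"nginx 'user' directive is ignored because the master runs as {user}, not root")
    elif not has_user_directive:
        findings.append(
            "master runs as root and nginx.conf has no 'user' directive: "
            "workers will also run as root")
    return findings


# Constructed samples (modelled on the post's files, not copies of real hosts).
NGINX_CONF = """
user www;
worker_processes 1;
events {}
http {
    server {
        listen 80;
        listen [::]:443 ssl;
    }
}
"""
UNIT_AS_ROOT = """[Unit]
Description=nginx
[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx
[Install]
WantedBy=multi-user.target
"""
UNIT_AS_WWW = UNIT_AS_ROOT.replace("[Install]", "User=www\nGroup=www\n[Install]")
UNIT_WITH_CAP = UNIT_AS_WWW.replace(
    "[Install]", "AmbientCapabilities=CAP_NET_BIND_SERVICE\n[Install]")

if __name__ == "__main__":
    for name, unit in (("root", UNIT_AS_ROOT), ("www", UNIT_AS_WWW), ("www+cap", UNIT_WITH_CAP)):
        print(name, lint(unit, NGINX_CONF) or ["ok"])
```

Running it prints no findings for the root unit, two for the User=www unit (the bind failure and the ignored directive), and only the ignored-directive warning once CAP_NET_BIND_SERVICE is granted, which matches the behaviour described above.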
The Elasticsearch unit file (User=elasticsearch works here because Elasticsearch listens on 9200/9300 by default, above the privileged range):
[Service]
Type=notify
RuntimeDirectory=elasticsearch
PrivateTmp=true
Environment=ES_HOME=/usr/share/elasticsearch
Environment=ES_PATH_CONF=/etc/elasticsearch
Environment=PID_DIR=/var/run/elasticsearch
Environment=ES_SD_NOTIFY=true
EnvironmentFile=-/etc/sysconfig/elasticsearch
WorkingDirectory=/usr/share/elasticsearch
User=elasticsearch
Group=elasticsearch
ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid --quiet
# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# elasticsearch logging system is initialized. Elasticsearch
# stores its logs in /var/log/elasticsearch and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
# Allow a slow startup before the systemd notifier module kicks in to extend the timeout
TimeoutStartSec=75
[Install]
WantedBy=multi-user.target
The php-fpm unit file:
[Unit]
Description=php8-fpm
After=syslog.target network.target
[Service]
Type=simple
PIDFile=/usr/local/php8/php-fpm.pid
# Type=simple expects php-fpm to stay in the foreground, so pass --nodaemonize
# (or set daemonize = no in php-fpm.conf); PIDFile= is only useful with Type=forking
ExecStart=/usr/local/php8/sbin/php-fpm --nodaemonize -c /usr/local/php8/etc/php.ini -y /usr/local/php8/f
ExecReload=/bin/kill -USR2 $MAINPID
ExecStop=/bin/kill -SIGINT $MAINPID
User=www
Group=www
[Install]
WantedBy=multi-user.target
Other approaches
Method 1: mark the nginx binary setuid root. Any user can then run it as root (mode 4755, owner root, group root):
./nginx/
chmod 755 ./nginx/
chmod u+s ./nginx/
Method 2: only root and members of the www group (here the wyq user) can run it (mode 4750, owner root, group www):
chown root.www ./nginx/
chmod 750 ./nginx/
chmod u+s ./nginx/
Caveat: a setuid-root nginx binary hands root to whoever is allowed to execute it, because nginx accepts an arbitrary configuration file via -c. With method 1 that is every local user; with method 2 it is every member of www, which includes the www account the workers run as, so a compromised worker could relaunch nginx as root. If the master really must not run as root, grant it only the capability it needs instead: AmbientCapabilities=CAP_NET_BIND_SERVICE in the [Service] section together with User=www lets it bind 80/443 without being root (the "user" directive warning then appears but is harmless, and the pid file and log directories must be writable by www).
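The exposure created by the two methods is worth auditing for. The following is an added Python example (not code from the original post) that walks a directory tree, finds setuid files the way `find DIR -perm -4000` would, and classifies who gains the owner's privileges from each one. The three "nginx" files it creates in a temporary directory are constructed for the demo and carry the modes from the two methods above.

```python
# Added example: audit a directory tree for setuid binaries and classify the
# exposure. Sample files are constructed in a temporary directory for the demo.
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def describe(path: str) -> Dict[str, object]:
    """Mode bits relevant to a setuid audit, without following symlinks."""
    st = os.lstat(path)
    m = st.st_mode
    return {
        "setuid": bool(m & stat.S_ISUID),
        "owner_uid": st.st_uid,
        "owner_is_root": st.st_uid == 0,
        "group_exec": bool(m & stat.S_IXGRP),
        "other_exec": bool(m & stat.S_IXOTH),
    }


def exposure(info: Dict[str, object]) -> str:
    """Who can run the file with the owner's (not their own) privileges."""
    if not info["setuid"]:
        return "none"                      # runs as the caller, no privilege change
    if info["other_exec"]:
        return "every local user"          # method 1: 4755
    if info["group_exec"]:
        return "owner and group members"   # method 2: 4750
    return "owner only"


def exposure_of(path: str) -> str:
    return exposure(describe(path))


def find_setuid(root_dir: str) -> List[Tuple[str, str]]:
    """Equivalent of `find root_dir -perm -4000`, with the exposure class attached."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue
            info = describe(p)
            if info["setuid"]:
                hits.append((p, exposure(info)))
    return sorted(hits)


def audit(root_dir: str) -> Dict[str, str]:
    """Basename -> exposure for every setuid file under root_dir."""
    return {os.path.basename(p): e for p, e in find_setuid(root_dir)}


def make_sample_tree() -> str:
    """Constructed demo: three fake 'nginx' binaries with the modes from the post.
    (Owner is the current user, so owner_is_root is False unless run as root.)"""
    d = tempfile.mkdtemp(prefix="setuid-audit-")
    for name, mode in (("nginx-4755", 0o4755), ("nginx-4750", 0o4750), ("nginx-0755", 0o755)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho fake nginx\n")
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    tree = make_sample_tree()
    for path, who in find_setuid(tree):
        print(f"{path}: setuid, runnable with owner privileges by {who}")
```

On a real host, run `audit("/usr/local/nginx")` (or the whole filesystem) and treat any hit classified "every local user" on a root-owned binary that takes a config path as a local privilege escalation, not a convenience.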