Periodically Nginx changes the owner (from "myuser" to "nginx") and the permissions of the log files (/apps/nginx_logs/). How can I disable this behavior?
I read something about /etc/logrotate.conf, but did not really understand how to do it.
Part of /etc/logrotate.conf:

    # rotate log files weekly
    weekly
    # keep 4 weeks worth of backlogs
    rotate 4
    # create new (empty) log files after rotating old ones
    create
    # use date as a suffix of the rotated file
    dateext
    # uncomment this if you want your log files compressed
    #compress
    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d

Part of /etc/nginx/nginx.conf:

    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    include /usr/share/nginx/modules/*.conf;
    events {
        worker_connections 1024;
    }
    http {
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        types_hash_max_size 2048;
        keepalive_timeout 1800;
        proxy_send_timeout 1800s;
        proxy_read_timeout 1800s;
        proxy_connect_timeout 1800s;
        send_timeout 1800s;
        client_max_body_size 150m;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SH:ECDHE-ECDSA-AES128-GCM-SHA256:!aNULL:!MD5:!3DES:!DES;
        ssl_prefer_server_ciphers on;
        proxy_set_header X-SSL-Client_Cert $ssl_client_cert;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        include /etc/nginx/conf.d/*.conf;
    }

2 Answers

From my observation this is because the master nginx process in your case is run by user "myuser" and the worker processes are run by the user defined in your nginx.conf: "user nginx;" (while nginx is running, use command "ps -efl | grep nginx" to see the running processes and their owners).
When the log files do not exist at startup, they are created by the master nginx process and would therefore have the owner, group, and umask defined permissions of "myuser". When the log files are rolled (probably by logrotate cron job) and nginx is running at the time they are rolled, an nginx worker process will create the log files while processing the next request and the log files would have the owner, group and umask defined permissions of user "nginx". If nginx was not running when the log files were rolled, they would again be created at startup by the master process owner.
As @misterj said this might be an issue of a race condition.
I am having the same issue, but I found that logrotate has a "postrotate" option that allows you to place a command or script file to run after the rotation has taken place, and you can use $1 as the rotated file path. https://linux.die.net/man/8/logrotate
So far this is working, but I haven’t tested it for that long to know for sure. I will update this once I know for sure.
I need my logs to be owned by a different user and my logs are being stored elsewhere than the default folder. So here is what I am using for my logrotate for my users.
This will look at all the files in the /logs folder and set their owner to the same as the logs folder owner and permissions to 0660. This script runs for all files inside the log folder regardless of whether it is the file being rotated, but you can modify it if needed.
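
An added example of the postrotate helper this answer describes (not the answerer's own script): it resets the files in a log folder to the folder's owner and mode 0660, and skips symlinks. The logrotate stanza and the helper path in the comments are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not the answerer's script. Assumes GNU stat.
# Wiring into logrotate (constructed stanza; the helper path is hypothetical):
#
#   /logs/*.log {
#       sharedscripts
#       postrotate
#           /usr/local/sbin/fix-log-perms.sh /logs
#       endscript
#   }

# Reset every regular file directly inside DIR to DIR's own uid:gid and
# mode 0660. Prints one line per file it had to change.
fix_log_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    want=$(stat -c '%u:%g' "$dir") || return 2

    for f in "$dir"/*; do
        # Skip symlinks and non-regular files: chown and chmod follow
        # symlinks, and postrotate usually runs as root, so a link placed
        # in the log folder must not redirect the change to another file.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            continue
        fi
        have=$(stat -c '%u:%g %a' "$f") || return 1
        if [ "$have" != "$want 660" ]; then
            chown "$want" "$f" || return 1
            chmod 0660 "$f" || return 1
            echo "reset $f (was $have)"
        fi
    done
    return 0
}

# Run as a script: fix-log-perms.sh /logs
if [ "$#" -gt 0 ]; then
    fix_log_perms "$1"
fi
```

The symlink check is not atomic, so it assumes the log folder is writable only by the account that owns it.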