Setup: CWP on AlmaLinux 8.10, nginx 1.24.0 from appstream, default config with "user nobody;".
After every nginx package update, uploads larger than client_body_buffer_size start failing. The RPM resets /var/lib/nginx and /var/lib/nginx/tmp to "nginx:root 0770", so the nobody worker can't traverse into them to write client body temp files. SELinux is off, this is just DAC.
Confirm with:
rpm -q --queryformat "[%{FILEMODES:perms} %{FILEUSERNAME}:%{FILEGROUPNAME} %{FILENAMES}\n]" nginx | grep /var/lib/nginx
The usual chown fix works until the next update.
Permanent fix that survives updates: move the temp paths out of /var/lib/nginx into /var/cache/nginx (not owned by any RPM) and add them to nginx.conf:
client_body_temp_path /var/cache/nginx/client_body 1 2;
fastcgi_temp_path /var/cache/nginx/fastcgi 1 2;
uwsgi_temp_path /var/cache/nginx/uwsgi 1 2;
scgi_temp_path /var/cache/nginx/scgi 1 2;
Anyone else hitting this? Would it make sense for CWP to ship the default nginx.conf with these paths set, or switch the default user to "nginx" to match the RPM?