Author Topic: Nginx uploads fail after every package update on CWP / AlmaLinux 8  (Read 330 times)

0 Members and 1 Guest are viewing this topic.

Offline
**
Setup: CWP on AlmaLinux 8.10, nginx 1.24.0 from appstream, default config with "user nobody;".

After every nginx package update, uploads larger than client_body_buffer_size start failing. The RPM resets /var/lib/nginx and /var/lib/nginx/tmp to "nginx:root 0770", so the nobody worker can't traverse into them to write client body temp files. SELinux is off, this is just DAC.

Confirm with:
    rpm -q --queryformat "[%{FILEMODES:perms} %{FILEUSERNAME}:%{FILEGROUPNAME} %{FILENAMES}\n]" nginx | grep /var/lib/nginx

The usual chown fix works until the next update.

Permanent fix that survives updates: move the temp paths out of /var/lib/nginx into /var/cache/nginx (not owned by any RPM) and add them to nginx.conf:

    client_body_temp_path /var/cache/nginx/client_body 1 2;
    fastcgi_temp_path     /var/cache/nginx/fastcgi 1 2;
    uwsgi_temp_path       /var/cache/nginx/uwsgi 1 2;
    scgi_temp_path        /var/cache/nginx/scgi 1 2;

Anyone else hitting this? Would it make sense for CWP to ship the default nginx.conf with these paths set, or switch the default user to "nginx" to match the RPM?

Offline
*****
Re: Nginx uploads fail after every package update on CWP / AlmaLinux 8
« Reply #1 on: May 19, 2026, 01:55:03 PM »
On one server, I've been with the default CWP Nginx 1.24 config, but with the Rift CVE, I switched over to the 1.31 AppStream version. So I haven't noticed the issue until now. But as a responsible sysadmin, with the switch to the AppStream-managed version I will accommodate permissions and/or the main conf as needed (thanks for the head's up!). No need to be bound by the CWP defaults if you aren't using their Nginx compiled from source.

Offline
**
Re: Nginx uploads fail after every package update on CWP / AlmaLinux 8
« Reply #2 on: May 19, 2026, 02:30:18 PM »
Thanks for chiming in. Good to know I'm not the only one running the AppStream nginx under CWP.

Quick note on your point: even when you "accommodate permissions" on /var/lib/nginx, the fix doesn't stick across package updates. The RPM ships /var/lib/nginx and /var/lib/nginx/tmp with explicit %attr(0770, nginx, root) in the spec, and dnf reapplies those attributes on every upgrade automatically, without any postinstall scriptlet. That's why a one-shot chown isn't enough if you keep user=nobody in nginx.conf. The temp paths really do need to move out of /var/lib/nginx (or you switch user to nginx, which has its own implications for CWP integrations).

Still hoping someone from the CWP team can weigh in on whether the shipped default should set explicit *_temp_path or move to user=nginx.

Offline
****
Re: Nginx uploads fail after every package update on CWP / AlmaLinux 8
« Reply #3 on: May 20, 2026, 10:04:57 AM »
try to add the custom "chown", "chmod" commands to:
/etc/cron.daily/cwp
right after:
Code: [Select]
/usr/local/cwp/php71/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron.phpto fix the permissions after the daily cwp update.

Offline
**
Re: Nginx uploads fail after every package update on CWP / AlmaLinux 8
« Reply #4 on: May 22, 2026, 05:34:15 PM »
try to add the custom "chown", "chmod" commands to:
/etc/cron.daily/cwp
right after:
Code: [Select]
/usr/local/cwp/php71/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron.phpto fix the permissions after the daily cwp update.

I prefer my approach but yours also works.

But this issue happens to someone else? I have it on all my servers.

Offline
****
Re: Nginx uploads fail after every package update on CWP / AlmaLinux 8
« Reply #5 on: May 25, 2026, 06:22:50 PM »
It can be solved in one more way using an RPM:

Create and install an RPM package used as a trigger. The task of the custom RPM is to run a script if the "nginx" RPM is updated/installed. The script can do anything (fix permissions).

Offline
***
Re: Nginx uploads fail after every package update on CWP / AlmaLinux 8
« Reply #6 on: May 25, 2026, 11:45:32 PM »
try to add the custom "chown", "chmod" commands to:
/etc/cron.daily/cwp
right after:
Code: [Select]
/usr/local/cwp/php71/bin/php -d max_execution_time=1000000 -q /usr/local/cwpsrv/htdocs/resources/admin/include/cron.phpto fix the permissions after the daily cwp update.

I prefer my approach but yours also works.

But this issue happens to someone else? I have it on all my servers.

Yes, I'm having the same problem, and I'm resolving it with `chown` when it occurs. I even removed `/var/lib/nginx` from the installation, but then I needed to do some CWP migrations, and everything went back to square one. So, I'll make time to study and use your approach.