But is there any reason why you’re looking into micromanaging service permissions?
Because I don’t know any better, having very little base knowledge of linux.
The thought process here was that services like nginx should be running under a separate user from root and your main daily user account, only having access to the files it actually needs, but not really knowing how to achieve that. I know genuinely nothing about linux user management and feel a bit overwhelmed trying to figure out where to start :/ (especially comming from the all graphical UI experience of Windows)
Chmod is/was the only tool I’ve known about for managing permissions. I end up running stuff as root in my experimentations because I randomly run into permissions errors, but don’t know how to solve them, particularly without creating more problems for other processes.
I’m using Debian as a first Linux desktop experience; previously I’ve done some experimenting with rpis managed via ssh, mostly to run pihole, that’s about it. The rest has been windows where I was familiar.
nginx only runs the master process as root, but the actual worker processes already run under a low-privileged account called http. If you want to run the master process as well as non-root, you can follow the instructions here: https://wiki.archlinux.org/title/nginx#Running_unprivileged_using_systemd
To restrict access to files, you’d be editing the nginx config file, you can read on how to do that in the nginx documentation, or check ServerFault etc.
But the modern Linux world revolves around containers. There’s an official Docker image for nginx that you could use if you’d like, and that’d make it a much more secure - and portable option.
Also, I’d recommend checking the Arch Wiki first for anything Linux related - the wealth of knowledge and documentation there is unmatched, and is useful even if you’re not running Arch.
Because I don’t know any better, having very little base knowledge of linux.
The thought process here was that services like nginx should be running under a separate user from root and your main daily user account, only having access to the files it actually needs, but not really knowing how to achieve that. I know genuinely nothing about linux user management and feel a bit overwhelmed trying to figure out where to start :/ (especially comming from the all graphical UI experience of Windows)
Chmod is/was the only tool I’ve known about for managing permissions. I end up running stuff as root in my experimentations because I randomly run into permissions errors, but don’t know how to solve them, particularly without creating more problems for other processes.
I’m using Debian as a first Linux desktop experience; previously I’ve done some experimenting with rpis managed via ssh, mostly to run pihole, that’s about it. The rest has been windows where I was familiar.
Okay so that’s different.
nginx only runs the master process as root, but the actual worker processes already run under a low-privileged account called
http
. If you want to run the master process as well as non-root, you can follow the instructions here: https://wiki.archlinux.org/title/nginx#Running_unprivileged_using_systemdTo restrict access to files, you’d be editing the nginx config file, you can read on how to do that in the nginx documentation, or check ServerFault etc.
But the modern Linux world revolves around containers. There’s an official Docker image for nginx that you could use if you’d like, and that’d make it a much more secure - and portable option.
Also, I’d recommend checking the Arch Wiki first for anything Linux related - the wealth of knowledge and documentation there is unmatched, and is useful even if you’re not running Arch.
Thanks for your help m8, I appreciate it.
I’ll have to do some more reading once I’ve got some time.