X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/0b6013ac5520b7508474705d654f1384994d10e5..60a72f91316ab1d878420adceb98e585c0e3b72f:/lib/boot/nginx.go
diff --git a/lib/boot/nginx.go b/lib/boot/nginx.go
index 07ff1fc1d3..d14d051520 100644
--- a/lib/boot/nginx.go
+++ b/lib/boot/nginx.go
@@ -12,6 +12,7 @@ import (
 "net/url"
 "os"
 "os/exec"
+ "os/user"
 "path/filepath"
 "regexp"
 
@@ -100,13 +101,26 @@ func (runNginx) Run(ctx context.Context, fail func(error), super *Supervisor) er
 }
 }
 }
+
+ args := []string{
+ "-g", "error_log stderr info;",
+ "-g", "pid " + filepath.Join(super.wwwtempdir, "nginx.pid") + ";",
+ "-c", conffile,
+ }
+ // Nginx ignores "user www-data;" when running as a non-root
+ // user... except that it causes it to ignore our other -g
+ // options. So we still have to decide for ourselves whether
+ // it's needed.
+ if u, err := user.Current(); err != nil {
+ return fmt.Errorf("user.Current(): %w", err)
+ } else if u.Uid == "0" {
+ args = append([]string{"-g", "user www-data;"}, args...)
+ }
+
 super.waitShutdown.Add(1)
 go func() {
 defer super.waitShutdown.Done()
- fail(super.RunProgram(ctx, ".", nil, nil, nginx,
- "-g", "error_log stderr info;",
- "-g", "user www-data; pid "+filepath.Join(super.wwwtempdir, "nginx.pid")+";",
- "-c", conffile))
+ fail(super.RunProgram(ctx, ".", runOptions{}, nginx, args...))
 }()
 // Choose one of the ports where Nginx should listen, and wait
 // here until we can connect. If ExternalURL is https://foo (with no port) then we connect to "foo:https"
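Review bot: The root check in the added `if u, err := user.Current(); err != nil { ... } else if u.Uid == "0"` block goes through an account lookup, which can fail when the running UID has no resolvable passwd entry (for example an arbitrary UID in a container). That turns a simple privilege question into a startup error. As far as I can tell, `user.Current()` also reports the real UID, while nginx decides whether the `user` directive applies from the effective UID, so the two can disagree when they differ. `if os.Geteuid() == 0 { args = append([]string{"-g", "user www-data;"}, args...) }` has no error path and asks the same question nginx does, and the `"os/user"` import added in the first hunk is then unnecessary. Run's body starts and ends outside this hunk, so how the returned error is handled by callers is not visible here.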